
Bug#944971: marked as done (qtwebengine-opensource-src: the stack is executable, and forced upon linked programs)



Your message dated Wed, 08 Jan 2020 21:47:12 +0000
with message-id <E1ipJAW-000G92-Nl@fasolo.debian.org>
and subject line Bug#887875: fixed in qtwebengine-opensource-src 5.11.3+dfsg-2+deb10u1
has caused the Debian Bug report #887875,
regarding qtwebengine-opensource-src: the stack is executable, and forced upon linked programs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
887875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887875
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qtwebengine-opensource-src
Severity: normal

The libQt5WebEngineCore.so shared object requests an executable stack
from the loader. You can see this using "readelf -l" and inspecting the
GNU_STACK program header. All programs linked against this library also
get an executable stack whether or not they need or want it. Affected
programs include several that parse hostile input from the internet,
such as KMail, Akregator, qutebrowser, and Akonadi. Other Qt and KDE
applications are also affected.

You can see the executable stack in affected programs by looking in
their /proc/PID/maps while they're running.

This isn't a security vulnerability in itself, but an executable stack
makes vulnerabilities in all these applications much easier to exploit.
Fortunately there's no need for an executable stack in QtWebEngine. It
only arises due to a compilation misconfiguration: A handful of object
files fail to use .note.GNU-stack to opt out of an executable stack.

https://www.airs.com/blog/archives/518

I've attached a list of the offending object files. Each is an assembly
file, and all but one belong to BoringSSL. Either each of these needs
to be assembled with an empty .note.GNU-stack section, or the "-z
noexecstack" option needs to be supplied at link time.

./src/core/release/host/obj/third_party/boringssl/boringssl_asm/aes128gcmsiv-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/chacha-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/x25519-asm-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/x86_64-mont5.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/sha256-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/x86_64-mont.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/vpaes-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/sha1-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/rdrand-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/sha512-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/p256-x86_64-asm.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/md5-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/rsaz-avx2.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/ghash-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/aesni-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/bsaes-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/aesni-gcm-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/aes-x86_64.o
./src/core/release/host/obj/third_party/boringssl/boringssl_asm/chacha20_poly1305_x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/x25519-asm-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/x86_64-mont5.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/vpaes-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/sha1-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/x86_64-mont.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/sha512-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/rdrand-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/sha256-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/p256-x86_64-asm.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/aesni-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/rsaz-avx2.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/md5-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/bsaes-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/ghash-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/aesni-gcm-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/aes-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/chacha20_poly1305_x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/chacha-x86_64.o
./src/core/release/obj/third_party/boringssl/boringssl_asm/aes128gcmsiv-x86_64.o
./src/core/release/obj/third_party/WebKit/Source/platform/heap/asm/asm/SaveRegisters_x86.o

--- End Message ---
--- Begin Message ---
Source: qtwebengine-opensource-src
Source-Version: 5.11.3+dfsg-2+deb10u1

We believe that the bug you reported is fixed in the latest version of
qtwebengine-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887875@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtwebengine-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 31 Dec 2019 00:06:07 +0300
Source: qtwebengine-opensource-src
Binary: qtwebengine5-dev qtwebengine5-private-dev libqt5webengine5 libqt5webenginecore5 libqt5webenginewidgets5 libqt5webengine-data qml-module-qtwebengine qtwebengine5-dev-tools qtwebengine5-examples qtwebengine5-doc qtwebengine5-doc-html
Architecture: source
Version: 5.11.3+dfsg-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Description:
 libqt5webengine-data - Web content engine library for Qt - Data
 libqt5webengine5 - Web content engine library for Qt
 libqt5webenginecore5 - Web content engine library for Qt - Core
 libqt5webenginewidgets5 - Web content engine library for Qt - Widget
 qml-module-qtwebengine - Qt WebEngine QML module
 qtwebengine5-dev - Web content engine library for Qt - development files
 qtwebengine5-dev-tools - Qt WebEngine tools
 qtwebengine5-doc - Qt 5 webengine documentation
 qtwebengine5-doc-html - Qt 5 webengine HTML documentation
 qtwebengine5-examples - Qt WebEngine - Examples
 qtwebengine5-private-dev - Web content engine library for Qt - private development files
Closes: 882805 887875 919504
Changes:
 qtwebengine-opensource-src (5.11.3+dfsg-2+deb10u1) buster; urgency=medium
 .
   * Fix PDF parsing by adding the missing non-const overrides for
     CPDF_Dictionary::GetDict() and CPDF_Reference::GetDict(). This also
     fixes QWebEnginePage::print() method (closes: #919504).
   * Use ui/webui/resources/js/jstemplate_compiled.js provided by upstream
     instead of an empty file (closes: #882805).
   * Backport upstream patch to disable executable stack (closes: #887875).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
