Dear Release team,

On Fri, Nov 29, 2019 at 11:10:16PM +0300, Dmitry Shachnev wrote:
> This update fixes bug #919504 that is also known as #929286, #931860,
> #933278 and #945147.
>
> The debdiff is attached. Please see the header of the added patch for the
> description of the fix.

I looked at qtwebengine bugs and found two more bugs that would be nice to fix for Buster:

#882805 — Browsers (like Falkon) did not show proper error pages when something went wrong (host not found, certificate invalid, etc). Instead they showed empty pages with unlabeled and not working buttons.

#887875 aka #944971 — libQt5WebEngineCore.so.5 was requiring executable stack for no good reason. This is a potential security issue.

So I am attaching the updated debdiff. Please let me know if you are OK with all fixes, or a subset of them.

#882805 is not yet fixed in Bullseye but I can upload the fix soon and let it migrate before I do the Buster upload. The other bugs are already fixed in Bullseye.

If you prefer, you may review the individual commits in our Git:
https://salsa.debian.org/qt-kde-team/qt/qtwebengine/commits/buster

--
Dmitry Shachnev
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +qtwebengine-opensource-src (5.11.3+dfsg-2+deb10u1) buster; urgency=medium + + * Fix PDF parsing by adding the missing non-const overrides for + CPDF_Dictionary::GetDict() and CPDF_Reference::GetDict(). This also + fixes QWebEnginePage::print() method (closes: #919504). + * Use ui/webui/resources/js/jstemplate_compiled.js provided by upstream + instead of an empty file (closes: #882805). + * Backport upstream patch to disable executable stack (closes: #887875). + + -- Dmitry Shachnev <mitya57@debian.org> Tue, 03 Dec 2019 11:28:09 +0300 + qtwebengine-opensource-src (5.11.3+dfsg-2) unstable; urgency=medium [ Dmitry Shachnev ] --- /dev/null +++ b/debian/patches/getdict-overrides.patch 
@@ -0,0 +1,80 @@ +Description: fix GetDict methods in CPDF_Object descendants + In commit [1], Qt WebEngine developers backported a change to cpdf_object.h + that splits GetDict() virtual method into two: const and non-const. + . + However, this change was not applied to CPDF_Dictionary and CPDF_Reference + that are descendant classes of CPDF_Object. So they were missing the non-const + override, and the method from base class CPDF_Object was used instead (which + always returns nullptr). + . + In upstream PDFium, all files were changed in [2], so the bug was specific to + Qt WebEngine 5.11 (Chromium 65-based) branch. + . + [1]: https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?id=bc188914f3ce1d2c + [2]: https://pdfium.googlesource.com/pdfium/+/7e28208d26764438 +Author: Dmitry Shachnev <mitya57@debian.org> +Last-Update: 2019-11-29 + +--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp ++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp +@@ -42,10 +42,12 @@ CPDF_Object::Type CPDF_Dictionary::GetTy + return DICTIONARY; + } + +-CPDF_Dictionary* CPDF_Dictionary::GetDict() const { +- // The method should be made non-const if we want to not be const. +- // See bug #234. 
+- return const_cast<CPDF_Dictionary*>(this); ++CPDF_Dictionary* CPDF_Dictionary::GetDict() { ++ return this; ++} ++ ++const CPDF_Dictionary* CPDF_Dictionary::GetDict() const { ++ return this; + } + + bool CPDF_Dictionary::IsDictionary() const { +--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.h ++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.h +@@ -33,7 +33,8 @@ class CPDF_Dictionary : public CPDF_Obje + // CPDF_Object: + Type GetType() const override; + std::unique_ptr<CPDF_Object> Clone() const override; +- CPDF_Dictionary* GetDict() const override; ++ CPDF_Dictionary* GetDict() override; ++ const CPDF_Dictionary* GetDict() const override; + bool IsDictionary() const override; + CPDF_Dictionary* AsDictionary() override; + const CPDF_Dictionary* AsDictionary() const override; +--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp ++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp +@@ -35,11 +35,16 @@ int CPDF_Reference::GetInteger() const { + return obj ? obj->GetInteger() : 0; + } + +-CPDF_Dictionary* CPDF_Reference::GetDict() const { ++CPDF_Dictionary* CPDF_Reference::GetDict() { + CPDF_Object* obj = SafeGetDirect(); + return obj ? obj->GetDict() : nullptr; + } + ++const CPDF_Dictionary* CPDF_Reference::GetDict() const { ++ const CPDF_Object* obj = SafeGetDirect(); ++ return obj ? 
obj->GetDict() : nullptr; ++} ++ + bool CPDF_Reference::IsReference() const { + return true; + } +--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.h ++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.h +@@ -27,7 +27,8 @@ class CPDF_Reference : public CPDF_Objec + ByteString GetString() const override; + float GetNumber() const override; + int GetInteger() const override; +- CPDF_Dictionary* GetDict() const override; ++ CPDF_Dictionary* GetDict() override; ++ const CPDF_Dictionary* GetDict() const override; + bool IsReference() const override; + CPDF_Reference* AsReference() override; + const CPDF_Reference* AsReference() const override; --- /dev/null +++ b/debian/patches/no-exec-stack.patch 
@@ -0,0 +1,47 @@ +Description: don't allow QtWebEngineCore to request executable stack + The Chromium sources contain assembly code that causes the library to + default to executable stack (the linker requires that *all* .o files + have a .note.GNU-stack section in order to default to non-executable). + So add the -z noexecstack linker flag to change the setting. + . + The other libraries are not affected. +Origin: upstream, https://code.qt.io/cgit/qt/qtwebengine.git/commit/?id=597359a16a798df3 +Last-Update: 2019-12-03 + +--- a/configure.json ++++ b/configure.json +@@ -320,6 +320,11 @@ + "webengine-win-compiler64": { + "label": "64bit compiler", + "type": "isWindowsHostCompiler64" ++ }, ++ "webengine-noexecstack": { ++ "label": "linker supports -z noexecstack", ++ "type": "linkerSupportsFlag", ++ "flag": "-z,noexecstack" + } + }, + +@@ -632,6 +637,11 @@ + "condition": "config.win32 && tests.webengine-win-compiler64", + "type": "isWindowsHostCompiler64", + "output": [ "privateFeature" ] ++ }, ++ "webengine-noexecstack": { ++ "label": "linker supports -z noexecstack", ++ "condition": "config.unix && tests.webengine-noexecstack", ++ "output": [ "privateFeature" ] + } + }, + +--- a/src/core/core_module.pro ++++ b/src/core/core_module.pro +@@ -41,6 +41,8 @@ LIBS_PRIVATE += $$NINJA_LIB_DIRS $$NINJA + # GN's LFLAGS doesn't always work across all the Linux configurations we support. + # The Windows and macOS ones from GN does provide a few useful flags however + ++unix:qtConfig(webengine-noexecstack): \ ++ QMAKE_LFLAGS += -Wl,-z,noexecstack + linux { + QMAKE_LFLAGS += -Wl,--gc-sections -Wl,-O1 -Wl,-z,now + # Embedded address sanitizer symbols are undefined and are picked up by the dynamic link loader --- /dev/null +++ b/debian/patches/restore-jstemplate.patch 
@@ -0,0 +1,21 @@ +Description: restore a file that was erroneously excluded from the tarball +Author: Dmitry Shachnev <mitya57@debian.org> +Forwarded: not-needed +Last-Update: 2019-11-30 + +--- /dev/null ++++ b/src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js +@@ -0,0 +1,13 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++// This file serves as a proxy to bring the included js file from /third_party ++// into its correct location under the resources directory tree, whence it is ++// delivered via a chrome://resources URL. See ../webui_resources.grd. ++ ++// Note: this <include> is not behind a single-line comment because the first ++// line of the file is source code (so the first line would be skipped) instead ++// of a licence header. ++// clang-format off ++<include src="../../../../third_party/jstemplate/jstemplate_compiled.js"> --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,6 @@ no-icudtl-dat.patch disable-last_commit_position.patch verbose-gn-bootstrap.patch fix-gcc-8-i386.patch +getdict-overrides.patch +restore-jstemplate.patch +no-exec-stack.patch --- a/debian/rules +++ b/debian/rules @@ -50,8 +50,7 @@ touch_files = src/3rdparty/chromium/third_party/analytics/google-analytics-bundl src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/network/NetworkConfigView.js \ src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/settings/EditFileSystemView.js \ src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.css \ - src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.js \ - src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js + src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.js %: dh $@ --with pkgkde_symbolshelper
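Review bot: the debian/changelog hunk closes only #919504 and #887875, while the cover mail says #919504 is also known as #929286, #931860, #933278 and #945147, and #887875 aka #944971. Unless those duplicates are already merged in the BTS, list them in the respective `(closes: ...)` entries so the upload closes them as well.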
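Review bot: getdict-overrides.patch has Description, Author and Last-Update but no `Forwarded:` or `Bug-Debian:` field, unlike restore-jstemplate.patch which carries `Forwarded: not-needed`; since the description says upstream PDFium already fixed this in [2], add `Forwarded: not-needed` and `Bug-Debian: https://bugs.debian.org/919504` so the header is complete. Because the base-class `CPDF_Object::GetDict()` fallback silently returns nullptr, it is also worth confirming that no other CPDF_Object subclass in this 5.11 tree still declares only the old `CPDF_Dictionary* GetDict() const override;` signature, as the same omission would reproduce the same silent failure elsewhere in the parser.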
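Review bot: in no-exec-stack.patch, `QMAKE_LFLAGS += -Wl,-z,noexecstack` overrides the linker's default instead of giving the offending .o files a `.note.GNU-stack` section, so the change is only safe if none of that assembly actually needs an executable stack (the upstream origin commit indicates it does not). Consider adding a build-time check in debian/rules, for example `readelf -lW path/to/libQt5WebEngineCore.so.5 | grep -q 'GNU_STACK.*RWE' && exit 1`, so that a future Chromium assembly object reintroducing the executable-stack requirement fails the build rather than surfacing as another bug report.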
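Review bot: the restored jstemplate_compiled.js is only a 13-line `<include>` proxy pointing at `../../../../third_party/jstemplate/jstemplate_compiled.js`, so the fix for #882805 depends on that target being present in the +dfsg tarball; please confirm it is, since the touch_files list in debian/rules shows that other third_party files are stubbed out and an include of a missing file would leave the error pages as empty as before. Dropping the jstemplate_compiled.js entry from touch_files in the debian/rules hunk is the right companion change, as the file now comes from the patch instead of being created empty.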