
Bug#945845: buster-pu: package qtwebengine-opensource-src/5.11.3+dfsg-2+deb10u1



Dear Release team,

On Fri, Nov 29, 2019 at 11:10:16PM +0300, Dmitry Shachnev wrote:
> This update fixes bug #919504 that is also known as #929286, #931860,
> #933278 and #945147.
>
> The debdiff is attached. Please see the header of the added patch for the
> description of the fix.

I looked at qtwebengine bugs and found two more bugs that would be nice to
fix for Buster:

#882805 — Browsers (like Falkon) did not show proper error pages when
something went wrong (host not found, certificate invalid, etc.). Instead
they showed empty pages with unlabeled and non-working buttons.

#887875 aka #944971 — libQt5WebEngineCore.so.5 was requiring executable
stack for no good reason. This is a potential security issue.

So I am attaching the updated debdiff.

Please let me know if you are OK with all fixes, or a subset of them.

#882805 is not yet fixed in Bullseye but I can upload the fix soon and let
it migrate before I do the Buster upload. The other bugs are already fixed
in Bullseye.

If you prefer, you may review the individual commits in our Git:

https://salsa.debian.org/qt-kde-team/qt/qtwebengine/commits/buster

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+qtwebengine-opensource-src (5.11.3+dfsg-2+deb10u1) buster; urgency=medium
+
+  * Fix PDF parsing by adding the missing non-const overrides for
+    CPDF_Dictionary::GetDict() and CPDF_Reference::GetDict(). This also
+    fixes QWebEnginePage::print() method (closes: #919504).
+  * Use ui/webui/resources/js/jstemplate_compiled.js provided by upstream
+    instead of an empty file (closes: #882805).
+  * Backport upstream patch to disable executable stack (closes: #887875).
+
+ -- Dmitry Shachnev <mitya57@debian.org>  Tue, 03 Dec 2019 11:28:09 +0300
+
 qtwebengine-opensource-src (5.11.3+dfsg-2) unstable; urgency=medium
 
   [ Dmitry Shachnev ]
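Review bot: the third entry only records #887875, while the cover mail says #944971 is the same bug; unless the two are already merged in the BTS, write `(closes: #887875, #944971)` so the duplicate is closed by the same upload. The same applies to the first entry, which the cover mail ties to #929286, #931860, #933278 and #945147. Minor wording: "fixes the QWebEnginePage::print() method".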
--- /dev/null
+++ b/debian/patches/getdict-overrides.patch
@@ -0,0 +1,80 @@
+Description: fix GetDict methods in CPDF_Object descendants
+ In commit [1], Qt WebEngine developers backported a change to cpdf_object.h
+ that splits GetDict() virtual method into two: const and non-const.
+ .
+ However, this change was not applied to CPDF_Dictionary and CPDF_Reference
+ that are descendant classes of CPDF_Object. So they were missing the non-const
+ override, and the method from base class CPDF_Object was used instead (which
+ always returns nullptr).
+ .
+ In upstream PDFium, all files were changed in [2], so the bug was specific to
+ Qt WebEngine 5.11 (Chromium 65-based) branch.
+ .
+ [1]: https://code.qt.io/cgit/qt/qtwebengine-chromium.git/commit/?id=bc188914f3ce1d2c
+ [2]: https://pdfium.googlesource.com/pdfium/+/7e28208d26764438
+Author: Dmitry Shachnev <mitya57@debian.org>
+Last-Update: 2019-11-29
+
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp
+@@ -42,10 +42,12 @@ CPDF_Object::Type CPDF_Dictionary::GetTy
+   return DICTIONARY;
+ }
+ 
+-CPDF_Dictionary* CPDF_Dictionary::GetDict() const {
+-  // The method should be made non-const if we want to not be const.
+-  // See bug #234.
+-  return const_cast<CPDF_Dictionary*>(this);
++CPDF_Dictionary* CPDF_Dictionary::GetDict() {
++  return this;
++}
++
++const CPDF_Dictionary* CPDF_Dictionary::GetDict() const {
++  return this;
+ }
+ 
+ bool CPDF_Dictionary::IsDictionary() const {
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.h
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.h
+@@ -33,7 +33,8 @@ class CPDF_Dictionary : public CPDF_Obje
+   // CPDF_Object:
+   Type GetType() const override;
+   std::unique_ptr<CPDF_Object> Clone() const override;
+-  CPDF_Dictionary* GetDict() const override;
++  CPDF_Dictionary* GetDict() override;
++  const CPDF_Dictionary* GetDict() const override;
+   bool IsDictionary() const override;
+   CPDF_Dictionary* AsDictionary() override;
+   const CPDF_Dictionary* AsDictionary() const override;
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp
+@@ -35,11 +35,16 @@ int CPDF_Reference::GetInteger() const {
+   return obj ? obj->GetInteger() : 0;
+ }
+ 
+-CPDF_Dictionary* CPDF_Reference::GetDict() const {
++CPDF_Dictionary* CPDF_Reference::GetDict() {
+   CPDF_Object* obj = SafeGetDirect();
+   return obj ? obj->GetDict() : nullptr;
+ }
+ 
++const CPDF_Dictionary* CPDF_Reference::GetDict() const {
++  const CPDF_Object* obj = SafeGetDirect();
++  return obj ? obj->GetDict() : nullptr;
++}
++
+ bool CPDF_Reference::IsReference() const {
+   return true;
+ }
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.h
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/parser/cpdf_reference.h
+@@ -27,7 +27,8 @@ class CPDF_Reference : public CPDF_Objec
+   ByteString GetString() const override;
+   float GetNumber() const override;
+   int GetInteger() const override;
+-  CPDF_Dictionary* GetDict() const override;
++  CPDF_Dictionary* GetDict() override;
++  const CPDF_Dictionary* GetDict() const override;
+   bool IsReference() const override;
+   CPDF_Reference* AsReference() override;
+   const CPDF_Reference* AsReference() const override;
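Review bot: the DEP-3 header lacks a `Bug-Debian:` line and a `Forwarded:` field, unlike the other two patches in this debdiff; since the description itself says the bug is specific to the Qt WebEngine 5.11 branch and upstream PDFium already has the fix, `Bug-Debian: https://bugs.debian.org/919504` and `Forwarded: not-needed` would document that. The code change looks right: in the non-const `CPDF_Reference::GetDict()` the `CPDF_Object* obj` makes `obj->GetDict()` resolve to the new non-const overload, and the const variant stores `SafeGetDirect()` in a `const CPDF_Object*`, so both overrides return the real dictionary instead of the base-class `nullptr`.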
--- /dev/null
+++ b/debian/patches/no-exec-stack.patch
@@ -0,0 +1,47 @@
+Description: don't allow QtWebEngineCore to request executable stack
+ The Chromium sources contain assembly code that causes the library to
+ default to executable stack (the linker requires that *all* .o files
+ have a .note.GNU-stack section in order to default to non-executable).
+ So add the -z noexecstack linker flag to change the setting.
+ .
+ The other libraries are not affected.
+Origin: upstream, https://code.qt.io/cgit/qt/qtwebengine.git/commit/?id=597359a16a798df3
+Last-Update: 2019-12-03
+
+--- a/configure.json
++++ b/configure.json
+@@ -320,6 +320,11 @@
+         "webengine-win-compiler64": {
+             "label": "64bit compiler",
+             "type": "isWindowsHostCompiler64"
++        },
++        "webengine-noexecstack": {
++            "label": "linker supports -z noexecstack",
++            "type": "linkerSupportsFlag",
++            "flag": "-z,noexecstack"
+         }
+     },
+ 
+@@ -632,6 +637,11 @@
+             "condition": "config.win32 && tests.webengine-win-compiler64",
+             "type": "isWindowsHostCompiler64",
+             "output": [ "privateFeature" ]
++        },
++        "webengine-noexecstack": {
++            "label": "linker supports -z noexecstack",
++            "condition": "config.unix && tests.webengine-noexecstack",
++            "output": [ "privateFeature" ]
+         }
+     },
+ 
+--- a/src/core/core_module.pro
++++ b/src/core/core_module.pro
+@@ -41,6 +41,8 @@ LIBS_PRIVATE += $$NINJA_LIB_DIRS $$NINJA
+ # GN's LFLAGS doesn't always work across all the Linux configurations we support.
+ # The Windows and macOS ones from GN does provide a few useful flags however
+ 
++unix:qtConfig(webengine-noexecstack): \
++    QMAKE_LFLAGS += -Wl,-z,noexecstack
+ linux {
+     QMAKE_LFLAGS += -Wl,--gc-sections -Wl,-O1 -Wl,-z,now
+     # Embedded address sanitizer symbols are undefined and are picked up by the dynamic link loader
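Review bot: the `-Wl,-z,noexecstack` flag in core_module.pro is only emitted when the `webengine-noexecstack` configure test passes, so a build where the `linkerSupportsFlag` probe fails for an unrelated reason silently produces an executable stack again. Since the point of this patch is the security property, add a build-time check rather than relying on the feature flag alone, e.g. `readelf -lW libQt5WebEngineCore.so.5 | grep GNU_STACK` should show `RW ` and not `RWE`, and the lintian `shlib-with-executable-stack` tag should disappear from the built package. Also confirm the `"flag": "-z,noexecstack"` value in configure.json is what the `linkerSupportsFlag` test expects (the .pro file spells it `-Wl,-z,noexecstack`), otherwise the probe never passes.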
--- /dev/null
+++ b/debian/patches/restore-jstemplate.patch
@@ -0,0 +1,21 @@
+Description: restore a file that was erroneously excluded from the tarball
+Author: Dmitry Shachnev <mitya57@debian.org>
+Forwarded: not-needed
+Last-Update: 2019-11-30
+
+--- /dev/null
++++ b/src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js
+@@ -0,0 +1,13 @@
++// Copyright (c) 2012 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// This file serves as a proxy to bring the included js file from /third_party
++// into its correct location under the resources directory tree, whence it is
++// delivered via a chrome://resources URL.  See ../webui_resources.grd.
++
++// Note: this <include> is not behind a single-line comment because the first
++// line of the file is source code (so the first line would be skipped) instead
++// of a licence header.
++// clang-format off
++<include src="../../../../third_party/jstemplate/jstemplate_compiled.js">
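Review bot: the restored file is only a proxy; its `<include src="../../../../third_party/jstemplate/jstemplate_compiled.js">` directive does nothing if that target is also missing from the dfsg tarball, so the error pages for #882805 would still be empty. Please check that `third_party/jstemplate/jstemplate_compiled.js` is present in the orig tarball before relying on this patch, and add `Bug-Debian: https://bugs.debian.org/882805` to the DEP-3 header so the patch can be traced to the bug it fixes.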
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,6 @@ no-icudtl-dat.patch
 disable-last_commit_position.patch
 verbose-gn-bootstrap.patch
 fix-gcc-8-i386.patch
+getdict-overrides.patch
+restore-jstemplate.patch
+no-exec-stack.patch
--- a/debian/rules
+++ b/debian/rules
@@ -50,8 +50,7 @@ touch_files = src/3rdparty/chromium/third_party/analytics/google-analytics-bundl
 	      src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/network/NetworkConfigView.js \
 	      src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/settings/EditFileSystemView.js \
 	      src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.css \
-	      src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.js \
-	      src/3rdparty/chromium/ui/webui/resources/js/jstemplate_compiled.js
+	      src/3rdparty/chromium/third_party/WebKit/Source/devtools/front_end/terminal/xterm.js/build/xterm.js
 
 %:
 	dh $@ --with pkgkde_symbolshelper
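Review bot: dropping `jstemplate_compiled.js` from `touch_files` is the right counterpart to restore-jstemplate.patch (creating an empty placeholder would otherwise clobber the restored proxy), and the trailing `\` is correctly removed from what is now the last entry. One follow-up: the patch header says the file was "erroneously excluded from the tarball", so the exclusion rule that dropped it should be fixed at the next upstream import, otherwise the same file will be missing again and the patch will have to be carried indefinitely.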
