From f795d7c0d4b5a831dd847911c355c8d01d0a235f Mon Sep 17 00:00:00 2001
From: Antti Kokko 
Date: Tue, 27 Oct 2020 10:02:11 +0200
Subject: Add changes file for Qt 5.15.2

Pick-to: dev 5.15
Change-Id: If1c29cc043736619513620120f96133575bf28d5
Reviewed-by: Allan Sandfeld Jensen 
---
 dist/changes-5.15.2 | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 dist/changes-5.15.2

diff --git a/dist/changes-5.15.2 b/dist/changes-5.15.2
new file mode 100644
index 000000000..de6ffc584
--- /dev/null
+++ b/dist/changes-5.15.2
@@ -0,0 +1,82 @@
+Qt 5.15.2 is a bug-fix release. It maintains both forward and backward
+compatibility (source and binary) with Qt 5.15.1.
+
+For more details, refer to the online documentation included in this
+distribution. The documentation is also available online:
+
+ https://doc.qt.io/qt-5.15/index.html
+
+The Qt version 5.15 series is binary compatible with the 5.14.x series.
+Applications compiled for 5.14 will continue to run with 5.15.
+
+Some of the changes listed in this file include issue tracking numbers
+corresponding to tasks in the Qt Bug Tracker:
+
+ https://bugreports.qt.io/
+
+Each of these identifiers can be entered in the bug tracker to obtain more
+information about a particular change.
+
+****************************************************************************
+* Library *
+****************************************************************************
+
+General
+-------
+ - [QTBUG-84632] Warn about QtWebengineProcess launching from network share
+ on Windows.
+ - [QTBUG-85363] Handle non-ASCII names for PulseAudio
+ - [QTBUG-85494] Fix regression crash when not handling QQuickWebEngineNewViewRequest
+ - [QTBUG-85817] Fix crashes on resize
+ - [QTBUG-86672] Fix remapped menu key being mapped back to menu key
+ - [QTBUG-86945] Fix crash when opening a PDF in debug build on windows.
+ - [QTBUG-87129] Mention node.js build-time dependency
+ - The QtWebEngineProcess now has a version number
+ - The old compositor has been removed and can no longer be restored using
+ command line argument.
+
+Chromium
+--------
+
+ - The Chromium version has been updated to 83.0.4103.122
+ - Security fixes from Chromium up to version 86.0.4240.111, including:
+ - CVE-2020-6540: Heap buffer overflow in Skia
+ - CVE-2020-6557: Inappropriate implementation in networking
+ - CVE-2020-6561: Inappropriate implementation in Content Security Policy
+ - CVE-2020-6562: Insufficient policy enforcement in Blink
+ - CVE-2020-6569: Integer overflow in WebUSB
+ - CVE-2020-6570: Side-channel information leakage in WebRTC
+ - CVE-2020-6573: Use after free in video
+ - CVE-2020-6571: Incorrect security UI in Omnibox
+ - CVE-2020-6575: Race in Mojo
+ - CVE-2020-6576: Use after free in offscreen canvas
+ - CVE-2020-15959: Insufficient policy enforcement in networking
+ - CVE-2020-15960: Out of bounds read in storage
+ - CVE-2020-15961: Insufficient policy enforcement in extensions
+ - CVE-2020-15962: Insufficient policy enforcement in serial
+ - CVE-2020-15963
+ - CVE-2020-15964: Insufficient data validation in media
+ - CVE-2020-15965: Out of bounds write in V8
+ - CVE-2020-15966
+ - CVE-2020-15968: Use after free in Blink
+ - CVE-2020-15969: Use after free in WebRTC.
+ - CVE-2020-15972: Use after free in audio.
+ - CVE-2020—15973: Insufficient policy enforcement in extensions
+ - CVE-2020-15974: Integer overflow in Blink
+ - CVE-2020-15976: Use after free in WebXR
+ - CVE-2020-15977: Insufficient data validation in dialogs.
+ - CVE-2020-15978: Insufficient data validation in navigation
+ - CVE-2020-15979: Inappropriate implementation in V8.
+ - CVE-2020-15985: Inappropriate implementation in Blink.
+ - CVE-2020-15987: Use after free in WebRTC
+ - CVE-2020-15989: Uninitialized Use in PDFium
+ - CVE-2020-15992: Insufficient policy enforcement in networking
+ - CVE-2020-15999: Heap buffer overflow in freetype
+ - CVE-2020-16001: Use after free in media.
+ - CVE-2020-16002: Use after free in PDFium
+ - CVE-2020-16003: Use after free in printing
+ - Security bug 1106091
+ - Security bug 1107824
+ - Security bug 1111149
+ - Security bug 1125199
+
-- 
cgit v1.2.3


From c2c0c7d092ef3d07885eac7c8053d518d28b20c9 Mon Sep 17 00:00:00 2001
From: Tamas Zakor 
Date: Wed, 28 Oct 2020 13:12:08 +0100
Subject: Fix tst_QWebEngineView flaky IME tests

Add QTest::qWaitForWindowExposed() to make sure that the window is visible before the input event is sent.

Change-Id: I72b02abaaf5970a1533f1d6f6dae59e47e891548
Reviewed-by: Allan Sandfeld Jensen 
---
 tests/auto/widgets/qwebengineview/tst_qwebengineview.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/auto/widgets/qwebengineview/tst_qwebengineview.cpp b/tests/auto/widgets/qwebengineview/tst_qwebengineview.cpp
index 5e16361c5..cb73d7079 100644
--- a/tests/auto/widgets/qwebengineview/tst_qwebengineview.cpp
+++ b/tests/auto/widgets/qwebengineview/tst_qwebengineview.cpp
@@ -1283,6 +1283,7 @@ void tst_QWebEngineView::inputMethodsTextFormat()
 evaluateJavaScriptSync(view.page(), "document.getElementById('input1').focus()");
 view.show();
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 QFETCH(QString, string);
 QFETCH(int, start);
@@ -2051,6 +2052,7 @@ void tst_QWebEngineView::inputContextQueryInput()
 " "
 "");
 QTRY_COMPARE(loadFinishedSpy.count(), 1);
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 QCOMPARE(testContext.infos.count(), 0);
 // Set focus on an input field.
@@ -2202,6 +2204,7 @@ void tst_QWebEngineView::inputMethods()
 " "
 "");
 QTRY_COMPARE(loadFinishedSpy.size(), 1);
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 QPoint textInputCenter = elementCenter(view.page(), "input1");
 QTest::mouseClick(view.focusProxy(), Qt::LeftButton, {}, textInputCenter);
@@ -2299,6 +2302,7 @@ void tst_QWebEngineView::textSelectionInInputField()
 " "
 "");
 QVERIFY(loadFinishedSpy.wait());
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 // Tests for Selection when the Editor is NOT in Composition mode
@@ -2508,6 +2512,7 @@ void tst_QWebEngineView::emptyInputMethodEvent()
 " "
 "");
 QVERIFY(loadFinishedSpy.wait());
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 evaluateJavaScriptSync(view.page(), "var inputEle = document.getElementById('input1'); inputEle.focus(); inputEle.select();");
 QTRY_COMPARE(selectionChangedSpy.count(), 1);
@@ -2556,6 +2561,7 @@ void tst_QWebEngineView::imeComposition()
 " "
 "");
 QVERIFY(loadFinishedSpy.wait());
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 evaluateJavaScriptSync(view.page(), "var inputEle = document.getElementById('input1'); inputEle.focus(); inputEle.select();");
 QTRY_COMPARE(selectionChangedSpy.count(), 1);
@@ -2773,6 +2779,7 @@ void tst_QWebEngineView::newlineInTextarea()
 " "
 "");
 QVERIFY(loadFinishedSpy.wait());
+ QVERIFY(QTest::qWaitForWindowExposed(&view));
 evaluateJavaScriptSync(view.page(), "var inputEle = document.getElementById('input1'); inputEle.focus(); inputEle.select();");
 QTRY_VERIFY(evaluateJavaScriptSync(view.page(), "document.getElementById('input1').value").toString().isEmpty());
@@ -2897,6 +2904,7 @@ void tst_QWebEngineView::imeJSInputEvents()
 "
"
                          "");
     QVERIFY(loadFinishedSpy.wait());
+    QVERIFY(QTest::qWaitForWindowExposed(&view));
 
     evaluateJavaScriptSync(view.page(), "document.getElementById('input').focus()");
     QTRY_COMPARE(evaluateJavaScriptSync(view.page(), "document.activeElement.id").toString(), QStringLiteral("input"));
@@ -3019,6 +3027,7 @@ void tst_QWebEngineView::imeCompositionQueryEvent()
                  "  "
                  "");
     QVERIFY(loadFinishedSpy.wait());
+    QVERIFY(QTest::qWaitForWindowExposed(&view));
 
     evaluateJavaScriptSync(view.page(), "document.getElementById('input1').focus()");
     QTRY_COMPARE(evaluateJavaScriptSync(view.page(), "document.activeElement.id").toString(), QStringLiteral("input1"));
-- 
cgit v1.2.3


From fcbf5e18c921ccad494387da60b36df5c34f1c8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?= 
Date: Tue, 27 Oct 2020 22:19:54 +0100
Subject: Update Chromium
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pulls in the changes:
2cad1d38b57 [Backport] CVE-2020-6540: Heap buffer overflow in Skia
e1f5ffc2a12 [Backport] CVE-2020-6569: Integer overflow in WebUSB
75b417b86b4 [Backport] CVE-2020-6570: Side-channel information leakage in WebRTC
0785cd83782 [Backport] CVE-2020-6573: Use after free in video
3ddb1e9639a [Backport] CVE-2020-6575: Race in Mojo
e967bb155a0 [Backport] CVE-2020-6576: Use after free in offscreen canvas
40cebfb3051 [Backport] CVE-2020-15959: Insufficient policy enforcement in networking
405e7526583 [Backport] CVE-2020-15965: Out of bounds write in V8
295feb590b1 [Backport] CVE-2020-15963 and CVE-2020-15966
43812fd40d4 [Backport] CVE-2020-15961: Insufficient policy enforcement in extensions
08a25bf9dd2 Only upgrade to WebSocket when WebSocket was requested
2f75c909270 [Backport] CVE-2020-15962: Insufficient policy enforcement in serial
06afd03d826 [Backport] CVE-2020-15960: Out of bounds read in storage
9e5518f06ad [Backport] Security bug 1111149
b627f77e859 [Backport] CVE-2020-15964: Insufficient data validation in media
bc35c7711ad Fix assert when checking if RendererAppContainer feature is enabled
06b27f95d60 [Backport] CVE-2020-6571: Incorrect security UI in Omnibox
8227b9613d1 CVE-2020-15999: Heap buffer overflow in freetype
cc1e87a0d71 [Backport] CVE-2020-15978 Insufficient data validation in navigation
308da5d58b4 [Backport] CVE-2020-15969: Use after free in WebRTC.
9f5fde5b649 [Backport] CVE-2020-15968: Use after free in Blink
97b92535b31 [Backport] CVE-2020-15972: Use after free in audio.
873abc1112c [Backport] CVE-2020-15979: Inappropriate implementation in V8.
c0343ceec47 [Backport] CVE-2020-15976: Use after free in WebXR
e874d48f9e6 [Backport] CVE-2020-15992 Insufficient policy enforcement in networking
956ce06c56c [Backport] CVE-2020-15974: Integer overflow in Blink
4662223422d [Backport] Security bug 1125199
74e26aab318 [Backport] Security bug 1107824
33e9e655166 [Backport] CVE-2020-15977: Insufficient data validation in dialogs.
f6db4999b0e [Backport] CVE-2020-15973: Insufficient policy enforcement in extensions (1/2)
466da17a0cd [Backport] CVE-2020-15973: Insufficient policy enforcement in extensions (2/2)
027c3d7bae7 [Backport] CVE-2020-15989: Uninitialized Use in PDFium
14e9b6f6d3a [Backport] CVE-2020-16003: Use after free in printing
8527c994fe3 [Backport] CVE-2020-16002: Use after free in PDFium
4f461642a79 [Backport] CVE-2020-16001: Use after free in media.
99877493b32 Fixup: [Backport] CVE-2020-16001: Use after free in media
489d6e637e5 [Backport] CVE-2020-15987: Use after free in WebRTC (1/2)
6ef8f4ed829 [Backport] CVE-2020-15987: Use after free in WebRTC (2/2)
9d173d02d5e [Backport] Security bug 1106091
327474aed0e [Backport] CVE-2020-6557: Inappropriate implementation in networking
55b3d183921 [Backport] CVE-2020-15985: Inappropriate implementation in Blink.

Task-number: QTBUG-87967
Change-Id: Ibca52ab97ac407679e4bac5c6b7dc2285f8bcd37
Reviewed-by: Allan Sandfeld Jensen 
---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index c5637fa90..55b3d1839 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit c5637fa9071bb6d53b5d21ac713f2a5191f8c16f
+Subproject commit 55b3d183921d3ecbbbc0cee5f54a4420aec5c639
-- 
cgit v1.2.3


From 0a45a566f195c738d1561c691e7a767bd36bf9d7 Mon Sep 17 00:00:00 2001
From: Peter Varga 
Date: Fri, 30 Oct 2020 10:58:05 +0100
Subject: Do not set audio device for desktop capture if audio loopback is
 unsupported

Desktop audio capture requires a loopback device. If creating the
loopback device fails, the whole screen capture is aborted as well.

Chromium does not support audio loopback on Linux and macOS:
https://crbug.com/223639

This is still the case in Chrome 88.
The fix is based on: https://codereview.chromium.org/24153018

Change-Id: Ifb13bce3b79193203c0bf52e1f2a1b3936e017c7
Reviewed-by: Allan Sandfeld Jensen 
---
 src/core/media_capture_devices_dispatcher.cpp | 13 ++++++++++---
 src/core/media_capture_devices_dispatcher.h   |  2 ++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/core/media_capture_devices_dispatcher.cpp b/src/core/media_capture_devices_dispatcher.cpp
index 693cfa2e3..ac74c509c 100644
--- a/src/core/media_capture_devices_dispatcher.cpp
+++ b/src/core/media_capture_devices_dispatcher.cpp
@@ -272,7 +272,8 @@ void MediaCaptureDevicesDispatcher::handleMediaAccessPermissionResponse(content:
                 break;
             }
         } else if (desktopVideoRequested) {
-            getDevicesForDesktopCapture(&devices, getDefaultScreenId(), desktopAudioRequested,
+            bool captureAudio = desktopAudioRequested && m_loopbackAudioSupported;
+            getDevicesForDesktopCapture(&devices, getDefaultScreenId(), captureAudio,
                                         request.video_type, request.audio_type);
         }
     }
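Review bot: The audio gate computed here (`desktopAudioRequested && m_loopbackAudioSupported`) duplicates the one in processDesktopCaptureAccessRequest (`audioRequested && audioSupported`), minus the TYPE_SCREEN check that is presumably implied because the id comes from getDefaultScreenId(). A small private helper such as `bool canCaptureDesktopAudio(bool requested, const content::DesktopMediaID &id) const { return requested && m_loopbackAudioSupported && id.type == content::DesktopMediaID::TYPE_SCREEN; }` would keep the two call sites from drifting when another platform gains loopback support. handleMediaAccessPermissionResponse starts and ends outside this hunk.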
@@ -309,6 +310,10 @@ MediaCaptureDevicesDispatcher::MediaCaptureDevicesDispatcher()
     // content::NOTIFICATION_WEB_CONTENTS_DESTROYED, and that will result in
     // possible use after free.
     DCHECK_CURRENTLY_ON(BrowserThread::UI);
+#if defined(OS_WIN)
+    // Currently loopback audio capture is supported only on Windows.
+    m_loopbackAudioSupported = true;
+#endif
     m_notificationsRegistrar.Add(this, content::NOTIFICATION_WEB_CONTENTS_DESTROYED,
                                  content::NotificationService::AllSources());
 }
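Review bot: The platform rule is split across two files — the header default-initializes `m_loopbackAudioSupported` to false and the constructor flips it under `#if defined(OS_WIN)` — so a reader of either file sees only half of it. Consider expressing it once at the member itself, e.g. `#if defined(OS_WIN)` / `bool m_loopbackAudioSupported = true;` / `#else` with the false initializer, and let the comment carry the reason the commit message gives: `// Chromium provides no loopback audio device on Linux/macOS (crbug.com/223639), so desktop audio capture is Windows-only for now.` The comment "Currently loopback audio capture is supported only on Windows." states the what but not the why, and the crbug link is what a maintainer will need to revisit this.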
@@ -383,9 +388,11 @@ void MediaCaptureDevicesDispatcher::processDesktopCaptureAccessRequest(content::
     }
 
     // Audio is only supported for screen capture streams.
-    bool capture_audio = (mediaId.type == content::DesktopMediaID::TYPE_SCREEN && request.audio_type == MediaStreamType::GUM_DESKTOP_AUDIO_CAPTURE);
+    bool audioRequested = request.audio_type == MediaStreamType::GUM_DESKTOP_AUDIO_CAPTURE;
+    bool audioSupported = (mediaId.type == content::DesktopMediaID::TYPE_SCREEN && m_loopbackAudioSupported);
+    bool captureAudio = (audioRequested && audioSupported);
 
-    getDevicesForDesktopCapture(&devices, mediaId, capture_audio, request.video_type, request.audio_type);
+    getDevicesForDesktopCapture(&devices, mediaId, captureAudio, request.video_type, request.audio_type);
 
     if (devices.empty())
         std::move(callback).Run(devices, MediaStreamRequestResult::INVALID_STATE,
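Review bot: When audio was requested but `audioSupported` is false, the request now proceeds silently as video-only, and `request.audio_type` is still forwarded to getDevicesForDesktopCapture; nothing tells the caller that the audio track was dropped. If that degradation is intended (the commit message says a failed loopback device otherwise aborts the whole capture), document it next to the computation: `// Audio the platform cannot loop back is dropped rather than failing the whole capture.` It is also worth confirming that getDevicesForDesktopCapture, declared outside this hunk, ignores audio_type when captureAudio is false. processDesktopCaptureAccessRequest starts and ends outside the hunk.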
diff --git a/src/core/media_capture_devices_dispatcher.h b/src/core/media_capture_devices_dispatcher.h
index 6a67a53e9..17cb5d5c9 100644
--- a/src/core/media_capture_devices_dispatcher.h
+++ b/src/core/media_capture_devices_dispatcher.h
@@ -127,6 +127,8 @@ private:
 
     content::NotificationRegistrar m_notificationsRegistrar;
 
+    bool m_loopbackAudioSupported = false;
+
     DISALLOW_COPY_AND_ASSIGN(MediaCaptureDevicesDispatcher);
 };
 
-- 
cgit v1.2.3


From 35c7e9134a1a5e0390c42ea2df06a749255497ff Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen 
Date: Tue, 3 Nov 2020 22:32:39 +0100
Subject: Update Chromium
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Including a security issue that is under active exploitation.

Submodule src/3rdparty 55b3d183..fb6ab5e4:
  > [Backport] Security bug 1137608
  > [Backport] CVE-2020-16011: Heap buffer overflow in UI on Windows.
  > [Backport] CVE-2020-16009: Inappropriate implementation in V8
  > [Backport] CVE-2020-16008: Stack buffer overflow in WebRTC
  > [Backport] CVE-2020-16005: Insufficient policy enforcement in ANGLE
  > Fix assert when running tests build with -no-webengine-webrtc

Change-Id: Ic9ee45fbd78c999881454e5e0e3091489f637aae
Reviewed-by: Michael Brüning 
---
 dist/changes-5.15.2 | 7 ++++++-
 src/3rdparty        | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/dist/changes-5.15.2 b/dist/changes-5.15.2
index de6ffc584..8d48468b1 100644
--- a/dist/changes-5.15.2
+++ b/dist/changes-5.15.2
@@ -39,7 +39,7 @@ Chromium
 --------
 
   - The Chromium version has been updated to 83.0.4103.122
-  - Security fixes from Chromium up to version 86.0.4240.111, including:
+  - Security fixes from Chromium up to version 86.0.4240.183, including:
     - CVE-2020-6540: Heap buffer overflow in Skia
     - CVE-2020-6557: Inappropriate implementation in networking
     - CVE-2020-6561: Inappropriate implementation in Content Security Policy
@@ -75,8 +75,13 @@ Chromium
     - CVE-2020-16001: Use after free in media.
     - CVE-2020-16002: Use after free in PDFium
     - CVE-2020-16003: Use after free in printing
+    - CVE-2020-16005: Insufficient policy enforcement in ANGLE
+    - CVE-2020-16008: Stack buffer overflow in WebRTC
+    - CVE-2020-16009: Inappropriate implementation in V8
+    - CVE-2020-16011: Heap buffer overflow in UI on Windows.
     - Security bug 1106091
     - Security bug 1107824
     - Security bug 1111149
     - Security bug 1125199
+    - Security bug 1137608
 
diff --git a/src/3rdparty b/src/3rdparty
index 55b3d1839..fb6ab5e48 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 55b3d183921d3ecbbbc0cee5f54a4420aec5c639
+Subproject commit fb6ab5e483876298235be1c6a6013b426c82b759
-- 
cgit v1.2.3


From 5537ff4437ea7a5f9ea140071343f88bf48deddc Mon Sep 17 00:00:00 2001
From: Michal Klocek 
Date: Sat, 7 Nov 2020 02:22:36 +0100
Subject: Fix opengl headers inclusion issues

Chromium's GL bindings headers get mixed with Qt's OpenGL headers,
which results in missing-definition errors for GLDEBUGPROC.

Fixes compilation for apalis-imx6 on zeus.

Task-number: QTBUG-88219
Change-Id: I0a18ceff3336ab457c2d9f35ef17c28c01bbe035
Reviewed-by: Allan Sandfeld Jensen 
---
 src/core/ozone/gl_ozone_egl_qt.cpp | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/src/core/ozone/gl_ozone_egl_qt.cpp b/src/core/ozone/gl_ozone_egl_qt.cpp
index c33570d44..04b336990 100644
--- a/src/core/ozone/gl_ozone_egl_qt.cpp
+++ b/src/core/ozone/gl_ozone_egl_qt.cpp
@@ -40,14 +40,6 @@
 #if defined(USE_OZONE)
 #include 
 #include 
-
-#if QT_CONFIG(opengl)
-#include 
-QT_BEGIN_NAMESPACE
-Q_GUI_EXPORT QOpenGLContext *qt_gl_global_share_context();
-QT_END_NAMESPACE
-#endif
-
 #include "gl_context_qt.h"
 #include "gl_ozone_egl_qt.h"
 #include "gl_surface_egl_qt.h"
@@ -90,10 +82,8 @@ bool GLOzoneEGLQt::LoadGLES2Bindings(gl::GLImplementation /*implementation*/)
 #if QT_CONFIG(opengl)
     if (!get_proc_address) {
         // QTBUG-63341 most likely libgles2 not linked with libegl -> fallback to qpa
-        if (QOpenGLContext *context = qt_gl_global_share_context()) {
-            get_proc_address = reinterpret_cast(
-                context->getProcAddress("eglGetProcAddress"));
-        }
+        get_proc_address =
+                reinterpret_cast(GLContextHelper::getEglGetProcAddress());
     }
 #endif
 
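Review bot: The fallback now assigns `GLContextHelper::getEglGetProcAddress()` unconditionally, whereas the removed code only assigned when the global share context existed; if the helper can return nullptr (for example when no share context has been created yet), `get_proc_address` stays null here just as before, so confirm that the code after this hunk still rejects a null pointer instead of handing it to the GL bindings. If it does not, a guard such as `if (!get_proc_address) { LOG(ERROR) << "No EGL proc address resolver available"; return false; }` belongs right after the fallback. The `#if QT_CONFIG(opengl)` guard was kept although the block no longer touches Qt's OpenGL headers; either drop it or note that the helper itself depends on that config. LoadGLES2Bindings continues outside the hunk.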
-- 
cgit v1.2.3