Date: Sun, 19 May 2024 05:28:49 GMT
Message-Id: <202405190528.44J5SnE6038354@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Jason E. Hale"
Subject: git: 3fc81b9f8145 - main - www/qt5-webengine: Address a few CVEs in chromium
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: jhale
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3fc81b9f8145ade3e1dd6945f603875d0c41f296

The branch main has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3fc81b9f8145ade3e1dd6945f603875d0c41f296

commit 3fc81b9f8145ade3e1dd6945f603875d0c41f296
Author:     Jason E. Hale
AuthorDate: 2024-05-19 05:25:08 +0000
Commit:     Jason E. Hale
CommitDate: 2024-05-19 05:28:42 +0000

    www/qt5-webengine: Address a few CVEs in chromium

    MFH:        2024Q2
    Security:   d58455cc-159e-11ef-83d8-4ccc6adda413
---
 www/qt5-webengine/Makefile                    |   2 +-
 www/qt5-webengine/files/patch-security-rollup | 273 ++++++++++++++++++++++++++
 2 files changed, 274 insertions(+), 1 deletion(-)

diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile index 9b1dbab6880c..0f6a5f3dca02 100644 --- a/www/qt5-webengine/Makefile +++ b/www/qt5-webengine/Makefile @@ -19,7 +19,7 @@ PORTNAME= webengine DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www PKGNAMEPREFIX= qt5- diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup new file mode 100644 index 000000000000..e0554d3d7c61 --- /dev/null +++ b/www/qt5-webengine/files/patch-security-rollup 
@@ -0,0 +1,273 @@ +Add security patches to this file. + +Addresses the following security issues: + +- Security bug 329674887 +- CVE-2024-3157 +- CVE-2024-3516 + +From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 +From: Marco Paniconi +Date: Wed, 13 Mar 2024 10:58:17 -0700 +Subject: [PATCH] [Backport] Security bug 329674887 (1/2) + +Cherry-pick of patch orignally reviewed on +https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376: +Fix to buffer alloc for vp9_bitstream_worker_data + +The code was using the bitstream_worker_data when it +wasn't allocated for big enough size. This is because +the existing condition was to only re-alloc the +bitstream_worker_data when current dest_size was larger +than the current frame_size. But under resolution change +where frame_size is increased, beyond the current dest_size, +we need to allow re-alloc to the new size. + +The existing condition to re-alloc when dest_size is +larger than frame_size (which is not required) is kept +for now. + +Also increase the dest_size to account for image format. + +Added tests, for both ROW_MT=0 and 1, that reproduce +the failures in the bugs below. + +Note: this issue only affects the REALTIME encoding path. 
+ +Bug: b/329088759, b/329674887, b/329179808 + +Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667 +Reviewed-by: Allan Sandfeld Jensen +--- + .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +index 3eff4ce830d1..22db39714922 100644 +--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c ++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) { + } + } + ++static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { ++ VP9_COMMON *const cm = &cpi->common; ++ const int image_bps = ++ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * ++ (1 + (cm->bit_depth > 8)); ++ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++} ++ + static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { + int i; + const size_t worker_data_size = +@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { + if (!cpi->vp9_bitstream_worker_data) return 1; + for (i = 1; i < cpi->num_workers; ++i) { + cpi->vp9_bitstream_worker_data[i].dest_size = +- cpi->oxcf.width * cpi->oxcf.height; ++ encode_tiles_buffer_alloc_size(cpi); + cpi->vp9_bitstream_worker_data[i].dest = + vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size); + if (!cpi->vp9_bitstream_worker_data[i].dest) return 1; +@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) { + int tile_col = 0; + + if (!cpi->vp9_bitstream_worker_data || +- cpi->vp9_bitstream_worker_data[1].dest_size > +- (cpi->oxcf.width * cpi->oxcf.height)) { ++ cpi->vp9_bitstream_worker_data[1].dest_size != ++ 
encode_tiles_buffer_alloc_size(cpi)) { + vp9_bitstream_encode_tiles_buffer_dealloc(cpi); + if (encode_tiles_buffer_alloc(cpi)) return 0; + } +From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001 +From: Marco Paniconi +Date: Sat, 16 Mar 2024 10:39:28 -0700 +Subject: [PATCH] [Backport] Security bug 329674887 (2/2) + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794: +vp9: fix to integer overflow test + +failure for the 16k test: issue introduced +in: c29e637283 + +Bug: b/329088759, b/329674887, b/329179808 + +Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668 +Reviewed-by: Allan Sandfeld Jensen +--- + .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +index 22db3971492..645ba6ebb3a 100644 +--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c ++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { + const int image_bps = + (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * + (1 + (cm->bit_depth > 8)); +- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++ const int64_t size = ++ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++ return (int)size; + } + + static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { +From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001 +From: kylechar +Date: Tue, 9 Apr 2024 17:14:26 +0000 +Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing + +Cherry-pick of patch originally reviewed on 
+https://chromium-review.googlesource.com/c/chromium/src/+/5420432: +Validate buffer length + +The BitmapInSharedMemory mojo traits were only validating row length and +not total buffer length. + +(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746) + +(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f) + +Bug: 331237485 +Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796 +Commit-Queue: Kyle Charbonneau +Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432 +Commit-Queue: danakj +Cr-Original-Commit-Position: refs/branch-heads/6312@{#786} +Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678 +Reviewed-by: danakj +Reviewed-by: Kyle Charbonneau +Cr-Commit-Position: refs/branch-heads/6099@{#2003} +Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669 +Reviewed-by: Allan Sandfeld Jensen +--- + .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc +index f602fa100477..c6d84002b3e4 100644 +--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc ++++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc +@@ -69,6 +69,10 @@ bool StructTraits::Read( + if (!mapping_ptr->IsValid()) + return false; + ++ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) { ++ return false; ++ } ++ + if 
(!sk_bitmap->installPixels(image_info, mapping_ptr->memory(), + data.row_bytes(), &DeleteSharedMemoryMapping, + mapping_ptr.get())) { +From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001 +From: Shahbaz Youssefi +Date: Mon, 25 Mar 2024 14:46:56 -0400 +Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5391986: +Translator: Disallow samplers in structs in interface blocks + +As disallowed by the spec: + +> Types and declarators are the same as for other uniform variable +> declarations outside blocks, with these exceptions: +> +> * opaque types are not allowed + +Bug: chromium:328859176 +Change-Id: Ib94977860102329e520e635c3757827c93ca2163 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986 +Auto-Submit: Shahbaz Youssefi +Reviewed-by: Geoff Lang +Commit-Queue: Shahbaz Youssefi +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670 +Reviewed-by: Allan Sandfeld Jensen +--- + .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++------- + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp +index 84a0c8fd9e0d..3e8a4a71ff67 100644 +--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp ++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp +@@ -34,27 +34,39 @@ namespace + + const int kWebGLMaxStructNesting = 4; + +-bool ContainsSampler(const TStructure *structType); ++struct IsSamplerFunc ++{ ++ bool operator()(TBasicType type) { return IsSampler(type); } ++}; ++struct IsOpaqueFunc ++{ ++ bool operator()(TBasicType type) { return IsOpaqueType(type); } ++}; ++ ++template ++bool ContainsOpaque(const TStructure *structType); + +-bool ContainsSampler(const 
TType &type) ++template ++bool ContainsOpaque(const TType &type) + { +- if (IsSampler(type.getBasicType())) ++ if (OpaqueFunc{}(type.getBasicType())) + { + return true; + } + if (type.getBasicType() == EbtStruct) + { +- return ContainsSampler(type.getStruct()); ++ return ContainsOpaque(type.getStruct()); + } + + return false; + } + +-bool ContainsSampler(const TStructure *structType) ++template ++bool ContainsOpaque(const TStructure *structType) + { + for (const auto &field : structType->fields()) + { +- if (ContainsSampler(*field->type())) ++ if (ContainsOpaque(*field->type())) + return true; + } + return false; +@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line, + { + if (pType.type == EbtStruct) + { +- if (ContainsSampler(pType.userDef)) ++ if (ContainsOpaque(pType.userDef)) + { + std::stringstream reasonStream = sh::InitializeStream(); + reasonStream << reason << " (structure contains a sampler)"; +@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock( + { + TField *field = (*fieldList)[memberIndex]; + TType *fieldType = field->type(); +- if (IsOpaqueType(fieldType->getBasicType())) ++ if (ContainsOpaque(*fieldType)) + { +- std::string reason("unsupported type - "); +- reason += fieldType->getBasicString(); +- reason += " types are not allowed in interface blocks"; +- error(field->line(), reason.c_str(), fieldType->getBasicString()); ++ error(field->line(), "Opaque types are not allowed in interface blocks", blockName); + } + + const TQualifier qualifier = fieldType->getQualifier();
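Review bot: every embedded diff in patch-security-rollup keeps the upstream `diff --git a/chromium/... b/chromium/...` and `index` lines but rewrites only the `---`/`+++` lines to `src/3rdparty/chromium/...` without the a/ b/ prefix. The ports framework applies by the `---`/`+++` paths, so the patches work, but the two header pairs now disagree about which file is being patched, which misleads anyone tracing a hunk back to upstream; either rewrite the `diff --git` lines to match or drop the `diff --git`/`index` lines from the rollup.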
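Review bot: in the first libvpx hunk (vp9_bitstream.c, encode_tiles_mt), the realloc condition is changed from `dest_size > width * height` to `dest_size != encode_tiles_buffer_alloc_size(cpi)`, so a resolution increase now forces a dealloc/realloc as intended; note that `!=` also reallocates on every decrease, which subsumes the old "larger than" behaviour the commit message says is kept, and that should be stated in a comment at the condition rather than only in the message. The new `encode_tiles_buffer_alloc_size` formula `(8 + 2 * (8 >> (subsampling_x + subsampling_y))) * (1 + (bit_depth > 8))` (for example 12 bits per pixel for 8-bit 4:2:0, doubled for high bit depth) also deserves a one-line comment naming what it counts, since it is the sole input to both the allocation and the realloc check.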
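Review bot: in the second libvpx hunk, `return (int)size;` silently discards the upper half of the `int64_t` product, so the 64-bit intermediate only removes the undefined overflow in `width * height * image_bps`; if the final `/ 8` result ever exceeds INT_MAX the function still returns a wrapped (possibly small or negative) value that feeds `vpx_malloc` and the `dest_size != ...` comparison. Consider checking `size > INT_MAX` and failing the allocation, or returning `size_t`, so that the truncation is explicit rather than implicit.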
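Review bot: the CVE-2024-3157 hunk places `if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) return false;` after the mapping validity check and before `installPixels`, which is the right spot for the missing total-length check. Two points to confirm in review: that `data.row_bytes()` is already validated against the minimum row size for `image_info` earlier in `Read` (the message says row length was validated, and `computeByteSize` trusts the stride it is given), and that `computeByteSize` saturates rather than wraps when width, height and row_bytes overflow `size_t`; if it could return a small wrapped value, this comparison would pass for an undersized mapping.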
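Review bot: in the ANGLE ParseContext.cpp hunks the `+template` lines and the `ContainsOpaque(...)` call sites have no template parameter or argument lists in this rendering (`template <typename OpaqueFunc>` and `ContainsOpaque<IsSamplerFunc>(...)` would not compile without them); this looks like angle brackets stripped by the mail archive rather than the committed file, but the file in the tree should be diffed against the upstream change to be sure. Separately, in `addInterfaceBlock` the replacement `error(field->line(), "Opaque types are not allowed in interface blocks", blockName);` drops the offending type name and reports the block name as the token instead of the field's type, so the diagnostic is less specific than the three-line message it replaces; passing the field's name or keeping `fieldType->getBasicString()` would preserve that. The functional change, recursing into nested struct members with `ContainsOpaque(*fieldType)` instead of testing only the top-level basic type, is what closes the gap.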