commit: 90c0da93ba084e79f9e5468d1b3759bc0a351a89 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Sat Jan 14 12:12:33 2023 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Sun Jan 15 12:36:32 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90c0da93
dev-qt/qtwebengine: add 5.15.8_p20230112 Fixes CVE-2022-4437 and CVE-2022-4438. Snapshotted at: Branch: 5.15 Commit: 38e0df6c6e5a1186b68df9b3d6f4cafbb211f2da Submodule qtwebengine-chromium.git: Branch: 87-based Commit: 97a1254923022e66fa75245c3ace64f58112cba6 Patched with security patches up to Chromium version: 98.0.4758.102 Bug: https://bugs.gentoo.org/888946 Bug: https://bugs.gentoo.org/888181 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> dev-qt/qtwebengine/Manifest | 1 + .../qtwebengine-5.15.8_p20230112.ebuild | 284 +++++++++++++++++++++ 2 files changed, 285 insertions(+) diff --git a/dev-qt/qtwebengine/Manifest b/dev-qt/qtwebengine/Manifest index 6f9f75c68502..9e66ddba2e79 100644 --- a/dev-qt/qtwebengine/Manifest +++ b/dev-qt/qtwebengine/Manifest @@ -3,5 +3,6 @@ DIST qtwebengine-5.15.2_p20211019-jumbo-build.patch.bz2 2930 BLAKE2B fca1d140687 DIST qtwebengine-5.15.3_p20220406-patchset.tar.xz 35480 BLAKE2B ce6aeebbb3255196611130d04ee7a3907ba45d6d2a283f2433e2176cf67e473e74137b180de0a9998762cc54439bb06825815e81e9f95f9413ce2956ac9308b7 SHA512 47e29a1429dce2db324929af91c8ef8421c75ae48f5a491db71b434f8017a5b1e7475e9938989e331e8e012220852848565242e09747892e1a8a8d3ab7386840 DIST qtwebengine-5.15.7_p20221122.tar.xz 319323408 BLAKE2B f0f7d566e84a78bae964bf34ccb305d51ae3c0b73bea2b382edca373a5240ab63ce6d90a1f81c8e70fd1f1eb05f9985fccbdae36958afe9dd8fa9c95a72775e0 SHA512 42665d2d7d227aeb04b9f7af0728ea5b07978e221b858fd2855595ad588d709bacbea18ab9e0c3a023579e5e3b80cdf6d3ff721573631ee43626bd37fb424225 DIST qtwebengine-5.15.8_p20230106.tar.xz 319368288 BLAKE2B cbf6abc941cc20d7568c458726ccd371d5c6838b93e034e79767a2f98a00576a89a81eeb2964fb549df5f347cb8927863c15bf082c6abb749ed90cbe69c9677c SHA512 9b65cb69945516ee57945ccf59b2f60182673e7a77e29418269a285c708a5dcd4ddfdd6c23e187280e68d7abee4e1dc2d00da6678393a44e88b88702db337615 +DIST qtwebengine-5.15.8_p20230112.tar.xz 320881876 BLAKE2B 681fb4e2c6dfb80f1f2839092bbbd891a0a0d68f6b31dbdfe8693b8ea9a0ecd9611ba692b0565f32fc2ad199de715cf61e333d796df618572f79d9ed88545ffb SHA512 1806e7a3134579a5cfc0c932cc95ffb15edc515c2ff32b01eee9de8245938f95301610cd7b57451a07a9e38451111973b88c1d64a03f1371e58106bf202b143e DIST qtwebengine-everywhere-src-6.4.0.tar.xz 440346968 BLAKE2B ffe9ad9f71034d14f016a71bf3e6034853d5c2b17a3ab3e8aefc1c3a79896363eb2ce41446f16e126ec313608619900ee7ac41750978c28f135df5bbc2e0be5c SHA512 a024781c675c60ca746abb6cd977872b51e3f4a7ff9f934450b82e9b19883c68c0c6c630c28997624f0caceed3c43e8b0658419ecb18cf08fa9081275bedd2a7 DIST qtwebengine-everywhere-src-6.4.2.tar.xz 440538956 BLAKE2B df94e0e8e22d11614d0d35002c0e404e6735d75e7b43bef1bfd3d5e1230a997625fe8471d8a9154798cc1f9b9c296c2b697ec70fba0428d509d1352d6d3fafee SHA512 47b184a690d4fa5ccccaa3533903068df7b28825aeb16b7c75e3c7cc29fe0cfdf07501c5f0311926c22852f626b0cd59c836d44527261dc7d5c1efbf7e15439b diff --git a/dev-qt/qtwebengine/qtwebengine-5.15.8_p20230112.ebuild b/dev-qt/qtwebengine/qtwebengine-5.15.8_p20230112.ebuild new file mode 100644 index 000000000000..62c77057afa3 --- /dev/null +++ b/dev-qt/qtwebengine/qtwebengine-5.15.8_p20230112.ebuild @@ -0,0 +1,284 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9,10} ) +PYTHON_REQ_USE="xml(+)" +inherit check-reqs estack flag-o-matic multiprocessing python-any-r1 qt5-build toolchain-funcs + +DESCRIPTION="Library for rendering dynamic web content in Qt5 C++ and QML applications" +HOMEPAGE="https://www.qt.io/"; + +if [[ ${QT5_BUILD_TYPE} == release ]]; then + KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86" + if [[ ${PV} == ${QT5_PV}_p* ]]; then + SRC_URI="https://dev.gentoo.org/~asturm/distfiles/${P}.tar.xz"; + S="${WORKDIR}/${P}" + QT5_BUILD_DIR="${S}_build" + fi +else + EGIT_BRANCH="5.15" + EGIT_REPO_URI=( + "https://code.qt.io/qt/${QT5_MODULE}.git"; + "https://github.com/qt/${QT5_MODULE}.git"; + ) + inherit git-r3 +fi + +# ppc64 patchset based on https://github.com/chromium-ppc64le releases +SRC_URI+=" https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${PN}-5.15.2_p20211019-jumbo-build.patch.bz2 + https://dev.gentoo.org/~asturm/distfiles/${PN}-5.15.3_p20220406-patchset.tar.xz + ppc64? ( https://dev.gentoo.org/~gyakovlev/distfiles/${PN}-5.15.2-r1-chromium87-ppc64le.tar.xz )" + +IUSE="alsa bindist designer geolocation +jumbo-build kerberos pulseaudio screencast +system-ffmpeg +system-icu widgets" +REQUIRED_USE="designer? ( widgets )" + +RDEPEND=" + app-arch/snappy:= + dev-libs/glib:2 + dev-libs/nspr + dev-libs/nss + dev-libs/expat + dev-libs/libevent:= + dev-libs/libxml2[icu] + dev-libs/libxslt + dev-libs/re2:= + =dev-qt/qtcore-${QT5_PV}* + =dev-qt/qtdeclarative-${QT5_PV}* + =dev-qt/qtgui-${QT5_PV}* + =dev-qt/qtnetwork-${QT5_PV}* + =dev-qt/qtprintsupport-${QT5_PV}* + =dev-qt/qtwebchannel-${QT5_PV}*[qml] + media-libs/fontconfig + media-libs/freetype + media-libs/harfbuzz:= + media-libs/lcms:2 + media-libs/libjpeg-turbo:= + media-libs/libpng:0= + >=media-libs/libvpx-1.5:=[svc(+)] + media-libs/libwebp:= + media-libs/opus + sys-apps/dbus + sys-apps/pciutils + sys-libs/zlib[minizip] + virtual/libudev + x11-libs/libdrm + x11-libs/libX11 + x11-libs/libXcomposite + x11-libs/libXcursor + x11-libs/libXdamage + x11-libs/libXext + x11-libs/libXfixes + x11-libs/libXi + x11-libs/libxkbfile + x11-libs/libXrandr + x11-libs/libXrender + x11-libs/libXScrnSaver + x11-libs/libXtst + alsa? ( media-libs/alsa-lib ) + designer? ( =dev-qt/designer-${QT5_PV}* ) + geolocation? ( =dev-qt/qtpositioning-${QT5_PV}* ) + kerberos? ( virtual/krb5 ) + pulseaudio? ( media-libs/libpulse ) + screencast? ( media-video/pipewire:= ) + system-ffmpeg? ( media-video/ffmpeg:0= ) + system-icu? ( >=dev-libs/icu-69.1:= ) + widgets? ( + =dev-qt/qtdeclarative-${QT5_PV}*[widgets] + =dev-qt/qtwidgets-${QT5_PV}* + ) +" +DEPEND="${RDEPEND} + media-libs/libglvnd +" +BDEPEND="${PYTHON_DEPS} + dev-util/gperf + dev-util/ninja + dev-util/re2c + net-libs/nodejs[ssl] + sys-devel/bison + sys-devel/flex + ppc64? ( >=dev-util/gn-0.1807 ) +" + +PATCHES=( + "${FILESDIR}/${PN}-5.15.2-disable-fatal-warnings.patch" # downstream, bug 695446 + "${FILESDIR}/${PN}-5.15.3_p20220505-extra-gn.patch" # downstream, bug 774186 + "${FILESDIR}/${PN}-5.15.2_p20210224-chromium-87-v8-icu68.patch" # downstream, bug 757606 + "${FILESDIR}/${PN}-5.15.2_p20210224-disable-git.patch" # downstream snapshot fix + "${FILESDIR}/${PN}-5.15.2_p20211015-pdfium-system-lcms2.patch" # by Debian, QTBUG-61746 + "${FILESDIR}/${PN}-5.15.3_p20220329-clang14.patch" # by FreeBSD, bug 836604 + "${FILESDIR}/${PN}-5.15.3_p20220406-gcc12-includes.patch" # by openSUSE, bug 840326 + "${WORKDIR}/${PN}-5.15.2_p20211019-jumbo-build.patch" # bug 813957 + "${WORKDIR}/${PN}-5.15.3_p20220406-patchset" # bug 698988 (py2--), pipewire-3 + "${FILESDIR}/${PN}-5.15.8_p20230106-v8-opcode-constexpr.patch" # bug 889042 + "${FILESDIR}/${PN}-5.15.8_p20230106-widevine.patch" # bug 888783 +) + +qtwebengine_check-reqs() { + # bug #307861 + eshopts_push -s extglob + if is-flagq '-g?(gdb)?([1-9])'; then + ewarn "You have enabled debug info (probably have -g or -ggdb in your CFLAGS/CXXFLAGS)." + ewarn "You may experience really long compilation times and/or increased memory usage." + ewarn "If compilation fails, please try removing -g/-ggdb before reporting a bug." + fi + eshopts_pop + + [[ ${MERGE_TYPE} == binary ]] && return + + # (check-reqs added for bug #570534) + # + # Estimate the amount of RAM required + # Multiplier is *10 because Bash doesn't do floating point maths. + # Let's crudely assume ~2GB per compiler job for GCC. + local multiplier=20 + + # And call it ~1.5GB for Clang. + if tc-is-clang ; then + multiplier=15 + fi + + local CHECKREQS_DISK_BUILD="7G" + local CHECKREQS_DISK_USR="150M" + if ! has "distcc" ${FEATURES} ; then + # bug #830661 + # Not super realistic to come up with good estimates for distcc right now + local CHECKREQS_MEMORY=$(($(makeopts_jobs)*multiplier/10))G + fi + + check-reqs_${EBUILD_PHASE_FUNC} +} + +pkg_pretend() { + qtwebengine_check-reqs +} + +pkg_setup() { + qtwebengine_check-reqs + python-any-r1_pkg_setup +} + +src_unpack() { + case ${QT5_BUILD_TYPE} in + live) git-r3_src_unpack ;& + release) default ;; + esac +} + +src_prepare() { + if [[ ${PV} == ${QT5_PV}_p* ]]; then + # This is made from git, and for some reason will fail w/o .git directories. + mkdir -p .git src/3rdparty/chromium/.git || die + fi + # We need to make sure this integrates well into Qt 5.15.3 installation. + # Otherwise revdeps fail w/o heavy changes. This is the simplest way to do it. + # See also: https://www.qt.io/blog/building-qt-webengine-against-other-qt-versions + sed -E "/^MODULE_VERSION/s/5\.15\.[0-9]+/${QT5_PV}/" -i .qmake.conf || die + + # QTBUG-88657 - jumbo-build could still make trouble + if ! use jumbo-build; then + sed -i -e 's|use_jumbo_build=true|use_jumbo_build=false|' \ + src/buildtools/config/common.pri || die + fi + + # bug 620444 - ensure local headers are used + find "${S}" -type f -name "*.pr[fio]" | \ + xargs sed -i -e 's|INCLUDEPATH += |&$${QTWEBENGINE_ROOT}_build/include $${QTWEBENGINE_ROOT}/include |' || die + + if use system-icu; then + # Sanity check to ensure that bundled copy of ICU is not used. + # Whole src/3rdparty/chromium/third_party/icu directory cannot be deleted because + # src/3rdparty/chromium/third_party/icu/BUILD.gn is used by build system. + # If usage of headers of bundled copy of ICU occurs, then lists of shim headers in + # shim_headers("icui18n_shim") and shim_headers("icuuc_shim") in + # src/3rdparty/chromium/third_party/icu/BUILD.gn should be updated. + local file + while read file; do + echo "#error This file should not be used!" > "${file}" || die + done < <(find src/3rdparty/chromium/third_party/icu -type f "(" -name "*.c" -o -name "*.cpp" -o -name "*.h" ")" 2>/dev/null) + fi + + # src/3rdparty/gn fails with libc++ due to passing of `-static-libstdc++` + if tc-is-clang ; then + if has_version 'sys-devel/clang[default-libcxx(-)]' || has_version 'sys-devel/clang-common[default-libcxx(-)]' ; then + eapply "${FILESDIR}/${PN}-5.15.2_p20210521-clang-libc++.patch" + fi + fi + + if use system-ffmpeg && has_version '>=media-video/ffmpeg-5'; then + eapply "${FILESDIR}/${PN}-5.15.3_p20220406-ffmpeg5.patch" # by Archlinux, bug 831437 + fi + + qt_use_disable_config alsa webengine-alsa src/buildtools/config/linux.pri + qt_use_disable_config pulseaudio webengine-pulseaudio src/buildtools/config/linux.pri + + qt_use_disable_mod designer webenginewidgets src/plugins/plugins.pro + + qt_use_disable_mod widgets widgets src/src.pro + + qt5-build_src_prepare + + # we need to generate ppc64 stuff because upstream does not ship it yet + if use ppc64; then + einfo "Patching for ppc64le and generating build files" + eapply "${FILESDIR}/qtwebengine-5.15.2-enable-ppc64.patch" + pushd src/3rdparty/chromium > /dev/null || die + eapply -p0 "${WORKDIR}/${PN}-ppc64le" + popd > /dev/null || die + pushd src/3rdparty/chromium/third_party/libvpx > /dev/null || die + mkdir -vp source/config/linux/ppc64 || die + mkdir -p source/libvpx/test || die + touch source/libvpx/test/test.mk || die + # clang-format is used to re-format sources + # but we'd rather make it a no-op than introduce a clang dependency + # https://bugs.gentoo.org/849458 + clang-format() { : ; } + export -f clang-format || die + ./generate_gni.sh || die + popd >/dev/null || die + fi +} + +src_configure() { + export NINJA_PATH=/usr/bin/ninja + export NINJAFLAGS="${NINJAFLAGS:--j$(makeopts_jobs "${MAKEOPTS}" 999) -l$(makeopts_loadavg "${MAKEOPTS}" 0) -v}" + + local myqmakeargs=( + -- + -no-build-qtpdf + -printing-and-pdf + -system-opus + -system-webp + $(qt_use alsa) + $(qt_use !bindist proprietary-codecs) + $(qt_use geolocation webengine-geolocation) + $(qt_use kerberos webengine-kerberos) + $(qt_use pulseaudio) + $(usex screencast -webengine-webrtc-pipewire '') + $(usex system-ffmpeg -system-ffmpeg -qt-ffmpeg) + $(qt_use system-icu webengine-icu) + ) + qt5-build_src_configure +} + +src_install() { + qt5-build_src_install + + # bug 601472 + if [[ ! -f ${D}${QT5_LIBDIR}/libQt5WebEngine.so ]]; then + die "${CATEGORY}/${PF} failed to build anything. Please report to https://bugs.gentoo.org/"; + fi +} + +pkg_preinst() { + elog "This version of Qt WebEngine is based on Chromium version 87.0.4280.144," + elog "with additional security fixes from newer versions. Extensive as it is, the" + elog "list of backports is impossible to evaluate, but always bound to be behind" + elog "Chromium's release schedule." + elog "In addition, various online services may deny service based on an outdated" + elog "user agent version (and/or other checks). Google is already known to do so." + elog + elog "tldr: Your web browsing experience will be compromised." +}
