Qt / QTBUG-115701

Missing backported CVE fixes

Details

    • Bug
    • Resolution: Out of scope
    • P2: Important
    • None
    • 6.4.3
    • WebEngine
    • None
    • All

    Description

      In Qt 6.4.3, WebEngine should be based on 102.0.5005.177 Chromium with security patches up to 110.0.5481.78 backported. However, a bunch of the CVEs prior to 110.0.5481.78 are not included. Below, I included some examples of fixes that are available in Chromium prior to that, but not available in WebEngine.

      I have looked for the [Backport] commit messages and cross-checked with Google's numbering system. Do I need to look somewhere else for these backported security updates in WebEngine?

       

       

      CVE                        Note                                     
      `CVE-2022-2157` Fixed in `103.0.5060.53`  
      `CVE-2022-2161` Fixed in `103.0.5060.53`  
      `CVE-2022-2163` Fixed in `103.0.5060.134`
      `CVE-2022-2415` Fixed in `103.0.5060.53`  
      `CVE-2022-2603` Fixed in `104.0.5112.79`  
      `CVE-2022-2604` Fixed in `104.0.5112.79`  
      `CVE-2022-2608` Fixed in `104.0.5112.79`  
      `CVE-2022-2623` Fixed in `104.0.5112.79`  
      `CVE-2022-2742` Fixed in `104.0.5112.79`  
      `CVE-2022-2743` Fixed in `104.0.5112.79`  
      `CVE-2022-2852` Fixed in `104.0.5112.101`
      `CVE-2022-2858` Fixed in `104.0.5112.101`
      `CVE-2022-3043` Fixed in `105.0.5195.52`  
      `CVE-2022-3049` Fixed in `105.0.5195.52`  
      `CVE-2022-3050` Fixed in `105.0.5195.52`  
      `CVE-2022-3051` Fixed in `105.0.5195.52`  
      `CVE-2022-3052` Fixed in `105.0.5195.52`  
      `CVE-2022-3058` Fixed in `105.0.5195.52`  
      `CVE-2022-3071` Fixed in `105.0.5195.52`  
      `CVE-2022-3195` Fixed in `105.0.5195.125`
      `CVE-2022-3305` Fixed in `106.0.5249.61`  
      `CVE-2022-3306` Fixed in `106.0.5249.61`  
      `CVE-2022-3448` Fixed in `106.0.5249.119`
      `CVE-2022-3449` Fixed in `106.0.5249.119`
      `CVE-2022-3655` Fixed in `107.0.5304.68`  
      `CVE-2022-3657` Fixed in `107.0.5304.62`  
      `CVE-2022-3658` Fixed in `107.0.5304.62`  
      `CVE-2022-3659` Fixed in `107.0.5304.62`  
      `CVE-2022-3886` Fixed in `107.0.5304.110`
      `CVE-2022-4176` Fixed in `108.0.5359.71`  
      `CVE-2022-4177` Fixed in `108.0.5359.71`  
      `CVE-2022-4191` Fixed in `108.0.5359.71`  
      `CVE-2022-4192` Fixed in `108.0.5359.71`  
      `CVE-2023-0128` Fixed in `109.0.5414.74`  
      `CVE-2023-0134` Fixed in `109.0.5414.74`  
      `CVE-2023-0135` Fixed in `109.0.5414.74`  
      `CVE-2023-0136` Fixed in `109.0.5414.74`  
      `CVE-2023-0137` Fixed in `109.0.5414.74`  
      `CVE-2023-0473` Fixed in `109.0.5414.119`
      `CVE-2023-0474` Fixed in `109.0.5414.119`
      `CVE-2023-0696` Fixed in `110.0.5481.77`  

       

          People

            qt_webengine_team Qt WebEngine Team
            ekronborg Emil Kronborg
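
The cross-check described in the report, as an added example that is not part of the original issue or of Qt's tooling: it compares a CVE table against `[Backport]` commit subjects and lists the CVEs fixed upstream at or below the stated patch level that no commit names. The four table rows are copied from the report; the log lines are constructed sample input, and the function names are hypothetical.

```python
import re

# Security patch level the report states for Qt 6.4.3 WebEngine.
PATCH_LEVEL = "110.0.5481.78"

# Rows copied from the report's table: CVE -> Chromium version carrying the fix.
FIXED_IN = {
    "CVE-2022-2157": "103.0.5060.53",
    "CVE-2022-3195": "105.0.5195.125",
    "CVE-2023-0474": "109.0.5414.119",
    "CVE-2023-0696": "110.0.5481.77",
}

# Constructed sample of `git log --format=%s` output; not real repository history.
SAMPLE_LOG = """\
[Backport] CVE-2022-3195: constructed subject line
[Backport] Security bug 0000000 (constructed)
Fix build with a newer compiler (constructed)
[Backport] CVE-2023-0696: constructed subject line
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def version_key(v):
    """Turn '103.0.5060.53' into (103, 0, 5060, 53) for numeric comparison."""
    return tuple(int(part) for part in v.split("."))

def backported_cves(log_text):
    """Collect CVE ids named in subject lines that start with [Backport]."""
    found = set()
    for line in log_text.splitlines():
        if line.startswith("[Backport]"):
            found.update(CVE_RE.findall(line))
    return found

def missing_backports(fixed_in, log_text, patch_level):
    """CVEs fixed upstream at or below patch_level with no [Backport] commit."""
    limit = version_key(patch_level)
    have = backported_cves(log_text)
    return sorted(cve for cve, ver in fixed_in.items()
                  if version_key(ver) <= limit and cve not in have)

if __name__ == "__main__":
    for cve in missing_backports(FIXED_IN, SAMPLE_LOG, PATCH_LEVEL):
        print(cve, "fixed in", FIXED_IN[cve], "- no [Backport] commit found")
```

Subject lines that cite only a bug number, like the second constructed line, are not matched, so the output is a list to investigate rather than proof that a fix is absent.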