Package: libqt5webkit5
Version: 5.9.1+dfsg-5
Severity: important
Tags: patch upstream

Dear Maintainer,

When running a Python3 application that uses QtWebKit5, I'm getting the
following segfault:

Thread 1 "python3" received signal SIGSEGV, Segmentation fault.
0x00007fffefc5592f in JSC::JSRopeString::resolveRope(JSC::ExecState*) const ()
from /usr/lib/x86_64-linux-gnu/libQt5WebKit.so.5
(gdb) bt
#0  0x00007fffefc5592f in JSC::JSRopeString::resolveRope(JSC::ExecState*) const
() at /usr/lib/x86_64-linux-gnu/libQt5WebKit.so.5
#1  0x00007fffefc8a570 in  () at /usr/lib/x86_64-linux-gnu/libQt5WebKit.so.5
#2  0x00007fffefa37584 in  () at /usr/lib/x86_64-linux-gnu/libQt5WebKit.so.5
#3  0x00007fff8979c4d5 in  ()
#4  0x00007fffffffc708 in  ()
#5  0xffff00000000002d in  ()
#6  0x00007fff00000000 in  ()
#7  0x00007fff5162db50 in  ()
#8  0x00007fff00000000 in  ()
#9  0x00007fff56754028 in  ()
#10 0x8000000080000000 in  ()
#11 0x6adccedb23bda099 in  ()
#12 0x00007fffc926b580 in  ()
#13 0x00007fff896c9b00 in  ()
#14 0x00007fffc926b590 in  ()
#15 0x00007fff81bfcf98 in  ()
#16 0x0000000000000000 in  ()

This has already been analysed (as seen here:
https://github.com/annulen/webkit/issues/562 ) and seems to be an aliasing bug
in WebKit's string copy routine: https://bugs.webkit.org/show_bug.cgi?id=173407
The bug never caused problems before due to gcc hiding it.

Upstream has already fixed the bug, but libqt5webkit5 in Debian sid is still
affected.
Please update the package with the upstream fix.

Thank you.



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (100, 
'unstable-debug'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libqt5webkit5 depends on:
ii  dpkg                                  1.18.24
ii  libc6                                 2.24-17
ii  libgl1-mesa-glx [libgl1]              13.0.6-1+b2
ii  libglib2.0-0                          2.54.0-1
ii  libgstreamer-plugins-base1.0-0        1.12.3-1
ii  libgstreamer1.0-0                     1.12.3-1
ii  libicu57                              57.1-6
ii  libjpeg62-turbo                       1:1.5.2-2
ii  libpng16-16                           1.6.32-2
ii  libqt5core5a [qtbase-abi-5-9-0]       5.9.1+dfsg-9
ii  libqt5gui5                            5.9.1+dfsg-9
ii  libqt5network5                        5.9.1+dfsg-9
ii  libqt5opengl5                         5.9.1+dfsg-9
ii  libqt5printsupport5                   5.9.1+dfsg-9
ii  libqt5qml5 [qtdeclarative-abi-5-9-1]  5.9.1-6
ii  libqt5quick5                          5.9.1-6
ii  libqt5sql5                            5.9.1+dfsg-9
ii  libqt5widgets5                        5.9.1+dfsg-9
ii  libsqlite3-0                          3.20.1-1
ii  libstdc++6                            7.2.0-5
ii  libwebp6                              0.6.0-3
ii  libx11-6                              2:1.6.4-3
ii  libxcomposite1                        1:0.4.4-2
ii  libxml2                               2.9.4+dfsg1-4
ii  libxrender1                           1:0.9.10-1
ii  libxslt1.1                            1.1.29-2.1
ii  zlib1g                                1:1.2.8.dfsg-5

libqt5webkit5 recommends no packages.

libqt5webkit5 suggests no packages.

-- no debconf information
