commit: 94676230c246ba7f32acd763397dd702f3a369d0 Author: Ionen Wolkens <ionen <AT> gentoo <DOT> org> AuthorDate: Thu Jun 5 07:50:47 2025 +0000 Commit: Ionen Wolkens <ionen <AT> gentoo <DOT> org> CommitDate: Thu Jun 5 08:26:13 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94676230
dev-qt/qtwebengine: backport CVE-2025-5419 fix Not the only issue, but this one is known exploited in the wild giving it higher priority (rest will likely wait until Qt 6.9.2 like usual). Bug: https://bugs.gentoo.org/957076 Signed-off-by: Ionen Wolkens <ionen <AT> gentoo.org> .../files/qtwebengine-6.9.1-CVE-2025-5419.patch | 36 ++++++++++++++++++++++ ...ne-6.9.1.ebuild => qtwebengine-6.9.1-r1.ebuild} | 1 + 2 files changed, 37 insertions(+)
diff --git a/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
new file mode 100644
index 000000000000..f42c854f46ca
--- /dev/null
+++ b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/957076
+https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/650558
+--- a/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
++++ b/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
+@@ -325,8 +325,9 @@
+ // access once available.
+ const bool is_on_heap_store = store.kind.tagged_base;
+- const bool is_field_store = !store.index().valid();
++ const bool is_fixed_offset_store = !store.index().valid();
+ const uint8_t size = store.stored_rep.SizeInBytes();
+- // For now we consider only stores of fields of objects on the heap.
+- if (is_on_heap_store && is_field_store) {
++ // For now we consider only stores of fixed offsets of objects on the
++ // heap.
++ if (is_on_heap_store && is_fixed_offset_store) {
+ bool is_eliminable_store = false;
+ switch (table_.GetObservability(store.base(), store.offset, size)) {
+@@ -415,9 +416,14 @@
+ // access once available.
+ const bool is_on_heap_load = load.kind.tagged_base;
+- const bool is_field_load = !load.index().valid();
++ const bool is_fixed_offset_load = !load.index().valid();
+ // For now we consider only loads of fields of objects on the heap.
+- if (is_on_heap_load && is_field_load) {
+- table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
+- load.offset);
++ if (is_on_heap_load) {
++ if (is_fixed_offset_load) {
++ table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
++ load.offset);
++ } else {
++ // A dynamically indexed load might alias any fixed offset.
++ table_.MarkAllStoresAsObservable();
++ }
+ }
+ break;
diff --git a/dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild b/dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild
similarity index 99%
rename from dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild
rename to dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild
index 02532f6ac935..2c63e4e725dc 100644
--- a/dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild
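Review bot: The context comment kept above the load check in the carried patch's second hunk (`@@ -415,9 +416,14 @@`), `// For now we consider only loads of fields of objects on the heap.`, no longer describes the code under it, which now also handles dynamically indexed loads by calling `table_.MarkAllStoresAsObservable()`. The store-side hunk reworded its comment to "fixed offsets", so the load side is left inconsistent; a matching line would be `// Heap loads: a fixed offset marks aliasing stores observable, an indexed load marks all of them.`. As this is a verbatim backport, the wording is probably better raised upstream than edited in the carried file. Loads whose base is not tagged still leave the table untouched, and whether that is intended cannot be judged from these lines, since the enclosing switch case starts and ends outside the hunk.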
+++ b/dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild @@ -110,6 +110,7 @@ PATCHES=( "${WORKDIR}"/patches/${PN} ) PATCHES+=( # add extras as needed here, may merge in set if carries across versions "${FILESDIR}"/${PN}-6.8.3-gperf3.2.patch + "${FILESDIR}"/${PN}-6.9.1-CVE-2025-5419.patch ) python_check_deps() {
