Possible to Update qtbase-5 to v5.15.8?

  • Done
  • quality assurance status badge
Details
6 participants
  • Leo Famulari
  • Maxim Cournoyer
  • Florian Bruhin
  • Philip McGrath
  • phodina
  • Jaft
Owner
unassigned
Submitted by
Jaft
Severity
normal
Merged with
J
J
Jaft wrote on 4 Jan 2022 18:35
(address . bug-guix@gnu.org)
28974452.1530175.1641317754644@mail.yahoo.com
Partially because it's the latest version but primarily because there's a bug in the current version for QTwebengine.
As detailed at r/qutebrowser - Comment by u/The-Compiler on ”WebGL blacklisted on Guix”, most text gets broken (https://bugs.chromium.org/p/chromium/issues/detail?id=1164975);I haven't tried other browsers but I've experienced this with Qutebrowser, currently.
It seems the issue was addressed in QT v5.15.7 so an update to, at least, that would, theoretically, solve the problem.


|
|
|
| | |

|

|
|
| |
r/qutebrowser - Comment by u/The-Compiler on ”WebGL blacklisted on Guix”

4 votes and 8 comments so far on Reddit
|

|

|
Attachment: file
L
L
Leo Famulari wrote on 4 Jan 2022 19:03
(name . Jaft via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 53011@debbugs.gnu.org)
YdSL7iyzCSGUixNT@jasmine.lan
On Tue, Jan 04, 2022 at 05:35:54PM +0000, Jaft via Bug reports for GNU Guix wrote:
Toggle quote (2 lines)
> As detailed at r/qutebrowser - Comment by u/The-Compiler on ”WebGL blacklisted on Guix”

I'm copying this report here:

------
I have installed Qutebrowser on Guix but when I open pages like Github
the page does not render some of It's elements (this happens with alot
of other pages aswell) so I lunched qutebrowser from the terminal to see
anything suspicious and found these error messages:

Error Messages

The error messages of WebGL being blacklisted come up exactly when I
launch pages like Github.

BTW: no config was used. However, the error also happens with my config.

I am running the latest version of Qutebrowser BTW.
------

And the "Error Messages" are unfortunately an image, which I've
attached.
Attachment: error messages.webp
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmHUi+4ACgkQJkb6MLrK
fwiyjBAAkGhKhzcU5iJuvRuJv/Nc6RDA3Wf49I2ZMO2uBo9676obrEYowOu4Exeg
U9cnGSYG+miKVxQoOSpIgxTVsp1HPLBJ5kZktNKt+ZV0ZbN0zbFQve/WmKfO7sWI
wflE8eg4PC41pEfsD7P3SgvpdvEk2eJdhqVwMm0ADPdo5ffGAvUufbmVxZ39+qGd
8qGK3uguBXbp87890iHzlZFPD8GNtOZRVZ0EHFE3Cio38iWnq6Yhazhu4+5seSsH
142EBWwy6dQlNZ6yRTxkfMZxyix5+/QB2OoWHzrhQKuXkagfb1K2DD8djt/fc59C
0TppoDkdmC2Em/NK4r0o5cWOxCAa+k/sTNm4KRaZM7hI2HjvHSC49hF51nRgjtgg
zvXIKWF0ejX5QKw9cwdwRGFwIiJwwaO+DFTA+oTlf7yhpH3Nq8ayaz3s+PhReC/A
8Iq+uSWLUKxrBkvd49SAYtW+0OJlUdj4J5DjpIpXC8PZ0hwWEltofS6ggyf6nPjY
pA474kNlgKKnYGTH2Gdr1/3KrdXS2e/OrJRe0UFYYmI8k9dUDklT9pbmkeNFTIws
92K/WiAFtFdnXhpWDfQFKSrALr6yD5+pGtXEGPdO+5nyGlT0erIDjijzu5TI9wmM
ETrSyd+BBCzURs4lyHGT+2upaAuawreBEkSkzb2FSxQrhb/nmAA=
=IkJ1
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 4 Jan 2022 19:04
(name . Jaft via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 53011@debbugs.gnu.org)
YdSMOd9lJ5p3C0b+@jasmine.lan
On Tue, Jan 04, 2022 at 05:35:54PM +0000, Jaft via Bug reports for GNU Guix wrote:
Toggle quote (4 lines)
> Partially because it's the latest version but primarily because there's a bug in the current version for QTwebengine.
> As detailed at r/qutebrowser - Comment by u/The-Compiler on ”WebGL blacklisted on Guix”, most text gets broken (https://bugs.chromium.org/p/chromium/issues/detail?id=1164975); I haven't tried other browsers but I've experienced this with Qutebrowser, currently.
> It seems the issue was addressed in QT v5.15.7 so an update to, at least, that would, theoretically, solve the problem.

I wonder if this is related to https://issues.guix.gnu.org/52993
("There is a problem with text rendering in the anki").
F
F
Florian Bruhin wrote on 4 Jan 2022 19:04
Re: Possible to Update qtbase-5 to v5.15.8?
(name . Jaft)(address . wamm_kd_schmelingski@yahoo.com)(address . 53011@debbugs.gnu.org)
20220104180457.tgkrnle4nc6ougdr@aragog
Hey,

qutebrowser upstream here.

On Tue, Jan 04, 2022 at 05:35:54PM +0000, Jaft wrote:
Toggle quote (2 lines)
> Partially because it's the latest version but primarily because there's a bug in the current version for QTwebengine.

Note that qtbase releases after 5.15.2 are commercial-only
unfortunately:


However, QtWebEngine source releases are exempt from that, due to
containing third-party LGPL code, so its source for newer releases is
publicly available:

Most distributions I'm aware of are still keeping updated with those
releases, as they should work just fine against an older qtbase.

Alternatively, to fix the issues with missing text, backporting this
patch should suffice:

However, newer QtWebEngine releases come with a variety of security
fixes and even a Chromium upgrade (from 83 to 87), so I'd highly
recommend keeping it up to date.

Florian

--
me@the-compiler.org | https://www.qutebrowser.org
https://bruhin.software/| https://github.com/sponsors/The-Compiler/
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE4E5WAAJAG47w528KkW6wyP1VoHIFAmHUjEQACgkQkW6wyP1V
oHJswg//d7pKHALwrCJ3l22Wo3Awz4lDDuzbC9MzVuoe8A1CmZYvuteOXjYXRMQ0
4nJUDO9JM9nEBRPAYOkBYag3+s0Cn1/UKfKac8QDf7GXQbDnk3Nh+uVBBXsurTby
SVq5VE5I+c1OcJpsQqcc5EzSeTim5P9yKUVrF5BcEMisgP6h1B4wRFfw3MtC6aJy
XGEFus9RahzhEMmKBTonQSWBfuRozENHomuWvkEbojCMrvhLxnoDV5fBYc8phBhV
ex92pejYOvjdGUWHqYCDyV7CfFV0nwqrW+zcxYDpFGqkesxBAOPwEObx4M2aqKAa
bm6dAuL/5F98fzFsYpOFXabksd+/mQsnfnMshf70OPMcydmVPBNBjs/6Vs5/FFtR
HfcNri+xhsMDmnr9KLLF4cXDF620FwEKDlx2g0MBacLzzJzbfIKvdLU+rI+BD5d5
D2o/V8yGG0rv/cdrQ1HHZJ2YgiCdVZ7zeIB5UjxADrqLJykd0GNacnIi19RKivjt
wSszJ6QiMBryILUPDwkMTkjtjmQNcKDXKfxQH57DUcrpc230GkRMoz03qbI2iK/d
YHNzDjdhkeLf2Y8Xjye3O1kUBoqLST+fbRO5pcHjL4SlSMcuo4DCTp1GLRwdJ6mf
ayOq/StQnVoQ4dcdkflM4BXFzJfnkgaFpSzw/rpjbWiGXZnFYWo=
=9VqE
-----END PGP SIGNATURE-----


F
F
Florian Bruhin wrote on 4 Jan 2022 21:32
(address . 53011@debbugs.gnu.org)
20220104203210.s4b52rccx2xrzexm@aragog
As for qutebrowser, this can be considered a duplicate of:
https://issues.guix.gnu.org/52672("qutebrowser 2.4.0 text rendering
broken").

The Anki bug could indeed be the same. If I remember correctly, Anki
does use QtWebEngine.

--
me@the-compiler.org | https://www.qutebrowser.org
https://bruhin.software/| https://github.com/sponsors/The-Compiler/
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE4E5WAAJAG47w528KkW6wyP1VoHIFAmHUrsYACgkQkW6wyP1V
oHLxfg/+KoIeWbVcHBfppqmMvt644ask8tIoZj4pHu7p8J5D/5J+8I7MheYmzXhv
SM0h+i0xrOwhCIngWBFcgHqVt3xvwrtPU/fi0Nwbj6aHqmPezzn4Q2DzZPZ/n58a
8kSE2ry+aWCDwbocAwGpJe/+9javQ3FyHZLZtivbl1Nn8/K96zREUY6dRfemAHwz
Z68vOq0tTZ3BFJZEP0YsKACf2vpplJ7ADJRPJN8CXdlBuZNBeEH5OGdksqXPNdeh
DnAjjzcanIJyMDvvE/vnBb8sGUGACnCyJyDsZJ3SD5LkluYq0NqGUw1S3Ab+yuMn
eKUNHuz+htiRqMBrLPPuoZxzBqbqL4OJWJGfBrMCHDoUduz8fheaEvBat6fIBTQ5
JBhMpdP3e3FtpfFOxrB+780Cyjq4sH8l414NsduIk7BTRB0+gu2OrcRg8ZgBI/Vt
LfFyIHya3N8TJPWbzdGyg/K9xDj3QS7lzkUXcnonj6MVZLV6DQfqUm/XiV0+13zL
TLaOcoUuIL7XEHIWvkq1PjHsTUAo9fFZDCe/HbnnB16ekcW/aUQt37a0nH+sH1An
Tu4SFK/Jm2bBl+BmeJKVgx/S3bdZ3aGTbSG8mQb0hKz4gRHMSgbe65ZVBU/l7aii
T5rsStMY3FUtDHTPVilpmWS7+QwwmXXAwV5CUQYTJrtmhSWFwTY=
=dbxl
-----END PGP SIGNATURE-----


P
P
Philip McGrath wrote on 5 Jan 2022 08:07
dbddd30e-7507-bbb3-aa69-0a3691214459@philipmcgrath.com
Hi,

On 1/4/22 13:04, Florian Bruhin wrote:
Toggle quote (32 lines)
> Hey,
>
> qutebrowser upstream here.
>
> On Tue, Jan 04, 2022 at 05:35:54PM +0000, Jaft wrote:
>> Partially because it's the latest version but primarily because there's a bug in the current version for QTwebengine.
>
> Note that qtbase releases after 5.15.2 are commercial-only
> unfortunately:
>
> https://www.qt.io/blog/qt-offering-changes-2020
> https://www.qt.io/blog/commercial-lts-qt-5.15.3-released
>
> However, QtWebEngine source releases are exempt from that, due to
> containing third-party LGPL code, so its source for newer releases is
> publicly available:
> https://code.qt.io/cgit/qt/qtwebengine.git/refs/tags
>
> Most distributions I'm aware of are still keeping updated with those
> releases, as they should work just fine against an older qtbase.
>
> Alternatively, to fix the issues with missing text, backporting this
> patch should suffice:
> https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/374232
>
> However, newer QtWebEngine releases come with a variety of security
> fixes and even a Chromium upgrade (from 83 to 87), so I'd highly
> recommend keeping it up to date.
>
> Florian
>

As some of you may know, KDE maintains a carefully curated patch
collection for Qt 5 consisting strictly of backports from the current
(QT6-based) development branch of Qt and fixes for removed
functionality. (They do not increment the Qt version number, to avoid
any further confusion.) AIUI, this is the same way The Qt Company
creates their non-public releases for customers using non-free licenses
(or at least it's what they say they do), though the KDE developers,
quite reasonably, only backport patches of interest to free software.

Announcement:

Using these patches should be as easy as pointing the origin of the
relevant Guix packages to the kde/5.15 branches of the corresponding

I think this would be the best way to update Guix's qtbase-5 and other
packages in general. But, as Florian explains, the situation with
QtWebEngine is even less complicated.

-Philip
L
L
Leo Famulari wrote on 5 Jan 2022 20:08
Re: bug#53011: Possible to Update qtbase-5 to v5.15.8?
(name . Florian Bruhin)(address . me@the-compiler.org)
YdXsmASThUQWcivv@jasmine.lan
On Tue, Jan 04, 2022 at 07:04:57PM +0100, Florian Bruhin wrote:
Toggle quote (4 lines)
> Alternatively, to fix the issues with missing text, backporting this
> patch should suffice:
> https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/374232

I'm testing this now.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmHV7JgACgkQJkb6MLrK
fwivqQ/6ArK2Wh2q/bxfP2Gkf3Ch2sFbt0uf/DXqT+hNnccgbIvh9WWvuNygHFZx
PV2srDWWkVE4rDtbpoaeYLQ8JYmw3hYjBckyAjI1sSZ1YIYCcZs02lGI0+r//MZN
YfATAsZnOPkpHmuf42R1I3fSZ+DDBoNlKpVqlcGeEx67qbsCSrMUy+mlo8TYjIFY
lI1an5JhXDcIjqncwt7Crr0wBxr2Fs+vAzT62CaBcqxeEgbzy2yRJK8aJPquC9kZ
duw66y8glnHccgAQjdo2DpOeRAien/y9exyGPX74L57SoefaHmSwitMsGjkxLlCV
4BLiBR54QvCALOYO+6XvlT6lXoW6Aw4OeOgACByIKZBt2mon4VktqqHf0o2FkUGJ
fC/i3b6O43LXRboBGk4P5kvO4BNbv2zRDny4TyTm3Vc6no0ul0nUY+XbiEecIDUj
4Sg/xkhWE41Ks6x3GNVMb2XGVkLOKEk5ZxaU5/KvCY157GDnnhx+ZJ49V5Y4ZOI/
ZqrjW2oYpscG9ofO1ao7P70utuTHyLwoEkFdtWYoSgUOYuZ+FyEYV2uXs8HF8Esb
4I/aObNY5iJxKXjq2C4G4dbkYQaY2yJqfVB1m+MSe6h8FdDi/Zaz4I0cCcx7HPZ8
5Xu39DnO10ks4RusPGNiIInvRCBO5lYSAvAuibVXxtZCUATmS2o=
=qGQD
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 5 Jan 2022 20:09
(no subject)
(address . control@debbugs.gnu.org)
YdXszSH9ZgP4XW7M@jasmine.lan
merge 52672 53011
L
L
Leo Famulari wrote on 5 Jan 2022 20:09
Re: bug#53011: Possible to Update qtbase-5 to v5.15.8?
(name . Florian Bruhin)(address . me@the-compiler.org)
YdXtBPzCpUxnO3Ne@jasmine.lan
On Wed, Jan 05, 2022 at 02:08:08PM -0500, Leo Famulari wrote:
Toggle quote (7 lines)
> On Tue, Jan 04, 2022 at 07:04:57PM +0100, Florian Bruhin wrote:
> > Alternatively, to fix the issues with missing text, backporting this
> > patch should suffice:
> > https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/374232
>
> I'm testing this now.

Oh, the patch does not apply to the source code of our qtwebengine
package. So, I hope that somebody else will take a look and try to fix
this bug.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmHV7QQACgkQJkb6MLrK
fwjkehAAs5PFkZyzNIK5J3itqMGRMtGkPYUKq90W8qPVz1hcf4ew3KIvP4ejxh1C
WrpFI4BYAyoy4m5Ul3EicEFupB2F27JiKV2K3mw0zJhNOuE2zyPVE8JkUF/jM6b6
Er7EYs44nwMPl/BYIy41ED+KubeKNuqOFKneKfq4G1IT8GukqwCibE7O+prozLQs
q0L3QhJeLsIT8IzEzVRz2N7WrE6wSyp7388F7F7o/S2BXxJOAEg0m4UJS5XIFdW8
N1SZ9NfMdeHMkYQSJNHj1Ly3Y9Rmi4EOpqd0+nCLZb5pEBNtzHbXXJOCptXapelW
zD5mXm4zPeSYRruhAFrnnWAWfxsqJ0Kda4/N2ciYH188/oOfKFNBMm17qWKD1+AC
l4TAH4VRfC8f0gedBFl8jd9utCPPEmS2AF/HjxnKPkXhHc7usTzdp6BBqZJ19uI/
ioROSkhdfuILHYwCu0GZNbaOtUSHuK3VQiSs7N7ssox0hmVmmVQylw4MsV6ayNni
IImFefPIOApQZMIpKm6oz74cUivldzuRQ8DBbO8HGfZOQ3R53BgLvVLCsEPpfBIY
sZLVyt+QrVm/YECn+DhtClwLmPaZqaMQCuDu+k5766fIesPET8ryS0g5QRZo13d8
q3+PfqL7naug0QQYQ/hSTWvTySfRrq6IqU/AuOBGh1YfmNZzYBI=
=R6FB
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 5 Jan 2022 20:10
[PATCH] gnu: Fix text rendering in QtWebEngine.
(address . 53011@debbugs.gnu.org)
f8d52c62079ae0966119bf49e7f93180794b836e.1641409834.git.leo@famulari.name
NOTE: The patch does not apply to our qtwebengine source.

* gnu/packages/patches/qtwebengine-fix-text-rendering.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/qt.scm (qtwebengine)[source]: Use it.
---
gnu/local.mk | 1 +
.../qtwebengine-fix-text-rendering.patch | 348 ++++++++++++++++++
gnu/packages/qt.scm | 1 +
3 files changed, 350 insertions(+)
create mode 100644 gnu/packages/patches/qtwebengine-fix-text-rendering.patch

Toggle diff (380 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index be185a0abf..c94d1bc125 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1725,6 +1725,7 @@ dist_patch_DATA = \
%D%/packages/patches/quagga-reproducible-build.patch \
%D%/packages/patches/quassel-qt-514-compat.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
+ %D%/packages/patches/qtwebengine-fix-text-rendering.patch \
%D%/packages/patches/qtwebkit-pbutils-include.patch \
%D%/packages/patches/qtwebkit-fix-building-with-bison-3.7.patch \
%D%/packages/patches/qtwebkit-fix-building-with-python-3.9.patch \
diff --git a/gnu/packages/patches/qtwebengine-fix-text-rendering.patch b/gnu/packages/patches/qtwebengine-fix-text-rendering.patch
new file mode 100644
index 0000000000..b432a440f6
--- /dev/null
+++ b/gnu/packages/patches/qtwebengine-fix-text-rendering.patch
@@ -0,0 +1,348 @@
+Fix text rendering in QtWebEngine:
+
+https://issues.guix.gnu.org/52672
+
+Patch copied from upstream:
+
+https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/374232
+
+From be0320febb694d850b76396346ef7ba5b45b7f0d Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 16 Sep 2021 13:17:58 +0200
+Subject: [PATCH] [Backport] Linux sandbox: fix fstatat() crash
+
+This is a reland of https://crrev.com/c/2801873.
+
+Glibc has started rewriting fstat(fd, stat_buf) to
+fstatat(fd, "", stat_buf, AT_EMPTY_PATH). This works because when
+AT_EMPTY_PATH is specified, and the second argument is an empty string,
+then fstatat just performs an fstat on fd like normal.
+
+Unfortunately, fstatat() also allows stat-ing arbitrary pathnames like
+with fstatat(AT_FDCWD, "/i/am/a/file", stat_buf, 0);
+The baseline policy needs to prevent this usage of fstatat() since it
+doesn't allow access to arbitrary pathnames.
+
+Sadly, if the second argument is not an empty string, AT_EMPTY_PATH is
+simply ignored by current kernels.
+
+This means fstatat() is completely unsandboxable with seccomp, since
+we *need* to verify that the second argument is the empty string, but
+we can't dereference pointers in seccomp (due to limitations of BPF,
+and the difficulty of addressing these limitations due to TOCTOU
+issues).
+
+So, this CL Traps (raises a SIGSYS via seccomp) on any fstatat syscall.
+The signal handler, which runs in the sandboxed process, checks for
+AT_EMPTY_PATH and the empty string, and then rewrites any applicable
+fstatat() back into the old-style fstat().
+
+Bug: 1164975
+Change-Id: I3df6c04c0d781eb1f181d707ccaaead779337291
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Commit-Queue: Matthew Denton <mpdenton@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#903873}
+Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
+---
+
+diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+index 3c67b12..ca19290 100644
+--- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -20,6 +20,7 @@
+ #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+ #include "sandbox/linux/services/syscall_wrappers.h"
++#include "sandbox/linux/system_headers/linux_stat.h"
+ #include "sandbox/linux/system_headers/linux_syscalls.h"
+
+ #if !defined(SO_PEEK_OFF)
+@@ -257,6 +258,13 @@
+ return RestrictKillTarget(current_pid, sysno);
+ }
+
++ // The fstatat syscalls are file system syscalls, which will be denied below
++ // with fs_denied_errno. However some allowed fstat syscalls are rewritten by
++ // libc implementations to fstatat syscalls, and we need to rewrite them back.
++ if (sysno == __NR_fstatat_default) {
++ return RewriteFstatatSIGSYS(fs_denied_errno);
++ }
++
+ if (SyscallSets::IsFileSystem(sysno) ||
+ SyscallSets::IsCurrentDirectory(sysno)) {
+ return Error(fs_denied_errno);
+diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+index 64ec1ce..814b700 100644
+--- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
++++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc
+@@ -50,7 +50,8 @@
+
+ namespace {
+
+-// This also tests that read(), write() and fstat() are allowed.
++// This also tests that read(), write(), fstat(), and fstatat(.., "", ..,
++// AT_EMPTY_PATH) are allowed.
+ void TestPipeOrSocketPair(base::ScopedFD read_end, base::ScopedFD write_end) {
+ BPF_ASSERT_LE(0, read_end.get());
+ BPF_ASSERT_LE(0, write_end.get());
+@@ -59,6 +60,20 @@
+ BPF_ASSERT_EQ(0, sys_ret);
+ BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
+
++ sys_ret = fstatat(read_end.get(), "", &stat_buf, AT_EMPTY_PATH);
++ BPF_ASSERT_EQ(0, sys_ret);
++ BPF_ASSERT(S_ISFIFO(stat_buf.st_mode) || S_ISSOCK(stat_buf.st_mode));
++
++ // Make sure fstatat with anything other than an empty string is denied.
++ sys_ret = fstatat(read_end.get(), "/", &stat_buf, AT_EMPTY_PATH);
++ BPF_ASSERT_EQ(sys_ret, -1);
++ BPF_ASSERT_EQ(EPERM, errno);
++
++ // Make sure fstatat without AT_EMPTY_PATH is denied.
++ sys_ret = fstatat(read_end.get(), "", &stat_buf, 0);
++ BPF_ASSERT_EQ(sys_ret, -1);
++ BPF_ASSERT_EQ(EPERM, errno);
++
+ const ssize_t kTestTransferSize = 4;
+ static const char kTestString[kTestTransferSize] = {'T', 'E', 'S', 'T'};
+ ssize_t transfered = 0;
+diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+index 76eb324..13e7180 100644
+--- a/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
++++ b/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+@@ -6,6 +6,7 @@
+
+ #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+
++#include <fcntl.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -22,6 +23,7 @@
+ #include "sandbox/linux/seccomp-bpf/syscall.h"
+ #include "sandbox/linux/services/syscall_wrappers.h"
+ #include "sandbox/linux/system_headers/linux_seccomp.h"
++#include "sandbox/linux/system_headers/linux_stat.h"
+ #include "sandbox/linux/system_headers/linux_syscalls.h"
+
+ #if defined(__mips__)
+@@ -355,6 +357,24 @@
+ return -ENOSYS;
+ }
+
++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++ void* fs_denied_errno) {
++ if (args.nr == __NR_fstatat_default) {
++ if (*reinterpret_cast<const char*>(args.args[1]) == '\0' &&
++ args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
++ return syscall(__NR_fstat_default, static_cast<int>(args.args[0]),
++ reinterpret_cast<default_stat_struct*>(args.args[2]));
++ }
++ return -reinterpret_cast<intptr_t>(fs_denied_errno);
++ }
++
++ CrashSIGSYS_Handler(args, fs_denied_errno);
++
++ // Should never be reached.
++ RAW_CHECK(false);
++ return -ENOSYS;
++}
++
+ bpf_dsl::ResultExpr CrashSIGSYS() {
+ return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
+ }
+@@ -387,6 +407,11 @@
+ return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+ }
+
++bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) {
++ return bpf_dsl::Trap(SIGSYSFstatatHandler,
++ reinterpret_cast<void*>(fs_denied_errno));
++}
++
+ void AllocateCrashKeys() {
+ #if !defined(OS_NACL_NONSFI)
+ if (seccomp_crash_key)
+diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+index 7a958b9..8cd735c 100644
+--- a/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
++++ b/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+@@ -62,6 +62,19 @@
+ // sched_setparam(), sched_setscheduler()
+ SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
+ void* aux);
++// If the fstatat() syscall is functionally equivalent to an fstat() syscall,
++// then rewrite the syscall to the equivalent fstat() syscall which can be
++// adequately sandboxed.
++// If the fstatat() is not functionally equivalent to an fstat() syscall, we
++// fail with -fs_denied_errno.
++// If the syscall is not an fstatat() at all, crash in the same way as
++// CrashSIGSYS_Handler.
++// This is necessary because glibc and musl have started rewriting fstat(fd,
++// stat_buf) as fstatat(fd, "", stat_buf, AT_EMPTY_PATH). We rewrite the latter
++// back to the former, which is actually sandboxable.
++SANDBOX_EXPORT intptr_t
++SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++ void* fs_denied_errno);
+
+ // Variants of the above functions for use with bpf_dsl.
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
+@@ -72,6 +85,7 @@
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno);
+
+ // Allocates a crash key so that Seccomp information can be recorded.
+ void AllocateCrashKeys();
+diff --git a/chromium/sandbox/linux/syscall_broker/broker_process.cc b/chromium/sandbox/linux/syscall_broker/broker_process.cc
+index d72c9d2..36df5e4 100644
+--- a/chromium/sandbox/linux/syscall_broker/broker_process.cc
++++ b/chromium/sandbox/linux/syscall_broker/broker_process.cc
+@@ -122,44 +122,49 @@
+ }
+
+ bool BrokerProcess::IsSyscallBrokerable(int sysno, bool fast_check) const {
++ // The syscalls unavailable on aarch64 are all blocked by Android's default
++ // seccomp policy, even on non-aarch64 architectures. I.e., the syscalls XX()
++ // with a corresponding XXat() versions are typically unavailable in aarch64
++ // and are default disabled in Android. So, we should refuse to broker them
++ // to be consistent with the platform's restrictions.
+ switch (sysno) {
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_access:
+ #endif
+ case __NR_faccessat:
+ return !fast_check || allowed_command_set_.test(COMMAND_ACCESS);
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_mkdir:
+ #endif
+ case __NR_mkdirat:
+ return !fast_check || allowed_command_set_.test(COMMAND_MKDIR);
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_open:
+ #endif
+ case __NR_openat:
+ return !fast_check || allowed_command_set_.test(COMMAND_OPEN);
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_readlink:
+ #endif
+ case __NR_readlinkat:
+ return !fast_check || allowed_command_set_.test(COMMAND_READLINK);
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_rename:
+ #endif
+ case __NR_renameat:
+ case __NR_renameat2:
+ return !fast_check || allowed_command_set_.test(COMMAND_RENAME);
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_rmdir:
+ return !fast_check || allowed_command_set_.test(COMMAND_RMDIR);
+ #endif
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_stat:
+ case __NR_lstat:
+ #endif
+@@ -184,7 +189,7 @@
+ return !fast_check || allowed_command_set_.test(COMMAND_STAT);
+ #endif
+
+-#if !defined(__aarch64__)
++#if !defined(__aarch64__) && !defined(OS_ANDROID)
+ case __NR_unlink:
+ return !fast_check || allowed_command_set_.test(COMMAND_UNLINK);
+ #endif
+diff --git a/chromium/sandbox/linux/syscall_broker/broker_process_unittest.cc b/chromium/sandbox/linux/syscall_broker/broker_process_unittest.cc
+index b1d7106..15e00d5 100644
+--- a/chromium/sandbox/linux/syscall_broker/broker_process_unittest.cc
++++ b/chromium/sandbox/linux/syscall_broker/broker_process_unittest.cc
+@@ -1596,52 +1596,52 @@
+ const base::flat_map<BrokerCommand, base::flat_set<int>> kSysnosForCommand = {
+ {COMMAND_ACCESS,
+ {__NR_faccessat,
+-#if defined(__NR_access)
++#if defined(__NR_access) && !defined(OS_ANDROID)
+ __NR_access
+ #endif
+ }},
+ {COMMAND_MKDIR,
+ {__NR_mkdirat,
+-#if defined(__NR_mkdir)
++#if defined(__NR_mkdir) && !defined(OS_ANDROID)
+ __NR_mkdir
+ #endif
+ }},
+ {COMMAND_OPEN,
+ {__NR_openat,
+-#if defined(__NR_open)
++#if defined(__NR_open) && !defined(OS_ANDROID)
+ __NR_open
+ #endif
+ }},
+ {COMMAND_READLINK,
+ {__NR_readlinkat,
+-#if defined(__NR_readlink)
++#if defined(__NR_readlink) && !defined(OS_ANDROID)
+ __NR_readlink
+ #endif
+ }},
+ {COMMAND_RENAME,
+ {__NR_renameat,
+-#if defined(__NR_rename)
++#if defined(__NR_rename) && !defined(OS_ANDROID)
+ __NR_rename
+ #endif
+ }},
+ {COMMAND_UNLINK,
+ {__NR_unlinkat,
+-#if defined(__NR_unlink)
++#if defined(__NR_unlink) && !defined(OS_ANDROID)
+ __NR_unlink
+ #endif
+ }},
+ {COMMAND_RMDIR,
+ {__NR_unlinkat,
+-#if defined(__NR_rmdir)
++#if defined(__NR_rmdir) && !defined(OS_ANDROID)
+ __NR_rmdir
+ #endif
+ }},
+ {COMMAND_STAT,
+ {
+-#if defined(__NR_stat)
++#if defined(__NR_stat) && !defined(OS_ANDROID)
+ __NR_stat,
+ #endif
+-#if defined(__NR_lstat)
++#if defined(__NR_lstat) && !defined(OS_ANDROID)
+ __NR_lstat,
+ #endif
+ #if defined(__NR_fstatat)
+diff --git a/chromium/sandbox/linux/system_headers/linux_stat.h b/chromium/sandbox/linux/system_headers/linux_stat.h
+index 35788eb..83b89ef 100644
+--- a/chromium/sandbox/linux/system_headers/linux_stat.h
++++ b/chromium/sandbox/linux/system_headers/linux_stat.h
+@@ -157,6 +157,10 @@
+ };
+ #endif
+
++#if !defined(AT_EMPTY_PATH)
++#define AT_EMPTY_PATH 0x1000
++#endif
++
+ // On 32-bit systems, we default to the 64-bit stat struct like libc
+ // implementations do. Otherwise we default to the normal stat struct which is
+ // already 64-bit.
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 01bf961bbf..55f141cd24 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -1549,6 +1549,7 @@ (define-public qtwebengine
(sha256
(base32
"1q4idxdm81sx102xc12ixj0xpfx52d6vwvs3jpapnkyq8c7cmby8"))
+ (patches (search-patches "qtwebengine-fix-text-rendering.patch"))
(modules '((ice-9 ftw)
(ice-9 match)
(srfi srfi-1)
--
2.34.0
J
J
Jaft wrote on 2 Feb 2022 20:15
Re: bug#53011: Possible to Update qtbase-5 to v5.15.8?
(name . 53011@debbugs.gnu.org)(address . 53011@debbugs.gnu.org)
621108953.5364096.1643829354936@mail.yahoo.com
I don't know if it's the best method to handle this but I tried just applying the patch manually with substitute*s.
Whatever point the codebase in the patch is, what's being pulled down by Guix doesn't seem to be there yet as one of the files was entirely missing but adding the file manually didn't seem to disturb anything and everything was able to build alright, for me.
I'm now typing this from Qutebrowser, built with my altered QTwebengine, and I've got proper text rendering (at least, for the sites I first noticed text rendering failing at and sites that had worked properly, to begin with).
On Wednesday, January 5, 2022, 01:09:58 PM CST, Leo Famulari <leo@famulari.name> wrote:
On Wed, Jan 05, 2022 at 02:08:08PM -0500, Leo Famulari wrote:
Toggle quote (7 lines)
> On Tue, Jan 04, 2022 at 07:04:57PM +0100, Florian Bruhin wrote:
> > Alternatively, to fix the issues with missing text, backporting this
> > patch should suffice:
> > https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/374232
>
> I'm testing this now.

Oh, the patch does not apply to the source code of our qtwebengine
package. So, I hope that somebody else will take a look and try to fix
this bug.
Attachment: file
Attachment: qtwebengine.patch
P
P
phodina wrote on 2 Jul 2022 00:08
Qt patches for 5.15.5
(name . 53011@debbugs.gnu.org)(address . 53011@debbugs.gnu.org)
HyZWGi6khtMJKizbwzhh5e29hlQNprpU1F3B084AZi2-DtxdtvZAcbo1q4c0RIcAivfJfg7iKByUBJelwlQQKQIVlYxw3UIxs97w89vg_08=@protonmail.com
Hi,

I'm attempting to update the Qt packages to 5.15.5 in this ticket https://issues.guix.gnu.org/56293.

Could somebody check the QtWebengine? It's the only thing that does not build even when I try to build it based on the Linux from scratch.

----
Petr
Attachment: file
M
M
Maxim Cournoyer wrote on 29 Mar 2023 02:38
Re: bug#53011: Possible to Update qtbase-5 to v5.15.8?
(name . Jaft)(address . wamm_kd_schmelingski@yahoo.com)
878rfg75od.fsf@gmail.com
Hi,

Jaft <wamm_kd_schmelingski@yahoo.com> writes:

Toggle quote (8 lines)
> Partially because it's the latest version but primarily because there's a bug in the current version for QTwebengine.
> As detailed at r/qutebrowser - Comment by u/The-Compiler on ”WebGL
> blacklisted on Guix”, most text gets broken
> (https://bugs.chromium.org/p/chromium/issues/detail?id=1164975); I
> haven't tried other browsers but I've experienced this with
> Qutebrowser, currently.
> It seems the issue was addressed in QT v5.15.7 so an update to, at least, that would, theoretically, solve the problem.

I've updated the Qt 5 packages to 5.15.8 on staging; feel free to give
it a shot in the next week or so, after which I'll consider merging the
staging branch to master if there are no blockers.

--
Thanks,
Maxim
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 53011@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 53011
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch