qt512: patch qtwebengine against CVE-2019-5786

[xantoz]

Motivation for this change

qtwebengine is vulnerable to CVE-2019-5786

See: https://codereview.qt-project.org/#/c/255162/

Things done

Took the patch at http://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=43316b15
and modified it so it would apply (only the paths needed to be changed).

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Assured whether relevant documentation is up to date
• Fits CONTRIBUTING.md.

---

[xantoz]

Changed qt-5.12 in the commit message and PR title to qt512 to match the attribute name.

[andir]

@xantoz thank you for the PR.

It looks like a good thing to fix. Do you have any idea about older versions of QT? I could imagine most of them (that are based of the same engine) have this issue.

We currently have 5.12, 5.11, 5.9, 5.6, 4.8 (and also qt3) in nixpkgs. Checking if the same patch applies to older versions would be good.

[xantoz]

@andir I have checked against 5.11, and the patch does not apply. I haven't been able to find file_reader_loader.cc in there to start with. So backporting this patch to 5.11 and older will take some extra detective work.

With that in mind, I went ahead with only patching 5.12.

[andir]

Ported to 19.03 in e750a2e

[xantoz]

Thanks for the merge.
I'd just like to point out that qt-5.12.2 has been released since, which fixes this and some other bugs/CVEs in qtwebengine: https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.12.2/?h=v5.12.2