Diffstat (limited to 'main/webkit')
-rw-r--r--main/webkit/APKBUILD38
-rw-r--r--main/webkit/cve-2010-2646.patch110
-rw-r--r--main/webkit/cve-2010-2651.patch38
-rw-r--r--main/webkit/cve-2010-2900.patch29
-rw-r--r--main/webkit/cve-2010-2901.patch98
-rw-r--r--main/webkit/cve-2010-3115.patch16
-rw-r--r--main/webkit/cve-2010-3116.patch17
-rw-r--r--main/webkit/cve-2010-3120.patch27
8 files changed, 368 insertions, 5 deletions
diff --git a/main/webkit/APKBUILD b/main/webkit/APKBUILD
index f8d433254..4eac1ff86 100644
--- a/main/webkit/APKBUILD
+++ b/main/webkit/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=webkit
pkgver=1.2.4
-pkgrel=0
+pkgrel=1
pkgdesc="portable web rendering engine WebKit for GTK+"
url="http://webkitgtk.org/"
license="LGPL BSD"
@@ -16,12 +16,33 @@ makedepends="
"
install=
subpackages="$pkgname-dev gtklauncher"
-source="http://webkitgtk.org/$pkgname-$pkgver.tar.gz"
+source="http://webkitgtk.org/$pkgname-$pkgver.tar.gz
+ cve-2010-2646.patch
+ cve-2010-2651.patch
+ cve-2010-2900.patch
+ cve-2010-2901.patch
+ cve-2010-3115.patch
+ cve-2010-3116.patch
+ cve-2010-3120.patch
+ "
depends_dev="gtk+-dev libsoup-dev gstreamer-dev"
+_builddir="$srcdir"/$pkgname-$pkgver
+
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case "$i" in
+ *.patch)
+ msg "Applying $i"
+ patch -p1 -i "$srcdir"/$i || return 1
+ ;;
+ esac
+ done
+}
build() {
- cd "$srcdir"/$pkgname-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
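Review bot: `cd "$_builddir"` on the first line of the new prepare() has no failure check, while the patch line right below it does (`|| return 1`); if the extracted directory is missing, the loop runs in whatever the current directory happens to be. Make it `cd "$_builddir" || return 1`, and for consistency with the quoted `"$srcdir"` quote the loop variable as well: `patch -p1 -i "$srcdir/$i" || return 1`. The same unchecked `cd "$_builddir"` also appears in build() in this hunk and in package() in the next one. prepare() is complete within the hunk; build() continues past it.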
@@ -30,7 +51,7 @@ build() {
}
package() {
- cd "$srcdir"/$pkgname-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install
}
@@ -42,4 +63,11 @@ gtklauncher() {
"$subpkgdir"/usr/bin/GtkLauncher
}
-md5sums="dc3a92dd0e8c2e70263fbfdf809b51a5 webkit-1.2.4.tar.gz"
+md5sums="dc3a92dd0e8c2e70263fbfdf809b51a5 webkit-1.2.4.tar.gz
+3d2c4af2fa46388876de7a5747f50de0 cve-2010-2646.patch
+4db553a178f951b857486bcc0955b663 cve-2010-2651.patch
+abfec5aeaa5005279993d731dc919680 cve-2010-2900.patch
+fa980cb721e6a2b43107633dc3782d62 cve-2010-2901.patch
+fc5553d85c14f29128985bddc195782c cve-2010-3115.patch
+b4787ffaac3f102e7bb267839a261496 cve-2010-3116.patch
+b3e21cb4755c6cbab31dbe5063883c04 cve-2010-3120.patch"
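Review bot: The md5sums block is the only integrity control on the tarball and the seven new patch files, and the tarball is fetched over plain http:// (the `source=` line in the second hunk), so nothing on the transport path protects it either. MD5 is collision-prone, so a digest match here is weak evidence that the bytes are the ones the maintainer reviewed; if the abuild in use supports it, record `sha512sums=` for the tarball and the patches alongside or instead of md5sums. The checksum for webkit-1.2.4.tar.gz itself is carried over unchanged, which is consistent with the pkgver not changing.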
diff --git a/main/webkit/cve-2010-2646.patch b/main/webkit/cve-2010-2646.patch
new file mode 100644
index 000000000..40568164c
--- /dev/null
+++ b/main/webkit/cve-2010-2646.patch
@@ -0,0 +1,110 @@
+description: fix cve-2010-2646
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/58873
+Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -54,8 +54,12 @@
+ frames.append(frame);
+ }
+
+- for (unsigned i = 0; i < frames.size(); ++i)
+- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
++ for (unsigned i = 0; i < frames.size(); ++i) {
++ ExceptionCode ec = 0;
++ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
++ if (!ec)
++ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
++ }
+ } else {
+ // Send events to every page.
+ const HashSet<Page*>& pages = page->group().pages();
+Index: webkit-1.2.4/WebCore/page/DOMWindow.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400
+@@ -206,7 +206,7 @@
+
+ #if ENABLE(DOM_STORAGE)
+ // HTML 5 key/value storage
+- Storage* sessionStorage() const;
++ Storage* sessionStorage(ExceptionCode&) const;
+ Storage* localStorage(ExceptionCode&) const;
+ #endif
+
+Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -567,7 +567,7 @@
+ }
+
+ #if ENABLE(DOM_STORAGE)
+-Storage* DOMWindow::sessionStorage() const
++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
+ {
+ if (m_sessionStorage)
+ return m_sessionStorage.get();
+@@ -576,6 +576,11 @@
+ if (!document)
+ return 0;
+
++ if (!document->securityOrigin()->canAccessLocalStorage()) {
++ ec = SECURITY_ERR;
++ return 0;
++ }
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+@@ -593,16 +598,16 @@
+ {
+ if (m_localStorage)
+ return m_localStorage.get();
+-
++
+ Document* document = this->document();
+ if (!document)
+ return 0;
+-
++
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+-
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400
+@@ -120,6 +120,11 @@
+ bool canAccessLocalStorage() const { return !isUnique(); }
+ bool canAccessCookies() const { return !isUnique(); }
+
++ // Technically, we should always allow access to sessionStorage, but we
++ // currently don't handle creating a sessionStorage area for unique
++ // origins.
++ bool canAccessSessionStorage() const { return !isUnique(); }
++
+ bool isSecureTransitionTo(const KURL&) const;
+
+ // The local SecurityOrigin is the most privileged SecurityOrigin.
+Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400
+@@ -164,7 +164,8 @@
+ raises(DOMException);
+ #endif
+ #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
+- readonly attribute [EnabledAtRuntime] Storage sessionStorage;
++ readonly attribute [EnabledAtRuntime] Storage sessionStorage
++ getter raises(DOMException);
+ readonly attribute [EnabledAtRuntime] Storage localStorage
+ getter raises(DOMException);
+ #endif
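Review bot: `DOMWindow::sessionStorage` now gates on `canAccessLocalStorage()` (the new block in the DOMWindow.cpp hunk), while the same patch adds `canAccessSessionStorage()` to SecurityOrigin.h, which nothing visible in this backport calls. Both helpers currently return `!isUnique()`, so behaviour is the same today, but the comment on the new helper says the session-storage rule is expected to diverge, at which point this check would silently follow the wrong predicate; use `if (!document->securityOrigin()->canAccessSessionStorage()) {` in sessionStorage(). The upstream changeset may wire the helper in files not included in this backport, which is worth confirming against the origin link in the patch header.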
diff --git a/main/webkit/cve-2010-2651.patch b/main/webkit/cve-2010-2651.patch
new file mode 100644
index 000000000..09fe1f8c4
--- /dev/null
+++ b/main/webkit/cve-2010-2651.patch
@@ -0,0 +1,38 @@
+description: fix cve-2010-2651
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/59247
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400
+@@ -4651,10 +4651,12 @@
+
+ // Drill into inlines looking for our first text child.
+ RenderObject* currChild = firstLetterBlock->firstChild();
+- while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
++ while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ if (currChild->isFloatingOrPositioned()) {
+- if (currChild->style()->styleType() == FIRST_LETTER)
++ if (currChild->style()->styleType() == FIRST_LETTER) {
++ currChild = currChild->firstChild();
+ break;
++ }
+ currChild = currChild->nextSibling();
+ } else
+ currChild = currChild->firstChild();
+@@ -4671,11 +4673,11 @@
+
+ // If the child already has style, then it has already been created, so we just want
+ // to update it.
+- if (currChild->style()->styleType() == FIRST_LETTER) {
++ if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
+ RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
+- firstLetterContainer->firstLineStyle());
+- currChild->setStyle(pseudo);
+- for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
++ firstLetterContainer->parent()->firstLineStyle());
++ firstLetterContainer->setStyle(pseudo);
++ for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
+ if (genChild->isText())
+ genChild->setStyle(pseudo);
+ }
diff --git a/main/webkit/cve-2010-2900.patch b/main/webkit/cve-2010-2900.patch
new file mode 100644
index 000000000..1420be2a0
--- /dev/null
+++ b/main/webkit/cve-2010-2900.patch
@@ -0,0 +1,29 @@
+description: fix cve-2010-2900
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63219
+Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400
++++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400
+@@ -64,6 +64,9 @@
+ // in exchange for a smaller maximum canvas size.
+ const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels
+
++//In Skia, we will also limit width/height to 32767.
++static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
++
+ HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
+ : HTMLElement(tagName, doc)
+ , m_size(defaultWidth, defaultHeight)
+@@ -293,6 +296,11 @@
+ if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
+ return IntSize();
+
++#if PLATFORM(SKIA)
++ if (wf > MaxSkiaDim || hf > MaxSkiaDim)
++ return IntSize();
++#endif
++
+ return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf));
+ }
+
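Review bot: The added per-dimension bound against `MaxSkiaDim` is compiled only under `#if PLATFORM(SKIA)`, and the GTK+ port built by this APKBUILD uses the cairo backend rather than Skia, so as far as I can tell the patch adds no runtime check for this package; only the existing `MaxCanvasArea` test before it remains. If the oversized-canvas issue also affects the cairo path, the bound would need to be applied unconditionally; otherwise the patch description should state that it is inert on this build so the package's CVE list is not misleading. The enclosing function continues outside the hunk.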
diff --git a/main/webkit/cve-2010-2901.patch b/main/webkit/cve-2010-2901.patch
new file mode 100644
index 000000000..a130342d4
--- /dev/null
+++ b/main/webkit/cve-2010-2901.patch
@@ -0,0 +1,98 @@
+description: fix cve-2010-2901
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63048
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -560,6 +560,19 @@
+ return 0;
+ }
+
++RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
++{
++ RenderObject* curr = const_cast<RenderObject*>(this);
++ while (curr) {
++ if (curr->isBoxModelObject())
++ return toRenderBoxModelObject(curr);
++ curr = curr->parent();
++ }
++
++ ASSERT_NOT_REACHED();
++ return 0;
++}
++
+ RenderBlock* RenderObject::firstLineBlock() const
+ {
+ return 0;
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400
+@@ -193,7 +193,8 @@
+
+ // Convenience function for getting to the nearest enclosing box of a RenderObject.
+ RenderBox* enclosingBox() const;
+-
++ RenderBoxModelObject* enclosingBoxModelObject() const;
++
+ virtual bool isEmpty() const { return firstChild() == 0; }
+
+ #ifndef NDEBUG
+Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400
+@@ -639,11 +639,24 @@
+ // outlines.
+ if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
+ RenderInline* inlineFlow = toRenderInline(renderer());
+- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
++
++ RenderBlock* cb = 0;
++ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
++ if (containingBlockPaintsContinuationOutline) {
++ cb = renderer()->containingBlock()->containingBlock();
++
++ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ containingBlockPaintsContinuationOutline = false;
++ break;
++ }
++ }
++ }
++
++ if (containingBlockPaintsContinuationOutline) {
+ // Add ourselves to the containing block of the entire continuation so that it can
+ // paint us atomically.
+- RenderBlock* block = renderer()->containingBlock()->containingBlock();
+- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
++ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ } else if (!inlineFlow->isInlineContinuation())
+ paintInfo.outlineObjects->add(inlineFlow);
+ }
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -1766,8 +1766,18 @@
+ if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
+ if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
+ RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
+- if (!inlineRenderer->hasSelfPaintingLayer())
+- containingBlock()->addContinuationWithOutline(inlineRenderer);
++ RenderBlock* cb = containingBlock();
++
++ bool inlineEnclosedInSelfPaintingLayer = false;
++ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ inlineEnclosedInSelfPaintingLayer = true;
++ break;
++ }
++ }
++
++ if (!inlineEnclosedInSelfPaintingLayer)
++ cb->addContinuationWithOutline(inlineRenderer);
+ else if (!inlineRenderer->firstLineBox())
+ inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
+ ty - y() + inlineRenderer->containingBlock()->y());
diff --git a/main/webkit/cve-2010-3115.patch b/main/webkit/cve-2010-3115.patch
new file mode 100644
index 000000000..84661767f
--- /dev/null
+++ b/main/webkit/cve-2010-3115.patch
@@ -0,0 +1,16 @@
+description: fix cve-2010-3115
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63925
+Index: webkit-1.2.4/WebCore/page/History.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/History.cpp 2010-09-03 16:12:23.000000000 -0400
++++ webkit-1.2.4/WebCore/page/History.cpp 2010-09-06 22:08:52.000000000 -0400
+@@ -82,7 +82,7 @@
+
+ KURL History::urlForState(const String& urlString)
+ {
+- KURL baseURL = m_frame->loader()->baseURL();
++ KURL baseURL = m_frame->document()->url();
+ if (urlString.isEmpty())
+ return baseURL;
+
diff --git a/main/webkit/cve-2010-3116.patch b/main/webkit/cve-2010-3116.patch
new file mode 100644
index 000000000..73639baeb
--- /dev/null
+++ b/main/webkit/cve-2010-3116.patch
@@ -0,0 +1,17 @@
+description: fix cve-2010-3116
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/64293
+Index: webkit-1.2.4/WebCore/page/Page.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/Page.cpp 2010-09-03 15:18:06.000000000 -0400
++++ webkit-1.2.4/WebCore/page/Page.cpp 2010-09-06 22:11:32.000000000 -0400
+@@ -192,6 +192,9 @@
+ frame->pageDestroyed();
+
+ m_editorClient->pageDestroyed();
++ if (m_pluginData)
++ m_pluginData->disconnectPage();
++
+ #if ENABLE(INSPECTOR)
+ m_inspectorController->inspectedPageDestroyed();
+ #endif
diff --git a/main/webkit/cve-2010-3120.patch b/main/webkit/cve-2010-3120.patch
new file mode 100644
index 000000000..976affc37
--- /dev/null
+++ b/main/webkit/cve-2010-3120.patch
@@ -0,0 +1,27 @@
+description: fix cve-2010-3120
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/65329
+Index: webkit-1.2.4/WebCore/page/Geolocation.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400
++++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400
+@@ -252,6 +252,9 @@
+
+ void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
+ {
++ if (!m_frame)
++ return;
++
+ RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
+ ASSERT(notifier);
+
+@@ -260,6 +263,9 @@
+
+ int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
+ {
++ if (!m_frame)
++ return 0;
++
+ RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
+ ASSERT(notifier);
+