-rw-r--r-- | main/webkit/APKBUILD | 38 | ||||
-rw-r--r-- | main/webkit/cve-2010-2646.patch | 110 | ||||
-rw-r--r-- | main/webkit/cve-2010-2651.patch | 38 | ||||
-rw-r--r-- | main/webkit/cve-2010-2900.patch | 29 | ||||
-rw-r--r-- | main/webkit/cve-2010-2901.patch | 98 | ||||
-rw-r--r-- | main/webkit/cve-2010-3115.patch | 16 | ||||
-rw-r--r-- | main/webkit/cve-2010-3116.patch | 17 | ||||
-rw-r--r-- | main/webkit/cve-2010-3120.patch | 27 |
8 files changed, 368 insertions, 5 deletions
diff --git a/main/webkit/APKBUILD b/main/webkit/APKBUILD
index f8d433254..4eac1ff86 100644
--- a/main/webkit/APKBUILD
+++ b/main/webkit/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=webkit
 pkgver=1.2.4
-pkgrel=0
+pkgrel=1
 pkgdesc="portable web rendering engine WebKit for GTK+"
 url="http://webkitgtk.org/"
 license="LGPL BSD"
@@ -16,12 +16,33 @@ makedepends="
 "
 install=
 subpackages="$pkgname-dev gtklauncher"
-source="http://webkitgtk.org/$pkgname-$pkgver.tar.gz"
+source="http://webkitgtk.org/$pkgname-$pkgver.tar.gz
+ cve-2010-2646.patch
+ cve-2010-2651.patch
+ cve-2010-2900.patch
+ cve-2010-2901.patch
+ cve-2010-3115.patch
+ cve-2010-3116.patch
+ cve-2010-3120.patch
+ "
 depends_dev="gtk+-dev libsoup-dev gstreamer-dev"
+_builddir="$srcdir"/$pkgname-$pkgver
+
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case "$i" in
+ *.patch)
+ msg "Applying $i"
+ patch -p1 -i "$srcdir"/$i || return 1
+ ;;
+ esac
+ done
+}
 build() {
- cd "$srcdir"/$pkgname-$pkgver
+ cd "$_builddir"
 ./configure --prefix=/usr \
 --sysconfdir=/etc \
 --mandir=/usr/share/man \
@@ -30,7 +51,7 @@ build() {
 }
 package() {
- cd "$srcdir"/$pkgname-$pkgver
+ cd "$_builddir"
 make DESTDIR="$pkgdir" install
 }
@@ -42,4 +63,11 @@ gtklauncher() {
 "$subpkgdir"/usr/bin/GtkLauncher
 }
-md5sums="dc3a92dd0e8c2e70263fbfdf809b51a5 webkit-1.2.4.tar.gz"
+md5sums="dc3a92dd0e8c2e70263fbfdf809b51a5 webkit-1.2.4.tar.gz
+3d2c4af2fa46388876de7a5747f50de0 cve-2010-2646.patch
+4db553a178f951b857486bcc0955b663 cve-2010-2651.patch
+abfec5aeaa5005279993d731dc919680 cve-2010-2900.patch
+fa980cb721e6a2b43107633dc3782d62 cve-2010-2901.patch
+fc5553d85c14f29128985bddc195782c cve-2010-3115.patch
+b4787ffaac3f102e7bb267839a261496 cve-2010-3116.patch
+b3e21cb4755c6cbab31dbe5063883c04 cve-2010-3120.patch"
diff --git a/main/webkit/cve-2010-2646.patch b/main/webkit/cve-2010-2646.patch
new file mode 100644
index 000000000..40568164c
--- /dev/null
+++ b/main/webkit/cve-2010-2646.patch
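Review bot: In the new `prepare()` loop of the `@@ -16,12 +16,33 @@` hunk, `$i` is left unquoted in `patch -p1 -i "$srcdir"/$i || return 1`, while `$srcdir` and `$_builddir` are quoted; writing it as `patch -p1 -i "$srcdir/$i" || return 1` keeps the quoting consistent. The loop depends on word-splitting of `$source` to find the `*.patch` entries, which deserves a one-line comment such as `# apply every *.patch listed in $source, in order`. The `|| return 1` should stay, since a security patch that fails to apply ought to stop the build.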
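Review bot: The extended `md5sums` block in the `@@ -42,4 +63,11 @@` hunk is the only integrity check visible for the tarball that `source` fetches over plain `http://`, and MD5 is not collision-resistant. If the abuild version in use accepts a stronger checksum array, add it next to `md5sums`; otherwise a comment recording how the tarball hash was verified would help the next maintainer. The seven patch files live in the repository itself, so the concern is mainly the downloaded tarball.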
@@ -0,0 +1,110 @@
+description: fix cve-2010-2646
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/58873
+Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -54,8 +54,12 @@
+ frames.append(frame);
+ }
+
+- for (unsigned i = 0; i < frames.size(); ++i)
+- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
++ for (unsigned i = 0; i < frames.size(); ++i) {
++ ExceptionCode ec = 0;
++ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
++ if (!ec)
++ frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
++ }
+ } else {
+ // Send events to every page.
+ const HashSet<Page*>& pages = page->group().pages();
+Index: webkit-1.2.4/WebCore/page/DOMWindow.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-07 01:14:42.000000000 -0400
+@@ -206,7 +206,7 @@
+
+ #if ENABLE(DOM_STORAGE)
+ // HTML 5 key/value storage
+- Storage* sessionStorage() const;
++ Storage* sessionStorage(ExceptionCode&) const;
+ Storage* localStorage(ExceptionCode&) const;
+ #endif
+
+Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-07 01:14:42.000000000 -0400
+@@ -567,7 +567,7 @@
+ }
+
+ #if ENABLE(DOM_STORAGE)
+-Storage* DOMWindow::sessionStorage() const
++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
+ {
+ if (m_sessionStorage)
+ return m_sessionStorage.get();
+@@ -576,6 +576,11 @@
+ if (!document)
+ return 0;
+
++ if (!document->securityOrigin()->canAccessLocalStorage()) {
++ ec = SECURITY_ERR;
++ return 0;
++ }
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+@@ -593,16 +598,16 @@
+ {
+ if (m_localStorage)
+ return m_localStorage.get();
+-
++
+ Document* document = this->document();
+ if (!document)
+ return 0;
+-
++
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+-
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-07 01:13:45.000000000 -0400
++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-07 01:14:42.000000000 -0400
+@@ -120,6 +120,11 @@
+ bool canAccessLocalStorage() const { return !isUnique(); }
+ bool canAccessCookies() const { return !isUnique(); }
+
++ // Technically, we should always allow access to sessionStorage, but we
++ // currently don't handle creating a sessionStorage area for unique
++ // origins.
++ bool canAccessSessionStorage() const { return !isUnique(); }
++
+ bool isSecureTransitionTo(const KURL&) const;
+
+ // The local SecurityOrigin is the most privileged SecurityOrigin.
+Index: webkit-1.2.4/WebCore/page/DOMWindow.idl
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.idl 2010-09-07 01:14:36.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.idl 2010-09-07 01:14:42.000000000 -0400
+@@ -164,7 +164,8 @@
+ raises(DOMException);
+ #endif
+ #if defined(ENABLE_DOM_STORAGE) && ENABLE_DOM_STORAGE
+- readonly attribute [EnabledAtRuntime] Storage sessionStorage;
++ readonly attribute [EnabledAtRuntime] Storage sessionStorage
++ getter raises(DOMException);
+ readonly attribute [EnabledAtRuntime] Storage localStorage
+ getter raises(DOMException);
+ #endif
diff --git a/main/webkit/cve-2010-2651.patch b/main/webkit/cve-2010-2651.patch
new file mode 100644
index 000000000..09fe1f8c4
--- /dev/null
+++ b/main/webkit/cve-2010-2651.patch
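Review bot: `DOMWindow::sessionStorage()` guards on `canAccessLocalStorage()` in the `@@ -576,6 +576,11 @@` hunk of cve-2010-2646.patch, while the `SecurityOrigin.h` hunk adds a dedicated `canAccessSessionStorage()` that nothing in this patch calls. Both predicates currently return `!isUnique()`, so behaviour is the same today, but the two would diverge silently if either were changed later. Using the new predicate, `if (!document->securityOrigin()->canAccessSessionStorage()) {`, makes the check match the comment added above the accessor; otherwise the unused accessor should be dropped. The body of `sessionStorage()` continues outside the hunk.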
@@ -0,0 +1,38 @@
+description: fix cve-2010-2651
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/59247
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 21:50:51.000000000 -0400
+@@ -4651,10 +4651,12 @@
+
+ // Drill into inlines looking for our first text child.
+ RenderObject* currChild = firstLetterBlock->firstChild();
+- while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
++ while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ if (currChild->isFloatingOrPositioned()) {
+- if (currChild->style()->styleType() == FIRST_LETTER)
++ if (currChild->style()->styleType() == FIRST_LETTER) {
++ currChild = currChild->firstChild();
+ break;
++ }
+ currChild = currChild->nextSibling();
+ } else
+ currChild = currChild->firstChild();
+@@ -4671,11 +4673,11 @@
+
+ // If the child already has style, then it has already been created, so we just want
+ // to update it.
+- if (currChild->style()->styleType() == FIRST_LETTER) {
++ if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
+ RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
+- firstLetterContainer->firstLineStyle());
+- currChild->setStyle(pseudo);
+- for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
++ firstLetterContainer->parent()->firstLineStyle());
++ firstLetterContainer->setStyle(pseudo);
++ for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
+ if (genChild->isText())
+ genChild->setStyle(pseudo);
+ }
diff --git a/main/webkit/cve-2010-2900.patch b/main/webkit/cve-2010-2900.patch
new file mode 100644
index 000000000..1420be2a0
--- /dev/null
+++ b/main/webkit/cve-2010-2900.patch
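Review bot: After the added `currChild = currChild->firstChild();` in cve-2010-2651.patch the loop breaks immediately, so `currChild` can be null on exit when the `FIRST_LETTER` float has no children, and the second hunk then calls `firstLetterContainer->parent()->firstLineStyle()` with no visible check on `parent()`. The lines between the two hunks, where `firstLetterContainer` is presumably derived from `currChild`, are not shown, so confirm that a null test follows the loop. The patch header says only "fix cve-2010-2651"; a sentence there, or a comment above the loop, stating why `needsLayout()` was removed from the condition would let a later backporter judge whether the fix still applies.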
@@ -0,0 +1,29 @@
+description: fix cve-2010-2900
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63219
+Index: webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:28:56.000000000 -0400
++++ webkit-1.2.4/WebCore/html/HTMLCanvasElement.cpp 2010-09-06 22:29:28.000000000 -0400
+@@ -64,6 +64,9 @@
+ // in exchange for a smaller maximum canvas size.
+ const float HTMLCanvasElement::MaxCanvasArea = 32768 * 8192; // Maximum canvas area in CSS pixels
+
++//In Skia, we will also limit width/height to 32767.
++static const float MaxSkiaDim = 32767.0F; // Maximum width/height in CSS pixels.
++
+ HTMLCanvasElement::HTMLCanvasElement(const QualifiedName& tagName, Document* doc)
+ : HTMLElement(tagName, doc)
+ , m_size(defaultWidth, defaultHeight)
+@@ -293,6 +296,11 @@
+ if (!(wf >= 1 && hf >= 1 && wf * hf <= MaxCanvasArea))
+ return IntSize();
+
++#if PLATFORM(SKIA)
++ if (wf > MaxSkiaDim || hf > MaxSkiaDim)
++ return IntSize();
++#endif
++
+ return IntSize(static_cast<unsigned>(wf), static_cast<unsigned>(hf));
+ }
+
diff --git a/main/webkit/cve-2010-2901.patch b/main/webkit/cve-2010-2901.patch
new file mode 100644
index 000000000..a130342d4
--- /dev/null
+++ b/main/webkit/cve-2010-2901.patch
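Review bot: The new width/height bound in cve-2010-2900.patch is compiled only under `#if PLATFORM(SKIA)`, so on a build that does not use Skia the patch changes no behaviour. WebKitGTK normally renders through Cairo, so it is worth confirming that the CVE is actually addressed for this package rather than only recorded as patched. `MaxSkiaDim` is also defined unconditionally and is unused when the guard is compiled out, which can raise an unused-variable warning; wrapping its definition in the same `#if PLATFORM(SKIA)` / `#endif` avoids that. The function containing the check starts outside the hunk.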
@@ -0,0 +1,98 @@
+description: fix cve-2010-2901
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63048
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -560,6 +560,19 @@
+ return 0;
+ }
+
++RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
++{
++ RenderObject* curr = const_cast<RenderObject*>(this);
++ while (curr) {
++ if (curr->isBoxModelObject())
++ return toRenderBoxModelObject(curr);
++ curr = curr->parent();
++ }
++
++ ASSERT_NOT_REACHED();
++ return 0;
++}
++
+ RenderBlock* RenderObject::firstLineBlock() const
+ {
+ return 0;
+Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400
+@@ -193,7 +193,8 @@
+
+ // Convenience function for getting to the nearest enclosing box of a RenderObject.
+ RenderBox* enclosingBox() const;
+-
++ RenderBoxModelObject* enclosingBoxModelObject() const;
++
+ virtual bool isEmpty() const { return firstChild() == 0; }
+
+ #ifndef NDEBUG
+Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400
+@@ -639,11 +639,24 @@
+ // outlines.
+ if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
+ RenderInline* inlineFlow = toRenderInline(renderer());
+- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
++
++ RenderBlock* cb = 0;
++ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
++ if (containingBlockPaintsContinuationOutline) {
++ cb = renderer()->containingBlock()->containingBlock();
++
++ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ containingBlockPaintsContinuationOutline = false;
++ break;
++ }
++ }
++ }
++
++ if (containingBlockPaintsContinuationOutline) {
+ // Add ourselves to the containing block of the entire continuation so that it can
+ // paint us atomically.
+- RenderBlock* block = renderer()->containingBlock()->containingBlock();
+- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
++ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ } else if (!inlineFlow->isInlineContinuation())
+ paintInfo.outlineObjects->add(inlineFlow);
+ }
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400
+@@ -1766,8 +1766,18 @@
+ if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
+ if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
+ RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
+- if (!inlineRenderer->hasSelfPaintingLayer())
+- containingBlock()->addContinuationWithOutline(inlineRenderer);
++ RenderBlock* cb = containingBlock();
++
++ bool inlineEnclosedInSelfPaintingLayer = false;
++ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
++ if (box->hasSelfPaintingLayer()) {
++ inlineEnclosedInSelfPaintingLayer = true;
++ break;
++ }
++ }
++
++ if (!inlineEnclosedInSelfPaintingLayer)
++ cb->addContinuationWithOutline(inlineRenderer);
+ else if (!inlineRenderer->firstLineBox())
+ inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
+ ty - y() + inlineRenderer->containingBlock()->y());
diff --git a/main/webkit/cve-2010-3115.patch b/main/webkit/cve-2010-3115.patch
new file mode 100644
index 000000000..84661767f
--- /dev/null
+++ b/main/webkit/cve-2010-3115.patch
@@ -0,0 +1,16 @@
+description: fix cve-2010-3115
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/63925
+Index: webkit-1.2.4/WebCore/page/History.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/History.cpp 2010-09-03 16:12:23.000000000 -0400
++++ webkit-1.2.4/WebCore/page/History.cpp 2010-09-06 22:08:52.000000000 -0400
+@@ -82,7 +82,7 @@
+
+ KURL History::urlForState(const String& urlString)
+ {
+- KURL baseURL = m_frame->loader()->baseURL();
++ KURL baseURL = m_frame->document()->url();
+ if (urlString.isEmpty())
+ return baseURL;
+
diff --git a/main/webkit/cve-2010-3116.patch b/main/webkit/cve-2010-3116.patch
new file mode 100644
index 000000000..73639baeb
--- /dev/null
+++ b/main/webkit/cve-2010-3116.patch
@@ -0,0 +1,17 @@
+description: fix cve-2010-3116
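Review bot: Both new ancestor walks in cve-2010-2901.patch stop only on `box != cb`, yet `enclosingBoxModelObject()` returns 0 once `ASSERT_NOT_REACHED()` is compiled out, so a walk that never meets `cb` dereferences a null `box` at the next `box->hasSelfPaintingLayer()`. Adding the null test to each loop condition, `box && box != cb`, in the `InlineFlowBox.cpp` and `RenderBlock.cpp` hunks keeps a release build from crashing there. `box->parent()` is also dereferenced unchecked in the loop increment, and `renderer()->containingBlock()->containingBlock()` was already unchecked before this change. The enclosing paint functions start outside the hunks.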
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/64293
+Index: webkit-1.2.4/WebCore/page/Page.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/Page.cpp 2010-09-03 15:18:06.000000000 -0400
++++ webkit-1.2.4/WebCore/page/Page.cpp 2010-09-06 22:11:32.000000000 -0400
+@@ -192,6 +192,9 @@
+ frame->pageDestroyed();
+
+ m_editorClient->pageDestroyed();
++ if (m_pluginData)
++ m_pluginData->disconnectPage();
++
+ #if ENABLE(INSPECTOR)
+ m_inspectorController->inspectedPageDestroyed();
+ #endif
diff --git a/main/webkit/cve-2010-3120.patch b/main/webkit/cve-2010-3120.patch
new file mode 100644
index 000000000..976affc37
--- /dev/null
+++ b/main/webkit/cve-2010-3120.patch
@@ -0,0 +1,27 @@
+description: fix cve-2010-3120
+author: Michael Gilbert <michael.s.gilbert@gmail.com>
+origin: http://trac.webkit.org/changeset/65329
+Index: webkit-1.2.4/WebCore/page/Geolocation.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/Geolocation.cpp 2010-09-03 15:18:06.000000000 -0400
++++ webkit-1.2.4/WebCore/page/Geolocation.cpp 2010-09-06 22:14:03.000000000 -0400
+@@ -252,6 +252,9 @@
+
+ void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
+ {
++ if (!m_frame)
++ return;
++
+ RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
+ ASSERT(notifier);
+
+@@ -260,6 +263,9 @@
+
+ int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
+ {
++ if (!m_frame)
++ return 0;
++
+ RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
+ ASSERT(notifier);
+ |
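Review bot: When `m_frame` is null in cve-2010-3120.patch, `watchPosition()` now returns 0 and `getCurrentPosition()` returns without invoking `errorCallback`, and neither early return says why. Whether 0 can collide with a real watch id depends on how ids are allocated, which is outside the hunk; if ids start at 1, a comment on the `return 0;` such as `// 0 is never a valid watch id; the frame is gone, so the request is ignored.` would make that contract explicit. Both function bodies continue outside the hunk.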