[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 735 * Fixed CVE-2011-1290: Integer overflow in style elements

Giuseppe Iuculano iuculano at debian.org
Fri Mar 11 13:01:20 UTC 2011


Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 735
Revision Id: iuculano at debian.org-20110311130120-2g4rrj2cj1bxldus
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : * Fixed CVE-2011-1290: Integer overflow in style elements
* Removed mips from arch to avoid flood of given-back build log


--------------------------------------------------------
  ** Added :
        - debian/patches/75712.patch

  ** Modified :
        - debian/changelog
        - debian/control
        - debian/patches/series

=== modified file 'debian/changelog'
--- a/debian/changelog	2011-03-11 12:41:03 +0000
+++ b/debian/changelog	2011-03-11 13:01:20 +0000
@@ -3,8 +3,10 @@
   * Fixed CVE-2011-0779: does not properly handle a missing key in an extension,
     which allows remote attackers to cause a denial of service
    (application crash) via a crafted extension.
+  * Fixed CVE-2011-1290: Integer overflow in style elements
+  * Removed mips from arch to avoid flood of given-back build log
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Mar 2011 13:39:25 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 11 Mar 2011 13:56:22 +0100
 
 chromium-browser (6.0.472.63~r59945-5+squeeze3) stable-security; urgency=low
 

=== modified file 'debian/control'
--- a/debian/control	2010-09-01 13:38:33 +0000
+++ b/debian/control	2011-03-11 13:01:20 +0000
@@ -62,7 +62,7 @@
 Standards-Version: 3.9.0
 
 Package: chromium-browser
-Architecture: i386 amd64 armel mips
+Architecture: i386 amd64 armel
 Depends: ${shlibs:Depends}, ${misc:Depends},
 	libnss3-1d (>= 3.12.3),
 	xdg-utils,
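Review bot: dropping `mips` from `Architecture` in an upload targeted at `stable-security` (see the changelog hunk above) means existing mips installs of chromium-browser no longer receive this or later security fixes from this package; the changelog entry only cites the given-back build logs, so that consequence should be stated there (or the removal split into a separate, non-security upload).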
@@ -82,7 +82,7 @@
  This package contains the Chromium browser
 
 Package: chromium-browser-dbg
-Architecture: i386 amd64 armel mips
+Architecture: i386 amd64 armel
 Section: debug
 Priority: extra
 Depends: ${shlibs:Depends}, ${misc:Depends}, chromium-browser (= ${binary:Version})

=== added file 'debian/patches/75712.patch'
--- a/debian/patches/75712.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/75712.patch	2011-03-11 13:01:20 +0000
@@ -0,0 +1,17 @@
+--- a/src/third_party/WebKit/WebCore/dom/StyleElement.cpp
++++ b/src/third_party/WebKit/WebCore/dom/StyleElement.cpp
+@@ -64,8 +64,12 @@ void StyleElement::process(Element* e, i
+     unsigned resultLength = 0;
+     for (Node* c = e->firstChild(); c; c = c->nextSibling()) {
+         Node::NodeType nodeType = c->nodeType();
+-        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE)
+-            resultLength += c->nodeValue().length();
++        if (nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE || nodeType == Node::COMMENT_NODE) {
++	    unsigned length = c->nodeValue().length();
++	    if (length > std::numeric_limits<unsigned>::max() - resultLength)
++		CRASH();
++	    resultLength += length;
++	}
+     }
+     UChar* text;
+     String sheetText = String::createUninitialized(resultLength, text);
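Review bot: the added check `if (length > std::numeric_limits<unsigned>::max() - resultLength)` is the right condition to reject an unsigned wrap before `resultLength` reaches `String::createUninitialized`, but the hunk adds no `#include <limits>`; confirm StyleElement.cpp already gets it transitively, otherwise the backport fails to build exactly on this line. Two smaller points: the new lines are tab-indented while the surrounding context uses four spaces, and the patch file carries no DEP-3 header (Origin, Bug, Description) tying it to the upstream revision and CVE-2011-1290, which makes later rebases harder to audit.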

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-03-11 12:41:03 +0000
+++ b/debian/patches/series	2011-03-11 13:01:20 +0000
@@ -72,3 +72,4 @@
 72028.patch
 73746.patch
 62791.patch
+75712.patch
