[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:32 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 57952a2f6e1d8529c6c9350c2fa7ee45763b065c
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:47:10 2010 -0400
fix cve-2010-1664
diff --git a/WebCore/dom/make_names.pl b/WebCore/dom/make_names.pl
index 2d92a05..67cf340 100755
--- a/WebCore/dom/make_names.pl
+++ b/WebCore/dom/make_names.pl
@@ -287,8 +287,10 @@ sub printConstructorInterior
# Handle media elements.
if ($tags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
print F <<END
- if (!MediaPlayer::isAvailable())
+ Settings* settings = document->settings();
+ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
return HTMLElement::create($constructorTagName, document);
+
END
;
}
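Review bot: The added condition in the media heredoc, `settings && !settings->isMediaEnabled()`, treats a null `Settings` as media-enabled, so a document whose `settings()` returns null still gets the full media element; the same open-on-null shape is repeated in the JS wrapper hunk (`@@ -839`) and the V8 wrapper hunk (`@@ -857`). If a document reaching this constructor is known to always have settings, a one-line comment in the heredoc stating that would make the fail-open deliberate; otherwise the fail-closed form is `if (!MediaPlayer::isAvailable() || !settings || !settings->isMediaEnabled())`. printConstructorInterior starts and ends outside the hunk.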
@@ -638,7 +640,7 @@ printElementIncludes($F);
print F <<END
#include <wtf/HashMap.h>
-#if ENABLE(DASHBOARD_SUPPORT)
+#if ENABLE(DASHBOARD_SUPPORT) || ENABLE(VIDEO)
#include "Document.h"
#include "Settings.h"
#endif
@@ -839,7 +841,8 @@ sub printWrapperFunctions
print F <<END
static JSNode* create${JSInterfaceName}Wrapper(ExecState* exec, JSDOMGlobalObject* globalObject, PassRefPtr<$parameters{namespace}Element> element)
{
- if (!MediaPlayer::isAvailable())
+ Settings* settings = element->document()->settings();
+ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
return CREATE_DOM_NODE_WRAPPER(exec, globalObject, $parameters{namespace}Element, element.get());
return CREATE_DOM_NODE_WRAPPER(exec, globalObject, ${JSInterfaceName}, element.get());
}
@@ -857,14 +860,29 @@ END
;
}
} elsif ($wrapperFactoryType eq "V8") {
+ if ($tags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
+ print F <<END
+static v8::Handle<v8::Value> create${JSInterfaceName}Wrapper($parameters{namespace}Element* element)
+{
+ Settings* settings = element->document()->settings();
+ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
+ return toV8(static_cast<$parameters{namespace}Element*>(element));
+ return toV8(static_cast<${JSInterfaceName}*>(element));
+}
+
+END
+;
+ } else {
print F <<END
static v8::Handle<v8::Value> create${JSInterfaceName}Wrapper($parameters{namespace}Element* element)
{
return toV8(static_cast<${JSInterfaceName}*>(element));
}
+
END
;
+ }
}
if ($conditional) {
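Review bot: The two V8 heredocs differ only in the two guard lines, so the generated wrapper signature and the `toV8` fallback are now written out twice and can drift apart. Hoisting the guard into a Perl variable that is empty for non-media tags and emitting a single heredoc would keep the signature in one place, matching how the JS branch handles the same condition. The V8 variant also reads `element->document()->settings()` without a `#if ENABLE(VIDEO)` of its own; it appears to rely on the `$conditional` wrapper and on the include added in the `@@ -895` hunk, which is worth a comment. printWrapperFunctions starts and ends outside the hunk.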
@@ -895,7 +913,16 @@ sub printWrapperFactoryCppFile
printElementIncludes($F);
- print F "\n#include <wtf/StdLibExtras.h>\n\n";
+ print F <<END
+#include <wtf/StdLibExtras.h>
+
+#if ENABLE(VIDEO)
+#include "Document.h"
+#include "Settings.h"
+#endif
+
+END
+;
if ($wrapperFactoryType eq "JS") {
print F <<END
diff --git a/WebCore/page/Settings.cpp b/WebCore/page/Settings.cpp
index d60de12..18d310a 100644
--- a/WebCore/page/Settings.cpp
+++ b/WebCore/page/Settings.cpp
@@ -72,6 +72,7 @@ Settings::Settings(Page* page)
, m_privateBrowsingEnabled(false)
, m_caretBrowsingEnabled(false)
, m_areImagesEnabled(true)
+ , m_isMediaEnabled(true)
, m_arePluginsEnabled(false)
, m_localStorageEnabled(false)
, m_isJavaScriptEnabled(false)
@@ -263,6 +264,11 @@ void Settings::setImagesEnabled(bool areImagesEnabled)
m_areImagesEnabled = areImagesEnabled;
}
+void Settings::setMediaEnabled(bool isMediaEnabled)
+{
+ m_isMediaEnabled = isMediaEnabled;
+}
+
void Settings::setPluginsEnabled(bool arePluginsEnabled)
{
m_arePluginsEnabled = arePluginsEnabled;
diff --git a/WebCore/page/Settings.h b/WebCore/page/Settings.h
index 20cd847..6ca7d41 100644
--- a/WebCore/page/Settings.h
+++ b/WebCore/page/Settings.h
@@ -134,6 +134,9 @@ namespace WebCore {
void setImagesEnabled(bool);
bool areImagesEnabled() const { return m_areImagesEnabled; }
+ void setMediaEnabled(bool);
+ bool isMediaEnabled() const { return m_isMediaEnabled; }
+
void setPluginsEnabled(bool);
bool arePluginsEnabled() const { return m_arePluginsEnabled; }
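Review bot: The new `setMediaEnabled`/`isMediaEnabled` pair has no comment on what it gates, and its effect lives in generated code that a reader of Settings.h will not see. A comment above `void setMediaEnabled(bool);` such as `// When false, tags flagged wrapperOnlyIfMediaIsAvailable are created as plain HTMLElements; defaults to true.` would tie the flag to its consumer. The enclosing class and namespace start outside the hunk.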
@@ -326,6 +329,7 @@ namespace WebCore {
bool m_privateBrowsingEnabled : 1;
bool m_caretBrowsingEnabled : 1;
bool m_areImagesEnabled : 1;
+ bool m_isMediaEnabled : 1;
bool m_arePluginsEnabled : 1;
bool m_localStorageEnabled : 1;
bool m_isJavaScriptEnabled : 1;
diff --git a/WebCore/svg/graphics/SVGImage.cpp b/WebCore/svg/graphics/SVGImage.cpp
index 86862c3..e5e13b5 100644
--- a/WebCore/svg/graphics/SVGImage.cpp
+++ b/WebCore/svg/graphics/SVGImage.cpp
@@ -247,6 +247,7 @@ bool SVGImage::dataChanged(bool allDataReceived)
// The comment said that the Cache code does not know about CachedImages
// holding Frames and won't know to break the cycle. But
m_page.set(new Page(m_chromeClient.get(), dummyContextMenuClient, dummyEditorClient, dummyDragClient, dummyInspectorClient, 0, 0));
+ m_page->settings()->setMediaEnabled(false);
m_page->settings()->setJavaScriptEnabled(false);
m_page->settings()->setPluginsEnabled(false);
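Review bot: The added `setMediaEnabled(false)` carries no comment on why an SVG image's private page must not instantiate media elements, whereas the intent will not be obvious once the changelog entry is out of sight. Suggest `// Media elements must not be created inside an SVG image document (cve-2010-1664).` on the line above the call. Note that the protection is opt-out per Page: the Settings default stays true, so any other Page created for embedded untrusted content is only covered if it makes the same call. SVGImage::dataChanged starts and ends outside the hunk.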
diff --git a/debian/changelog b/debian/changelog
index 9e3fa61..fdb0fcd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Fix cve-2010-1422: keyboard focus hijack.
* Fix cve-2010-1501: add check to prevent cross-site request forgery (this
may be duplicated as cve-2010-1767 in mitre's cve database).
+ * Fix cve-2010-1664: possible code execution due to improper html5 media
+ handling.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1664.patch b/debian/patches/cve-2010-1664.patch
new file mode 100644
index 0000000..e5c3ce9
--- /dev/null
+++ b/debian/patches/cve-2010-1664.patch
@@ -0,0 +1,144 @@
+description: fix cve-2010-1664
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/57922
+Index: webkit-1.2.1/WebCore/dom/make_names.pl
+===================================================================
+--- webkit-1.2.1.orig/WebCore/dom/make_names.pl 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/dom/make_names.pl 2010-06-28 21:46:05.000000000 -0400
+@@ -287,8 +287,10 @@
+ # Handle media elements.
+ if ($tags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
+ print F <<END
+- if (!MediaPlayer::isAvailable())
++ Settings* settings = document->settings();
++ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
+ return HTMLElement::create($constructorTagName, document);
++
+ END
+ ;
+ }
+@@ -638,7 +640,7 @@
+ print F <<END
+ #include <wtf/HashMap.h>
+
+-#if ENABLE(DASHBOARD_SUPPORT)
++#if ENABLE(DASHBOARD_SUPPORT) || ENABLE(VIDEO)
+ #include "Document.h"
+ #include "Settings.h"
+ #endif
+@@ -839,7 +841,8 @@
+ print F <<END
+ static JSNode* create${JSInterfaceName}Wrapper(ExecState* exec, JSDOMGlobalObject* globalObject, PassRefPtr<$parameters{namespace}Element> element)
+ {
+- if (!MediaPlayer::isAvailable())
++ Settings* settings = element->document()->settings();
++ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
+ return CREATE_DOM_NODE_WRAPPER(exec, globalObject, $parameters{namespace}Element, element.get());
+ return CREATE_DOM_NODE_WRAPPER(exec, globalObject, ${JSInterfaceName}, element.get());
+ }
+@@ -857,14 +860,29 @@
+ ;
+ }
+ } elsif ($wrapperFactoryType eq "V8") {
++ if ($tags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
++ print F <<END
++static v8::Handle<v8::Value> create${JSInterfaceName}Wrapper($parameters{namespace}Element* element)
++{
++ Settings* settings = element->document()->settings();
++ if (!MediaPlayer::isAvailable() || (settings && !settings->isMediaEnabled()))
++ return toV8(static_cast<$parameters{namespace}Element*>(element));
++ return toV8(static_cast<${JSInterfaceName}*>(element));
++}
++
++END
++;
++ } else {
+ print F <<END
+ static v8::Handle<v8::Value> create${JSInterfaceName}Wrapper($parameters{namespace}Element* element)
+ {
+ return toV8(static_cast<${JSInterfaceName}*>(element));
+ }
+
++
+ END
+ ;
++ }
+ }
+
+ if ($conditional) {
+@@ -895,7 +913,16 @@
+
+ printElementIncludes($F);
+
+- print F "\n#include <wtf/StdLibExtras.h>\n\n";
++ print F <<END
++#include <wtf/StdLibExtras.h>
++
++#if ENABLE(VIDEO)
++#include "Document.h"
++#include "Settings.h"
++#endif
++
++END
++;
+
+ if ($wrapperFactoryType eq "JS") {
+ print F <<END
+Index: webkit-1.2.1/WebCore/page/Settings.h
+===================================================================
+--- webkit-1.2.1.orig/WebCore/page/Settings.h 2010-06-28 21:36:35.000000000 -0400
++++ webkit-1.2.1/WebCore/page/Settings.h 2010-06-28 21:45:46.000000000 -0400
+@@ -134,6 +134,9 @@
+ void setImagesEnabled(bool);
+ bool areImagesEnabled() const { return m_areImagesEnabled; }
+
++ void setMediaEnabled(bool);
++ bool isMediaEnabled() const { return m_isMediaEnabled; }
++
+ void setPluginsEnabled(bool);
+ bool arePluginsEnabled() const { return m_arePluginsEnabled; }
+
+@@ -326,6 +329,7 @@
+ bool m_privateBrowsingEnabled : 1;
+ bool m_caretBrowsingEnabled : 1;
+ bool m_areImagesEnabled : 1;
++ bool m_isMediaEnabled : 1;
+ bool m_arePluginsEnabled : 1;
+ bool m_localStorageEnabled : 1;
+ bool m_isJavaScriptEnabled : 1;
+Index: webkit-1.2.1/WebCore/page/Settings.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/page/Settings.cpp 2010-06-28 21:36:35.000000000 -0400
++++ webkit-1.2.1/WebCore/page/Settings.cpp 2010-06-28 21:45:46.000000000 -0400
+@@ -72,6 +72,7 @@
+ , m_privateBrowsingEnabled(false)
+ , m_caretBrowsingEnabled(false)
+ , m_areImagesEnabled(true)
++ , m_isMediaEnabled(true)
+ , m_arePluginsEnabled(false)
+ , m_localStorageEnabled(false)
+ , m_isJavaScriptEnabled(false)
+@@ -263,6 +264,11 @@
+ m_areImagesEnabled = areImagesEnabled;
+ }
+
++void Settings::setMediaEnabled(bool isMediaEnabled)
++{
++ m_isMediaEnabled = isMediaEnabled;
++}
++
+ void Settings::setPluginsEnabled(bool arePluginsEnabled)
+ {
+ m_arePluginsEnabled = arePluginsEnabled;
+Index: webkit-1.2.1/WebCore/svg/graphics/SVGImage.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/svg/graphics/SVGImage.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/svg/graphics/SVGImage.cpp 2010-06-28 21:45:46.000000000 -0400
+@@ -247,6 +247,7 @@
+ // The comment said that the Cache code does not know about CachedImages
+ // holding Frames and won't know to break the cycle. But
+ m_page.set(new Page(m_chromeClient.get(), dummyContextMenuClient, dummyEditorClient, dummyDragClient, dummyInspectorClient, 0, 0));
++ m_page->settings()->setMediaEnabled(false);
+ m_page->settings()->setJavaScriptEnabled(false);
+ m_page->settings()->setPluginsEnabled(false);
+
diff --git a/debian/patches/series b/debian/patches/series
index 325c2ed..e30cb0f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ cve-2010-1418-part3.patch
cve-2010-1422.patch
cve-2010-1421.patch
cve-2010-1501+1767.patch
+cve-2010-1664.patch
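Review bot: The commit edits the WebCore/ sources directly and also registers cve-2010-1664.patch, which carries the identical hunks, in debian/patches/series. If this branch holds the unpatched upstream tree, quilt will fail to apply the patch at build time because its changes are already present; if the branch is meant to track the patches-applied state, that should be confirmed against the packaging workflow so only one of the two representations is authoritative. Either way a one-line comment in the patch header stating which tree it applies to would avoid the ambiguity.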