[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:09 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit c8c16ebd6e1c5d8745b1871ef7a5584de54915bb
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 20:59:53 2010 -0400
fix cve-2010-1392
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index 5e788a4..4a7363d 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -4639,7 +4639,7 @@ void RenderBlock::updateFirstLetter()
// Drill into inlines looking for our first text child.
RenderObject* currChild = firstLetterBlock->firstChild();
- while (currChild && currChild->needsLayout() && (!currChild->isReplaced() || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
if (currChild->isFloatingOrPositioned()) {
if (currChild->style()->styleType() == FIRST_LETTER)
break;
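Review bot: The widened `while` condition excludes exactly two renderer types, `isRenderButton()` and `isMenuList()`, and nothing in the hunk says why those two or whether the list is complete. Because this is a per-type exclusion, any other renderer with the same property would still be descended into, so it is worth confirming against the upstream changeset that these are the only cases. The condition is also hard to read at this length; a comment above the loop such as `// Never drill into buttons or menu lists when looking for the first-letter text (cve-2010-1392).` would record the intent. `updateFirstLetter()` starts and ends outside this hunk, so how `currChild` is used after the loop cannot be checked from here.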
diff --git a/debian/changelog b/debian/changelog
index 5801793..ce32011 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Use system libtool.
* Turn direct source changes into a patch.
* Fix cve-2010-1368: geolocation info disclosure.
+ * Fix cve-2010-1392: possibly exploitable html button logic error.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1386.patch b/debian/patches/cve-2010-1386.patch
index 1b74d27..9edeb27 100644
--- a/debian/patches/cve-2010-1386.patch
+++ b/debian/patches/cve-2010-1386.patch
@@ -1,5 +1,6 @@
+description: fix cve-2010-1386
author: Michael Gilbert <michael.s.gilbert at gmail.com>
-origin: webkit svn56188
+origin: http://trac.webkit.org/changeset/56188
Index: webkit-1.2.1/WebCore/page/Geolocation.cpp
===================================================================
--- webkit-1.2.1.orig/WebCore/page/Geolocation.cpp 2010-06-28 17:07:35.000000000 -0400
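Review bot: The added `description: fix cve-2010-1386` does not match the changelog entry for what looks like the same geolocation fix, which reads `Fix cve-2010-1368: geolocation info disclosure.` One of the two identifiers is presumably a digit transposition. Security trackers match on the CVE id, so both should be checked against the advisory and made to agree.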
diff --git a/debian/patches/cve-2010-1392.patch b/debian/patches/cve-2010-1392.patch
new file mode 100644
index 0000000..0614f89
--- /dev/null
+++ b/debian/patches/cve-2010-1392.patch
@@ -0,0 +1,17 @@
+description: fix cve-2010-1392
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/56297
+===================================================================
+Index: webkit-1.2.1/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/rendering/RenderBlock.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/rendering/RenderBlock.cpp 2010-06-28 20:56:40.000000000 -0400
+@@ -4639,7 +4639,7 @@
+
+ // Drill into inlines looking for our first text child.
+ RenderObject* currChild = firstLetterBlock->firstChild();
+- while (currChild && currChild->needsLayout() && (!currChild->isReplaced() || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
++ while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+ if (currChild->isFloatingOrPositioned()) {
+ if (currChild->style()->styleType() == FIRST_LETTER)
+ break;
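Review bot: The new patch header says only `description: fix cve-2010-1392`, so the patch file does not explain the issue on its own. The changelog line added in this commit already has a usable summary, e.g. `description: fix cve-2010-1392: possibly exploitable html button logic error`. The header also puts a `===` separator line before `Index:`, whereas cve-2010-1386.patch goes straight from `origin:` to `Index:`. Dropping that extra line would keep the two patch headers consistent.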
diff --git a/debian/patches/series b/debian/patches/series
index bb32afc..525ebed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
# security patches
cve-2010-1386.patch
+cve-2010-1392.patch
--
WebKit Debian packaging