[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-36-g0136662

Michael Gilbert michael.s.gilbert at gmail.com
Wed Sep 8 00:08:20 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit 71dacccbdf0c67886e86799277bd93a695140f36
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date:   Mon Sep 6 21:58:40 2010 -0400

    fix cve-2010-2651

diff --git a/debian/changelog b/debian/changelog
index 9094c21..0a765ac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 webkit (1.2.4-2) unstable; urgency=high
 
   * fix cve-2010-2646: security origin bypass using IFRAME elements.
+  * fix cve-2010-2651: vulnerability in css style rendering.
 
  -- Michael Gilbert <michael.s.gilbert at gmail.com>  Mon, 06 Sep 2010 21:36:40 -0400
 
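Review bot: the new changelog line "vulnerability in css style rendering" is far vaguer than the entry just above it ("security origin bypass using IFRAME elements") and gives a reader of the security tracker nothing to act on; the patch this commit adds changes the FIRST_LETTER pseudo-style handling in WebCore/rendering/RenderBlock.cpp, so say that here, e.g. "fix cve-2010-2651: first-letter pseudo-element style handling in RenderBlock", and mention the upstream changeset (r59247, already cited in the patch header) so the fix can be traced without opening the patch.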
diff --git a/debian/patches/cve-2010-2651.patch b/debian/patches/cve-2010-2651.patch
new file mode 100644
index 0000000..09fe1f8
--- /dev/null
+++ b/debian/patches/cve-2010-2651.patch
@@ -0,0 +1,38 @@
+description: fix cve-2010-2651
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/59247
+Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp	2010-09-03 15:18:07.000000000 -0400
++++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp	2010-09-06 21:50:51.000000000 -0400
+@@ -4651,10 +4651,12 @@
+ 
+     // Drill into inlines looking for our first text child.
+     RenderObject* currChild = firstLetterBlock->firstChild();
+-    while (currChild && currChild->needsLayout() && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
++    while (currChild && ((!currChild->isReplaced() && !currChild->isRenderButton() && !currChild->isMenuList()) || currChild->isFloatingOrPositioned()) && !currChild->isText()) {
+         if (currChild->isFloatingOrPositioned()) {
+-            if (currChild->style()->styleType() == FIRST_LETTER)
++            if (currChild->style()->styleType() == FIRST_LETTER) {
++                currChild = currChild->firstChild();
+                 break;
++            }
+             currChild = currChild->nextSibling();
+         } else
+             currChild = currChild->firstChild();
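Review bot: the new `currChild = currChild->firstChild();` placed before the `break` in the FIRST_LETTER branch can leave `currChild` null when the existing first-letter container has no children, and the loop then exits carrying that null; the lines that follow the loop (4660 onward) are not in this hunk, so confirm every remaining use of `currChild` after the loop is guarded, or guard it before the `break`. Separately, dropping `currChild->needsLayout()` from the `while` condition means the drill-down now runs on every call rather than only when the child still needs layout; that is a behavioural change beyond the first-letter fix itself, and it deserves a sentence in the patch's `description:` header, which at present only repeats the CVE id.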
+@@ -4671,11 +4673,11 @@
+ 
+     // If the child already has style, then it has already been created, so we just want
+     // to update it.
+-    if (currChild->style()->styleType() == FIRST_LETTER) {
++    if (firstLetterContainer->style()->styleType() == FIRST_LETTER) {
+         RenderStyle* pseudo = firstLetterBlock->getCachedPseudoStyle(FIRST_LETTER,
+-                                                                     firstLetterContainer->firstLineStyle());
+-        currChild->setStyle(pseudo);
+-        for (RenderObject* genChild = currChild->firstChild(); genChild; genChild = genChild->nextSibling()) {
++                                                                     firstLetterContainer->parent()->firstLineStyle());
++        firstLetterContainer->setStyle(pseudo);
++        for (RenderObject* genChild = firstLetterContainer->firstChild(); genChild; genChild = genChild->nextSibling()) {
+             if (genChild->isText()) 
+                 genChild->setStyle(pseudo);
+         }
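Review bot: `firstLetterContainer->parent()->firstLineStyle()` on the new line dereferences `parent()` without a check, and `firstLetterContainer` is assigned in the elided lines between the two hunks, so confirm it can never be a renderer with no parent at this point (otherwise test `parent()` for null and fall back to `firstLetterContainer->firstLineStyle()`). The move from `currChild` to `firstLetterContainer` for the FIRST_LETTER test and the `setStyle(pseudo)` call is consistent with the first hunk now stepping `currChild` into the container's first child, but the hunk stops before the branch taken when the child does not yet have style (the comment above says this branch only covers the already-created case), so check that the creation path in upstream r59247 did not also change, and that no hunk of the origin changeset was dropped in this backport.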
diff --git a/debian/patches/series b/debian/patches/series
index 12314ef..a9873a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 02-pool-fixup-and-sparc-support.patch
 04-spoof-user-agent-to-google.patch
 cve-2010-2646.patch
+cve-2010-2651.patch

-- 
WebKit Debian packaging



More information about the Pkg-webkit-commits mailing list