Hello community,
here is the log from the commit of package libwebkit
checked in at Wed Sep 24 00:45:35 CEST 2008.
--------
--- libwebkit/libwebkit.changes 2008-08-26 15:31:42.000000000 +0200
+++ /d/STABLE/libwebkit/libwebkit.changes 2008-09-19 03:06:25.965506000 +0200
@@ -1,0 +2,6 @@
+Fri Sep 19 01:55:08 CEST 2008 - maw@suse.de
+
+- Add libwebkit-use-after-free.patch (bnc#427349, bwo#19618,
+ and CVE-2008-3632).
+
+-------------------------------------------------------------------
New:
----
libwebkit-use-after-free.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libwebkit.spec ++++++
--- /var/tmp/diff_new_pack.V14414/_old 2008-09-24 00:45:05.000000000 +0200
+++ /var/tmp/diff_new_pack.V14414/_new 2008-09-24 00:45:05.000000000 +0200
@@ -25,11 +25,12 @@
Summary: Library for rendering web content, GTK+ Port
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Version: 1.0.1
-Release: 2
+Release: 3
Source: webkit-%{version}.tar.bz2
Patch0: webkit-cairo-canvas-r34625-for-1.0.1.patch
Patch1: webkit-fix-gcc43.patch
Patch2: libwebkit-no-return-in-nonvoid.patch
+Patch3: libwebkit-use-after-free.patch
%define debug_package_requires libwebkit-1_0-1 = %{version}-%{release}
%description
@@ -85,6 +86,7 @@
Group: Development/Libraries/C and C++
Summary: Library for rendering web content, GTK+ Port
Requires: libwebkit-1_0-1 = %{version} gtk2-devel
+# Requires: libcurl-devel libicu-devel libjpeg-devel libxml2-devel libxslt-devel sqlite3-devel
Provides: WebKitGtk-devel = %{version}
Obsoletes: WebKitGtk-devel <= %{version}
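Review bot: The `# Requires:` line added to the -devel subpackage is a commented-out dependency with no explanation, so a later reader cannot tell whether the listed -devel packages are still needed by consumers of the headers or were dropped on purpose. Either remove the line or put a one-line reason in front of it, e.g. `# Requires disabled on purpose: <reason>` with the reason filled in. The surrounding %package section starts outside this hunk.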
@@ -138,6 +140,7 @@
%patch0 -p 1
%patch1
%patch2
+%patch3 -p1
%build
%ifarch ppc64
@@ -176,6 +179,9 @@
%{_bindir}/jsc
%changelog
+* Fri Sep 19 2008 maw@suse.de
+- Add libwebkit-use-after-free.patch (bnc#427349, bwo#19618,
+ and CVE-2008-3632).
* Tue Aug 26 2008 ajorgensen@novell.com
- Fix for -debug* requiring wrong package
* Sat Aug 23 2008 ajorgensen@novell.com
++++++ libwebkit-use-after-free.patch ++++++
Index: webkit-1.0.1/WebCore/ChangeLog
===================================================================
--- webkit-1.0.1.orig/WebCore/ChangeLog
+++ webkit-1.0.1/WebCore/ChangeLog
@@ -1,3 +1,32 @@
+2008-06-26 Eric Seidel
+
+ Reviewed by Beth Dakin.
+
+ CSS @import statements can cause DocLoader to use
+ a dead Frame pointer.
+ https://bugs.webkit.org/show_bug.cgi?id=19618
+
+ The fix is to get rid of the Frame pointer on DocLoader.
+
+ I also took this opportunity to clean up Document::detach
+ a little to make it clear why we clear the m_frame pointer
+ there, and to note that in the future we should stop
+ using Node::detach to mean "tear down the whole rendering
+ tree and detach from the frame".
+
+ Test: I don't know how to make a good test for this, the test
+ we have is network timing dependent and does not make a good
+ layout test.
+
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::detach):
+ (WebCore::Document::clearFramePointer):
+ * dom/Document.h:
+ * loader/DocLoader.cpp:
+ (WebCore::DocLoader::frame):
+ * loader/DocLoader.h:
+
2008-06-15 Darin Adler
Reviewed by Mitz.
Index: webkit-1.0.1/WebCore/dom/Document.cpp
===================================================================
--- webkit-1.0.1.orig/WebCore/dom/Document.cpp
+++ webkit-1.0.1/WebCore/dom/Document.cpp
@@ -308,8 +308,7 @@ Document::Document(Frame* frame, bool is
m_axObjectCache = 0;
- // FIXME: DocLoader probably no longer needs the frame argument
- m_docLoader = new DocLoader(frame, this);
+ m_docLoader = new DocLoader(this);
visuallyOrdered = false;
m_bParsing = false;
@@ -1285,9 +1284,12 @@ void Document::detach()
if (render)
render->destroy();
-
- // FIXME: is this needed or desirable?
- m_frame = 0;
+
+ // This is required, as our Frame might delete itself as soon as it detaches
+ // us. However, this violates Node::detach() symantics, as it's never
+ // possible to re-attach. Eventually Document::detach() should be renamed
+ // or this call made explicit in each of the callers of Document::detach().
+ clearFramePointer();
if (m_renderArena) {
delete m_renderArena;
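Review bot: The comment above the new `clearFramePointer();` call misspells "semantics" as "symantics"; suggest `// us. However, this violates Node::detach() semantics, as it's never`. The comment states the hazard (the Frame may delete itself once it has detached the Document) but not what nulling the pointer now protects: DocLoader::frame() in this patch forwards to the Document instead of keeping its own copy, so clearing m_frame here is presumably what makes a later DocLoader call see a null frame() rather than a dangling one, and a sentence saying so would tie the two halves of the fix together. Document::detach() begins and ends outside this hunk.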
@@ -1295,6 +1297,11 @@ void Document::detach()
}
}
+void Document::clearFramePointer()
+{
+ m_frame = 0;
+}
+
void Document::removeAllEventListenersFromAllNodes()
{
m_windowEventListeners.clear();
Index: webkit-1.0.1/WebCore/dom/Document.h
===================================================================
--- webkit-1.0.1.orig/WebCore/dom/Document.h
+++ webkit-1.0.1/WebCore/dom/Document.h
@@ -377,6 +377,8 @@ public:
virtual void attach();
virtual void detach();
+ void clearFramePointer();
+
RenderArena* renderArena() { return m_renderArena; }
void clearAXObjectCache();
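Review bot: The new public `clearFramePointer()` is declared without a comment, and nothing at the declaration says when it is called or that the Document has no Frame afterwards. Suggest `void clearFramePointer(); // Called from detach(); the Frame may be destroyed afterwards, so frame() returns 0 from then on.` The detach() comment in Document.cpp already notes that re-attaching is not possible; that belongs in the header too, since callers read the declaration rather than the definition.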
Index: webkit-1.0.1/WebCore/loader/DocLoader.cpp
===================================================================
--- webkit-1.0.1.orig/WebCore/loader/DocLoader.cpp
+++ webkit-1.0.1/WebCore/loader/DocLoader.cpp
@@ -42,10 +42,9 @@
namespace WebCore {
-DocLoader::DocLoader(Frame *frame, Document* doc)
+DocLoader::DocLoader(Document* doc)
: m_cache(cache())
, m_cachePolicy(CachePolicyVerify)
- , m_frame(frame)
, m_doc(doc)
, m_requestCount(0)
, m_autoLoadImages(true)
@@ -64,6 +63,11 @@ DocLoader::~DocLoader()
m_cache->removeDocLoader(this);
}
+Frame* DocLoader::frame() const
+{
+ return m_doc->frame();
+}
+
void DocLoader::checkForReload(const KURL& fullURL)
{
if (m_allowStaleResources)
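Review bot: `DocLoader::frame()` dereferences `m_doc` unconditionally, while the only place it is set is the constructor in the previous hunk, which accepts a `Document*` without checking it. The "Can be NULL" comment in DocLoader.h applies to the returned Frame, not to m_doc, so the precondition that m_doc is non-null for the DocLoader's whole lifetime is implicit; an `ASSERT(m_doc);` in the constructor body, or a comment on this accessor stating it, would record it. The Document creates its DocLoader with `new DocLoader(this)`, but whether anything can delete the Document before its DocLoader is not visible in the patch.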
@@ -147,8 +151,8 @@ CachedResource* DocLoader::requestResour
m_docResources.remove(it);
}
}
-
- if (m_frame && m_frame->loader()->isReloading())
+
+ if (frame() && frame()->loader()->isReloading())
setCachePolicy(CachePolicyReload);
checkForReload(fullURL);
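Review bot: The reload check now calls `frame()` twice on one line, once for the null test and once for the dereference, and the same shape is repeated in setLoadInProgress and checkCacheObjectStatus in the next two hunks. Each call is a separate lookup through `m_doc->frame()`, so reading it once per function keeps the check and the use on the same value: `Frame* currentFrame = frame();` followed by `if (currentFrame && currentFrame->loader()->isReloading())`. In checkCacheObjectStatus the null test and the final `frame()->loader()->loadedResourceFromMemoryCache(resource)` sit in different hunks with the switch body between them; if anything in that body could detach the Document, the second call would return 0 and be dereferenced, which the single local read after the early return avoids, but the switch body is not in the patch. DocLoader::requestResource begins and ends outside this hunk.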
@@ -196,14 +200,14 @@ void DocLoader::removeCachedResource(Cac
void DocLoader::setLoadInProgress(bool load)
{
m_loadInProgress = load;
- if (!load && m_frame)
- m_frame->loader()->loadDone();
+ if (!load && frame())
+ frame()->loader()->loadDone();
}
void DocLoader::checkCacheObjectStatus(CachedResource* resource)
{
// Return from the function for objects that we didn't load from the cache or if we don't have a frame.
- if (!resource || !m_frame)
+ if (!resource || !frame())
return;
switch (resource->status()) {
@@ -217,7 +221,7 @@ void DocLoader::checkCacheObjectStatus(C
}
// FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
- m_frame->loader()->loadedResourceFromMemoryCache(resource);
+ frame()->loader()->loadedResourceFromMemoryCache(resource);
}
void DocLoader::incrementRequestCount()
Index: webkit-1.0.1/WebCore/loader/DocLoader.h
===================================================================
--- webkit-1.0.1.orig/WebCore/loader/DocLoader.h
+++ webkit-1.0.1/WebCore/loader/DocLoader.h
@@ -51,7 +51,7 @@ friend class Cache;
friend class HTMLImageLoader;
public:
- DocLoader(Frame*, Document*);
+ DocLoader(Document*);
~DocLoader();
CachedImage* requestImage(const String& url);
@@ -76,7 +76,7 @@ public:
CachePolicy cachePolicy() const { return m_cachePolicy; }
void setCachePolicy(CachePolicy);
- Frame* frame() const { return m_frame; }
+ Frame* frame() const; // Can be NULL
Document* doc() const { return m_doc; }
void removeCachedResource(CachedResource*) const;
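Review bot: The new `// Can be NULL` comment on `frame()` says that the result can be null but not why or when, which is what a caller needs now that the accessor's value can change after construction (the old inline form returned a member set once in the constructor). Suggest `Frame* frame() const; // Can be NULL: forwards to the Document, whose frame pointer is cleared in Document::detach()`. Any callers outside this patch that cached the old accessor's result or skipped the null check are not covered by the change and would need the same review.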
@@ -108,8 +108,7 @@ private:
HashSet<String> m_reloadedURLs;
mutable HashMap m_docResources;
CachePolicy m_cachePolicy;
- Frame* m_frame;
- Document *m_doc;
+ Document* m_doc;
int m_requestCount;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++