author | Ben de Groot <yngwin@gentoo.org> | 2010-04-09 22:26:07 +0000 |
---|---|---|
committer | Ben de Groot <yngwin@gentoo.org> | 2010-04-09 22:26:07 +0000 |
commit | d29ce6bb3cd8f6ff59a844c3434b896858c25bc9 (patch) | |
tree | c3bf4bdc8ef179371fdb456e48fd5341dfd4cf80 /x11-libs/qt-webkit | |
parent | Mask python3 for stable portage until python-3.x is marked stable. (diff) | |
download | gentoo-2-d29ce6bb3cd8f6ff59a844c3434b896858c25bc9.tar.gz gentoo-2-d29ce6bb3cd8f6ff59a844c3434b896858c25bc9.tar.bz2 gentoo-2-d29ce6bb3cd8f6ff59a844c3434b896858c25bc9.zip |
Adding security patches for bug #314193. Make dbus optional, fixes bug #292337.
(Portage version: 2.2_rc67/cvs/Linux x86_64)
Diffstat (limited to 'x11-libs/qt-webkit')
9 files changed, 565 insertions, 1 deletions
diff --git a/x11-libs/qt-webkit/ChangeLog b/x11-libs/qt-webkit/ChangeLog
index b07c80ab22af..c821672f8ae4 100644
--- a/x11-libs/qt-webkit/ChangeLog
+++ b/x11-libs/qt-webkit/ChangeLog
@@ -1,6 +1,22 @@
 # ChangeLog for x11-libs/qt-webkit
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/ChangeLog,v 1.84 2010/04/02 10:01:25 hwoarang Exp $
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/ChangeLog,v 1.85 2010/04/09 22:26:07 yngwin Exp $
+
+*qt-webkit-4.6.2-r1 (09 Apr 2010)
+*qt-webkit-4.5.3-r3 (09 Apr 2010)
+
+ 09 Apr 2010; Ben de Groot <yngwin@gentoo.org> +qt-webkit-4.5.3-r3.ebuild,
+ +files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch,
+ +qt-webkit-4.6.2-r1.ebuild,
+ +files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.pa
+ tch,
+ +files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.pat
+ ch:
+ Adding security patches for bug #314193. Make dbus optional, fixes bug
+ #292337.
 
 02 Apr 2010; Markos Chandras <hwoarang@gentoo.org> qt-webkit-4.6.2.ebuild:
 Adjust phonon dependencies
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
new file mode 100644
index 000000000000..c5755a49ce1a
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
@@ -0,0 +1,25 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100
+@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
+ return false;
+ }
+ 
++static bool isValidFormatFunction(CSSParserValue* val)
++{
++ CSSParserValueList* args = val->function->args;
++ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
++}
++
+ bool CSSParser::parseFontFaceSrc()
+ {
+ RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
+@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
+ CSSParserValue* a = args->current();
+ uriValue.clear();
+ parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
+- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
++ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
+ expectComma = true;
+ allowFormat = false;
+ uriValue->setFormat(args->current()->string);
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
new file mode 100644
index 000000000000..6739bc4e9276
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
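Review bot: `isValidFormatFunction` dereferences `val->function->args` and `args->current()` before `equalIgnoringCase` has confirmed that the function is `format(`, so the argument list of whatever function the caller hands in is touched first, and if `current()` yields a null pointer on an empty list (not visible in this hunk) a `format()` with no argument would dereference it. Reordering so the name check short-circuits and the argument is checked for presence avoids both: `return equalIgnoringCase(val->function->name, "format(") && args && args->current() && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);`. The caller `parseFontFaceSrc` starts and ends outside the hunk, and its own `args` on the last line is presumably the same list.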
@@ -0,0 +1,29 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-02-04 15:43:15.707711730 +0100
+@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
+ if (!s->m_len) {
+ // We want the box to be destroyed.
+ s->remove();
++ if (m_firstTextBox == s)
++ m_firstTextBox = s->nextTextBox();
++ else
++ s->prevTextBox()->setNextLineBox(s->nextTextBox());
++ if (m_lastTextBox == s)
++ m_lastTextBox = s->prevTextBox();
++ else
++ s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
+ s->destroy(renderArena());
+- m_firstTextBox = m_lastTextBox = 0;
+ return;
+ }
+ 
+@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
+ #ifdef CHECK_CONSISTENCY
+ const InlineTextBox* prev = 0;
+ for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
+- ASSERT(child->object() == this);
++ ASSERT(child->renderer() == this);
+ ASSERT(child->prevTextBox() == prev);
+ prev = child;
+ }
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
new file mode 100644
index 000000000000..12251e289909
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
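Review bot: The added unlink in `RenderText::position` relies on the invariant that a box which is not `m_firstTextBox` has a non-null `prevTextBox()`, and one which is not `m_lastTextBox` a non-null `nextTextBox()`; an `ASSERT(s->prevTextBox());` and `ASSERT(s->nextTextBox());` at the top of the respective `else` branches would document that and catch a broken list in debug builds before `setNextLineBox`/`setPreviousLineBox` dereference it. The second hunk replaces `child->object()` with `child->renderer()` inside `#ifdef CHECK_CONSISTENCY`, which is compiled out in ordinary builds, so whether the 4.5.3 `InlineBox` actually offers a `renderer()` accessor is only exercised in a consistency-check build and is worth confirming against the 4.5.3 header when backporting from a newer tree. Both enclosing functions start and end outside the hunk.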
@@ -0,0 +1,13 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp 2010-02-04 15:54:25.399651321 +0100
+@@ -1208,7 +1208,8 @@ void HTMLParser::handleResidualStyleClos
+ prevMaxElem->next = elem;
+ ASSERT(newNodePtr);
+ prevMaxElem->node = newNodePtr;
+- prevMaxElem->didRefNode = false;
++ newNodePtr->ref();
++ prevMaxElem->didRefNode = true;
+ } else
+ delete elem;
+ }
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch
new file mode 100644
index 000000000000..0b20a8571d87
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch
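Review bot: The added `newNodePtr->ref()` is balanced only if every consumer of `didRefNode` performs the matching deref when the flag is true; the `delete elem` branch on the next line does not touch the node, but the rest of the enclosing `handleResidualStyleClos…` function and the code that drains the `prevMaxElem` list lie outside the hunk, so that pairing should be verified rather than assumed. A one-line comment at the `ref()` call, such as `// keep the node alive while it sits in the element list; whoever honours didRefNode owes the deref`, would make the ownership hand-off explicit to the next reader.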
@@ -0,0 +1,21 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp 2010-02-04 17:50:07.931656712 +0100
+@@ -616,12 +616,15 @@ void HTMLInputElement::parseMappedAttrib
+ m_autocomplete = Off;
+ registerForActivationCallbackIfNeeded();
+ } else {
+- if (m_autocomplete == Off)
+- unregisterForActivationCallbackIfNeeded();
++ bool needsToUnregister = m_autocomplete == Off;
++
+ if (attr->isEmpty())
+ m_autocomplete = Uninitialized;
+ else
+ m_autocomplete = On;
++
++ if (needsToUnregister)
++ unregisterForActivationCallbackIfNeeded();
+ }
+ } else if (attr->name() == typeAttr) {
+ setInputType(attr->value());
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
new file mode 100644
index 000000000000..e4e32b33c743
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
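Review bot: The reordering is the whole fix, but nothing in the hunk records why `unregisterForActivationCallbackIfNeeded()` must now run only after `m_autocomplete` has been reassigned, which is exactly the kind of ordering a later cleanup tends to undo. A comment above the new `if (needsToUnregister)`, for example `// Unregister only after m_autocomplete holds its new value; the unregister path presumably re-checks it, and the old order left a stale registration (CVE-2010-0052).`, pins the intent. `parseMappedAttribute` starts and ends outside the hunk, so whether the callback path really reads `m_autocomplete` is inferred here, not visible.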
@@ -0,0 +1,267 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y 2010-02-25 17:07:29.114742034 +0100
+@@ -416,7 +416,9 @@ valid_rule:
+ ;
+ 
+ rule:
+- valid_rule
++ valid_rule {
++ static_cast<CSSParser*>(parser)->m_hadSyntacticallyValidCSSRule = true;
++ }
+ | invalid_rule
+ | invalid_at
+ | invalid_import
+@@ -1517,8 +1519,12 @@ invalid_rule:
+ ;
+ 
+ invalid_block:
+- '{' error invalid_block_list error closing_brace
+- | '{' error closing_brace
++ '{' error invalid_block_list error closing_brace {
++ static_cast<CSSParser*>(parser)->invalidBlockHit();
++ }
++ | '{' error closing_brace {
++ static_cast<CSSParser*>(parser)->invalidBlockHit();
++ }
+ ;
+ 
+ invalid_block_list:
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-02-25 17:13:34.292803953 +0100
+@@ -25,6 +25,7 @@
+ #include "CachedCSSStyleSheet.h"
+ #include "DocLoader.h"
+ #include "Document.h"
++#include "SecurityOrigin.h"
+ #include "MediaList.h"
+ #include "Settings.h"
+ #include <wtf/StdLibExtras.h>
+@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con
+ m_styleSheet->setParent(0);
+ m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ 
++ bool crossOriginCSS = false;
++ bool validMIMEType = false;
+ CSSStyleSheet* parent = parentStyleSheet();
+ bool strict = !parent || parent->useStrictParsing();
+- String sheetText = sheet->sheetText(strict);
++ bool enforceMIMEType = strict;
++
++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+ m_styleSheet->parseString(sheetText, strict);
+ 
++ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++ crossOriginCSS = true;
++
++ if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
++ m_styleSheet = CSSStyleSheet::create(this, url, charset);
++
+ if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
+ // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+ DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-25 17:07:29.101741771 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-25 17:07:29.117741744 +0100
+@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing)
+ , m_currentShorthand(0)
+ , m_implicitShorthand(false)
+ , m_hasFontFaceOnlyValues(false)
++ , m_hadSyntacticallyValidCSSRule(false)
+ , m_defaultNamespace(starAtom)
+ , m_data(0)
+ , yy_start(1)
+@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create
+ return keyframePtr;
+ }
+ 
++void CSSParser::invalidBlockHit()
++{
++ if (m_styleSheet && !m_hadSyntacticallyValidCSSRule)
++ m_styleSheet->setHasSyntacticallyValidCSSHeader(false);
++}
++
+ static int cssPropertyID(const UChar* propertyName, unsigned length)
+ {
+ if (!length)
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h 2010-02-25 17:07:29.117741744 +0100
+@@ -191,6 +191,7 @@ namespace WebCore {
+ bool addVariableDeclarationBlock(const CSSParserString&);
+ bool checkForVariables(CSSParserValueList*);
+ void addUnresolvedProperty(int propId, bool important);
++ void invalidBlockHit();
+ 
+ Vector<CSSSelector*>* reusableSelectorVector() { return &m_reusableSelectorVector; }
+ 
+@@ -212,6 +213,7 @@ namespace WebCore {
+ bool m_implicitShorthand;
+ 
+ bool m_hasFontFaceOnlyValues;
++ bool m_hadSyntacticallyValidCSSRule;
+ 
+ Vector<String> m_variableNames;
+ Vector<RefPtr<CSSValue> > m_variableValues;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-02-25 17:07:29.118741824 +0100
+@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
+ , m_loadCompleted(false)
+ , m_strictParsing(!parentSheet || parentSheet->useStrictParsing())
+ , m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false)
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+ 
+@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
+ , m_loadCompleted(false)
+ , m_strictParsing(false)
+ , m_isUserStyleSheet(false)
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+ 
+@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow
+ , m_charset(charset)
+ , m_loadCompleted(false)
+ , m_strictParsing(!ownerRule || ownerRule->useStrictParsing())
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0;
+ m_doc = parentSheet ? parentSheet->doc() : 0;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-02-25 17:07:29.118741824 +0100
+@@ -95,6 +95,8 @@ public:
+ 
+ void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; }
+ bool isUserStyleSheet() const { return m_isUserStyleSheet; }
++ void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; }
++ bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
+ 
+ private:
+ CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
+@@ -110,6 +112,7 @@ private:
+ bool m_loadCompleted : 1;
+ bool m_strictParsing : 1;
+ bool m_isUserStyleSheet : 1;
++ bool m_hasSyntacticallyValidCSSHeader : 1;
+ };
+ 
+ } // namespace
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-02-25 17:07:29.118741824 +0100
+@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS
+ #endif
+ RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = newSheet;
+- parseStyleSheet(sheet->sheetText());
++ // We don't need the cross-origin security check here because we are
++ // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
++ // type.
++ parseStyleSheet(sheet->sheetText(true));
+ newSheet->setTitle(m_title);
+ newSheet->setMedia(MediaList::create(newSheet.get(), m_media));
+ newSheet->setDisabled(m_alternate);
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-02-25 17:07:29.119741915 +0100
+@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c
+ bool strictParsing = !document()->inCompatMode();
+ bool enforceMIMEType = strictParsing;
+ 
++ bool crossOriginCSS = false;
++ bool validMIMEType = false;
+ // Check to see if we should enforce the MIME type of the CSS resource in strict mode.
+ // Running in iWeb 2 is one example of where we don't want to - <rdar://problem/6099748>
+ if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode())
+ enforceMIMEType = false;
+ 
+- String sheetText = sheet->sheetText(enforceMIMEType);
++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+ m_sheet->parseString(sheetText, strictParsing);
+ 
++ // If we're loading a stylesheet cross-origin, and the MIME type is not
++ // standard, require the CSS to at least start with a syntactically
++ // valid CSS rule.
++ // This prevents an attacker playing games by injecting CSS strings into
++ // HTML, XML, JSON, etc. etc.
++ if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++ crossOriginCSS = true;
++
++ if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
++ m_sheet = CSSStyleSheet::create(this, url, charset);
++
+ if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
+ // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+ DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-02-25 17:07:29.119741915 +0100
+@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c
+ return m_decoder->encoding().name();
+ }
+ 
+-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const
++const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const
+ {
+ ASSERT(!isPurgeable());
+ 
+- if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType))
++ if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType))
+ return String();
+ 
+ if (!m_decodedSheetText.isNull())
+@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error()
+ checkNotify();
+ }
+ 
+-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const
++bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const
+ {
+ if (errorOccurred())
+ return false;
+ 
+- if (!enforceMIMEType)
++ if (!enforceMIMEType && !hasValidMIMEType)
+ return true;
+ 
+ // This check exactly matches Firefox. Note that we grab the Content-Type
+@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo
+ // This code defaults to allowing the stylesheet for non-HTTP protocols so
+ // folks can use standards mode for local HTML documents.
+ String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type"));
+- return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++ bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++ if (hasValidMIMEType)
++ *hasValidMIMEType = typeOK;
++ if (!enforceMIMEType)
++ return true;
++ return typeOK;
+ }
+ 
+ }
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h 2010-02-25 17:07:29.120741848 +0100
+@@ -40,7 +40,7 @@ namespace WebCore {
+ CachedCSSStyleSheet(const String& URL, const String& charset);
+ virtual ~CachedCSSStyleSheet();
+ 
+- const String sheetText(bool enforceMIMEType = true) const;
++ const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const;
+ 
+ virtual void didAddClient(CachedResourceClient*);
+ 
+@@ -56,7 +56,7 @@ namespace WebCore {
+ void checkNotify();
+ 
+ private:
+- bool canUseSheet(bool enforceMIMEType) const;
++ bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const;
+ 
+ protected:
+ RefPtr<TextResourceDecoder> m_decoder;
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
new file mode 100644
index 000000000000..f9ce04119680
--- /dev/null
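Review bot: In `canUseSheet` (CachedCSSStyleSheet.cpp, last hunk) an empty `Content-Type` counts as `typeOK`, so a cross-origin response that carries no `Content-Type` at all reports `*hasValidMIMEType = true`, and the new `hasSyntacticallyValidCSSHeader()` fallback in `HTMLLinkElement::setCSSStyleSheet` and `CSSImportRule::setCSSStyleSheet` is skipped for it; the syntactic-header check therefore only covers resources served with a wrong type, not with none. Whether that leniency is intended (the comment about non-HTTP protocols suggests so) cannot be decided from the hunk, but it should be stated next to the `typeOK` line, e.g. `// An absent Content-Type is treated as a valid CSS type, so the cross-origin syntactic-header check in the callers does not apply to it.`. Separately, the `errorOccurred()` early return leaves `*hasValidMIMEType` untouched, which is only safe because both callers pre-initialise `validMIMEType = false`; a comment on the `sheetText` declaration in CachedCSSStyleSheet.h saying that the out-parameter is written only when the Content-Type is actually examined would pin that contract for future callers.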
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch 
@@ -0,0 +1,85 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100
+@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
+ 
+ void HTMLFormElement::registerImgElement(HTMLImageElement* e)
+ {
++ ASSERT(imgElements.find(e) == notFound);
+ imgElements.append(e);
+ }
+ 
+ void HTMLFormElement::removeImgElement(HTMLImageElement* e)
+ {
++ ASSERT(imgElements.find(e) == notFound);
+ removeFromVector(imgElements, e);
+ }
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100
+@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
+ HTMLElement::removedFromDocument();
+ }
+ 
++void HTMLImageElement::insertedIntoTree(bool deep)
++{
++ if (m_form) {
++ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
++#ifndef NDEBUG
++ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
++ ASSERT(ancestor);
++ if (ancestor->hasTagName(formTag)) {
++ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
++ break;
++ }
++ }
++#endif
++ } else {
++ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
++ if (ancestor->hasTagName(formTag)) {
++ m_form = static_cast<HTMLFormElement*>(ancestor);
++ m_form->registerImgElement(this);
++ break;
++ }
++ }
++ }
++
++ HTMLElement::insertedIntoTree(deep);
++}
++
++void HTMLImageElement::removedFromTree(bool deep)
++{
++ if (m_form)
++ m_form->removeImgElement(this);
++ m_form = 0;
++ HTMLElement::removedFromTree(deep);
++}
++
+ int HTMLImageElement::width(bool ignorePendingStylesheets) const
+ {
+ if (!renderer()) {
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100
+@@ -45,8 +45,6 @@ public:
+ 
+ virtual void attach();
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+- virtual void insertedIntoDocument();
+- virtual void removedFromDocument();
+ 
+ virtual bool canStartSelection() const { return false; }
+ 
+@@ -105,6 +103,11 @@ public:
+ virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
+ 
+ private:
++ virtual void insertedIntoDocument();
++ virtual void removedFromDocument();
++ virtual void insertedIntoTree(bool deep);
++ virtual void removedFromTree(bool deep);
++
+ HTMLImageLoader m_imageLoader;
+ String usemap;
+ bool ismap;
diff --git a/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild b/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild
new file mode 100644
index 000000000000..b1c153b32e63
--- /dev/null
+++ b/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild
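Review bot: The assertion added to `HTMLFormElement::removeImgElement` is inverted: it asserts `imgElements.find(e) == notFound` immediately before removing `e` from `imgElements`, so in a debug build every legitimate removal (including the one the new `HTMLImageElement::removedFromTree` performs) trips it, while the condition that actually matters, that the element is present, is never checked. It should read `ASSERT(imgElements.find(e) != notFound);`, mirroring the `== notFound` precondition that is correct in `registerImgElement` a few lines above. Release builds are unaffected because `ASSERT` compiles out, which is probably why the patch applies and builds without complaint.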
@@ -0,0 +1,54 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild,v 1.1 2010/04/09 22:26:07 yngwin Exp $
+
+EAPI="2"
+inherit eutils qt4-build flag-o-matic
+
+DESCRIPTION="The Webkit module for the Qt toolkit"
+SLOT="4"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="dbus kde"
+
+DEPEND="~x11-libs/qt-core-${PV}[debug=,ssl]
+ ~x11-libs/qt-gui-${PV}[dbus?,debug=]
+ dbus? ( ~x11-libs/qt-dbus-${PV}[debug=] )
+ !kde? ( || ( ~x11-libs/qt-phonon-${PV}:${SLOT}[dbus=,debug=]
+ media-sound/phonon ) )
+ kde? ( media-sound/phonon )"
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ QT4_TARGET_DIRECTORIES="
+ src/3rdparty/webkit/WebCore
+ tools/designer/src/plugins/qwebview"
+ QT4_EXTRACT_DIRECTORIES="
+ include/
+ src/
+ tools/"
+ QCONFIG_ADD="webkit"
+ QCONFIG_DEFINE="QT_WEBKIT"
+
+ qt4-build_pkg_setup
+}
+
+src_prepare() {
+ [[ $(tc-arch) == "ppc64" ]] && append-flags -mminimal-toc #241900
+ epatch "${FILESDIR}"/30_webkit_unaligned_access.diff #235685
+ epatch "${FILESDIR}"/${P}-no-javascript-crash.patch #295573
+
+ # patches graciously borrowed from Fedora for bug #314193
+ epatch "${FILESDIR}"/${P}-cve-2010-0046-css-format-mem-corruption.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0050-crash-misnested-style-tags.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0052-destroyed-input-cached.patch
+
+ qt4-build_src_prepare
+}
+
+src_configure() {
+ # This fixes relocation overflows on alpha
+ use alpha && append-ldflags "-Wl,--no-relax"
+ myconf="${myconf} -webkit $(qt_use dbus qdbus)"
+ qt4-build_src_configure
+}
diff --git a/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild b/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild
new file mode 100644
index 000000000000..3859ca2a9f29
--- /dev/null
+++ b/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild
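Review bot: `src_prepare` in this revision applies four of the six patches the commit adds; CVE-2010-0051 (cross-origin CSS theft) and CVE-2010-0054 are only shipped as 4.6.2-specific patches, so qt-webkit-4.5.3-r3 does not cover everything the commit message attributes to bug #314193. Either a 4.5.3 backport of those two patches belongs in `src_prepare` as well, or the comment `# patches graciously borrowed from Fedora for bug #314193` should name the CVEs that remain open on this revision, e.g. `# patches graciously borrowed from Fedora for bug #314193 (CVE-2010-0051 and CVE-2010-0054 are 4.6.2-only, not backported here)`, so the gap is visible to whoever stabilises this slot.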
@@ -0,0 +1,54 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild,v 1.1 2010/04/09 22:26:07 yngwin Exp $
+
+EAPI="2"
+inherit qt4-build
+
+DESCRIPTION="The Webkit module for the Qt toolkit"
+SLOT="4"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 -sparc ~x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~x64-solaris ~x86-solaris"
+IUSE="dbus kde"
+
+DEPEND="~x11-libs/qt-core-${PV}[aqua=,debug=,ssl]
+ ~x11-libs/qt-gui-${PV}[aqua=,dbus?,debug=]
+ ~x11-libs/qt-xmlpatterns-${PV}[aqua=,debug=]
+ dbus? ( ~x11-libs/qt-dbus-${PV}[aqua=,debug=] )
+ !kde? ( || ( ~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug=]
+ media-sound/phonon[aqua=] ) )
+ kde? ( || ( media-sound/phonon[aqua=] ~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug] ) )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-4.6.0-solaris-strnstr.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0052-destroyed-input-cached.patch
+ "${FILESDIR}"/${P}-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
+ "${FILESDIR}"/${P}-cve-2010-0054-image-element-pointer-name-getter.patch
+)
+
+pkg_setup() {
+ QT4_TARGET_DIRECTORIES="
+ src/3rdparty/webkit/WebCore
+ tools/designer/src/plugins/qwebview"
+ QT4_EXTRACT_DIRECTORIES="
+ include/
+ src/
+ tools/"
+ QCONFIG_ADD="webkit"
+ QCONFIG_DEFINE="QT_WEBKIT"
+
+ qt4-build_pkg_setup
+}
+
+src_prepare() {
+ [[ $(tc-arch) == "ppc64" ]] && append-flags -mminimal-toc #241900
+ qt4-build_src_prepare
+}
+
+src_configure() {
+ myconf="${myconf} -webkit $(qt_use dbus qdbus)"
+ qt4-build_src_configure
+}
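Review bot: In the `kde?` branch of `DEPEND` the alternative `~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug]` uses a bare `debug` where every other atom in the file uses `debug=`; as written it requires qt-phonon to be built with USE=debug rather than matching this package's own setting, which looks like a typo carried over from the previous revision and should read `[aqua=,dbus=,debug=]`. `src_prepare` also calls `append-flags` while only `qt4-build` is inherited (4.5.3-r3 inherits `flag-o-matic` explicitly), which is fine only if `qt4-build` pulls flag-o-matic in transitively, something not visible here. Finally, the four `${PN}-4.5.3-cve-*` patches carry `qt-x11-opensource-src-4.5.3/` path prefixes and are now applied to a `qt-everywhere-opensource-src-4.6.2` tree, so they rely on the eclass's prefix stripping and on the 4.5.3 context lines still matching 4.6.2 sources; a build log showing them applying cleanly would be worth attaching to the bug.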