-rw-r--r--x11-libs/qt-webkit/ChangeLog18
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch25
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch29
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch13
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch21
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch267
-rw-r--r--x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch85
-rw-r--r--x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild54
-rw-r--r--x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild54
9 files changed, 565 insertions, 1 deletions
diff --git a/x11-libs/qt-webkit/ChangeLog b/x11-libs/qt-webkit/ChangeLog
index b07c80ab22af..c821672f8ae4 100644
--- a/x11-libs/qt-webkit/ChangeLog
+++ b/x11-libs/qt-webkit/ChangeLog
@@ -1,6 +1,22 @@
# ChangeLog for x11-libs/qt-webkit
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/ChangeLog,v 1.84 2010/04/02 10:01:25 hwoarang Exp $
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/ChangeLog,v 1.85 2010/04/09 22:26:07 yngwin Exp $
+
+*qt-webkit-4.6.2-r1 (09 Apr 2010)
+*qt-webkit-4.5.3-r3 (09 Apr 2010)
+
+ 09 Apr 2010; Ben de Groot <yngwin@gentoo.org> +qt-webkit-4.5.3-r3.ebuild,
+ +files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch,
+ +files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch,
+ +qt-webkit-4.6.2-r1.ebuild,
+ +files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.pa
+ tch,
+ +files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.pat
+ ch:
+ Adding security patches for bug #314193. Make dbus optional, fixes bug
+ #292337.
02 Apr 2010; Markos Chandras <hwoarang@gentoo.org> qt-webkit-4.6.2.ebuild:
Adjust phonon dependencies
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
new file mode 100644
index 000000000000..c5755a49ce1a
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
@@ -0,0 +1,25 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100
+@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
+ return false;
+ }
+
++static bool isValidFormatFunction(CSSParserValue* val)
++{
++ CSSParserValueList* args = val->function->args;
++ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
++}
++
+ bool CSSParser::parseFontFaceSrc()
+ {
+ RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
+@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
+ CSSParserValue* a = args->current();
+ uriValue.clear();
+ parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
+- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
++ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
+ expectComma = true;
+ allowFormat = false;
+ uriValue->setFormat(args->current()->string);
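Review bot: isValidFormatFunction() dereferences `val->function->args` and then `args->current()` with no null or emptiness check, and the guard that makes this safe is not in the hunk — the pre-existing `local(` branch already calls `args->current()` the same way, which suggests parseFontFaceSrc checks `args` before reaching either branch, but that should be confirmed since the function's body starts and ends outside the hunk. The helper also carries no comment on why the unit check exists; `// Only a CSS_STRING or CSS_IDENT argument may be read through ->string by the caller.` would record the point of the fix. The `args->current()` dereference is only reached after the `format(` name comparison succeeds, so other function values are unaffected.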
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
new file mode 100644
index 000000000000..6739bc4e9276
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
@@ -0,0 +1,29 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp 2010-02-04 15:43:15.707711730 +0100
+@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
+ if (!s->m_len) {
+ // We want the box to be destroyed.
+ s->remove();
++ if (m_firstTextBox == s)
++ m_firstTextBox = s->nextTextBox();
++ else
++ s->prevTextBox()->setNextLineBox(s->nextTextBox());
++ if (m_lastTextBox == s)
++ m_lastTextBox = s->prevTextBox();
++ else
++ s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
+ s->destroy(renderArena());
+- m_firstTextBox = m_lastTextBox = 0;
+ return;
+ }
+
+@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
+ #ifdef CHECK_CONSISTENCY
+ const InlineTextBox* prev = 0;
+ for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
+- ASSERT(child->object() == this);
++ ASSERT(child->renderer() == this);
+ ASSERT(child->prevTextBox() == prev);
+ prev = child;
+ }
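Review bot: The `child->object()` to `child->renderer()` rename in RenderText::checkConsistency() sits under `#ifdef CHECK_CONSISTENCY`, so a default build never compiles it, and whether InlineTextBox exposes `renderer()` in this 4.5.3 WebKit snapshot cannot be confirmed from the hunk. It is worth one build with that macro defined, because the relinking added in the first hunk — detaching `s` from the m_firstTextBox/m_lastTextBox chain before `s->destroy(renderArena())` instead of zeroing both pointers — is exactly the invariant that check validates. Both enclosing functions start and end outside their hunks.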
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
new file mode 100644
index 000000000000..12251e289909
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
@@ -0,0 +1,13 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp 2010-02-04 15:54:25.399651321 +0100
+@@ -1208,7 +1208,8 @@ void HTMLParser::handleResidualStyleClos
+ prevMaxElem->next = elem;
+ ASSERT(newNodePtr);
+ prevMaxElem->node = newNodePtr;
+- prevMaxElem->didRefNode = false;
++ newNodePtr->ref();
++ prevMaxElem->didRefNode = true;
+ } else
+ delete elem;
+ }
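Review bot: The new `newNodePtr->ref();` / `prevMaxElem->didRefNode = true;` pair changes the ownership of the node held by the residual-style stack entry, and the hunk leaves that unexplained; the removed line stored the pointer with `didRefNode = false`, i.e. without a reference of its own. A comment at the `ref()` call such as `// The stack entry keeps its own reference so the node cannot be freed while the entry still points at it.` would record why the flag flipped. The enclosing function handleResidualStyleCloseTagAcrossBlocks starts and ends outside the hunk.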
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch
new file mode 100644
index 000000000000..0b20a8571d87
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0052-destroyed-input-cached.patch
@@ -0,0 +1,21 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached 2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp 2010-02-04 17:50:07.931656712 +0100
+@@ -616,12 +616,15 @@ void HTMLInputElement::parseMappedAttrib
+ m_autocomplete = Off;
+ registerForActivationCallbackIfNeeded();
+ } else {
+- if (m_autocomplete == Off)
+- unregisterForActivationCallbackIfNeeded();
++ bool needsToUnregister = m_autocomplete == Off;
++
+ if (attr->isEmpty())
+ m_autocomplete = Uninitialized;
+ else
+ m_autocomplete = On;
++
++ if (needsToUnregister)
++ unregisterForActivationCallbackIfNeeded();
+ }
+ } else if (attr->name() == typeAttr) {
+ setInputType(attr->value());
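Review bot: The reordering in HTMLInputElement::parseMappedAttribute — snapshotting `needsToUnregister` and calling unregisterForActivationCallbackIfNeeded() only after m_autocomplete has been updated — is the whole fix, but nothing in the hunk says why the order matters. If the helper consults m_autocomplete to decide whether the element still needs the callback (not visible here), the old order left the element registered after its state changed; a one-line comment such as `// m_autocomplete must already hold the new value when unregistering, or the element stays registered.` would make that explicit. The enclosing function starts and ends outside the hunk.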
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
new file mode 100644
index 000000000000..e4e32b33c743
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
@@ -0,0 +1,267 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y 2010-02-25 17:07:29.114742034 +0100
+@@ -416,7 +416,9 @@ valid_rule:
+ ;
+
+ rule:
+- valid_rule
++ valid_rule {
++ static_cast<CSSParser*>(parser)->m_hadSyntacticallyValidCSSRule = true;
++ }
+ | invalid_rule
+ | invalid_at
+ | invalid_import
+@@ -1517,8 +1519,12 @@ invalid_rule:
+ ;
+
+ invalid_block:
+- '{' error invalid_block_list error closing_brace
+- | '{' error closing_brace
++ '{' error invalid_block_list error closing_brace {
++ static_cast<CSSParser*>(parser)->invalidBlockHit();
++ }
++ | '{' error closing_brace {
++ static_cast<CSSParser*>(parser)->invalidBlockHit();
++ }
+ ;
+
+ invalid_block_list:
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-02-25 17:13:34.292803953 +0100
+@@ -25,6 +25,7 @@
+ #include "CachedCSSStyleSheet.h"
+ #include "DocLoader.h"
+ #include "Document.h"
++#include "SecurityOrigin.h"
+ #include "MediaList.h"
+ #include "Settings.h"
+ #include <wtf/StdLibExtras.h>
+@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con
+ m_styleSheet->setParent(0);
+ m_styleSheet = CSSStyleSheet::create(this, url, charset);
+
++ bool crossOriginCSS = false;
++ bool validMIMEType = false;
+ CSSStyleSheet* parent = parentStyleSheet();
+ bool strict = !parent || parent->useStrictParsing();
+- String sheetText = sheet->sheetText(strict);
++ bool enforceMIMEType = strict;
++
++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+ m_styleSheet->parseString(sheetText, strict);
+
++ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++ crossOriginCSS = true;
++
++ if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
++ m_styleSheet = CSSStyleSheet::create(this, url, charset);
++
+ if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
+ // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+ DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-25 17:07:29.101741771 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-25 17:07:29.117741744 +0100
+@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing)
+ , m_currentShorthand(0)
+ , m_implicitShorthand(false)
+ , m_hasFontFaceOnlyValues(false)
++ , m_hadSyntacticallyValidCSSRule(false)
+ , m_defaultNamespace(starAtom)
+ , m_data(0)
+ , yy_start(1)
+@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create
+ return keyframePtr;
+ }
+
++void CSSParser::invalidBlockHit()
++{
++ if (m_styleSheet && !m_hadSyntacticallyValidCSSRule)
++ m_styleSheet->setHasSyntacticallyValidCSSHeader(false);
++}
++
+ static int cssPropertyID(const UChar* propertyName, unsigned length)
+ {
+ if (!length)
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h 2010-02-25 17:07:29.117741744 +0100
+@@ -191,6 +191,7 @@ namespace WebCore {
+ bool addVariableDeclarationBlock(const CSSParserString&);
+ bool checkForVariables(CSSParserValueList*);
+ void addUnresolvedProperty(int propId, bool important);
++ void invalidBlockHit();
+
+ Vector<CSSSelector*>* reusableSelectorVector() { return &m_reusableSelectorVector; }
+
+@@ -212,6 +213,7 @@ namespace WebCore {
+ bool m_implicitShorthand;
+
+ bool m_hasFontFaceOnlyValues;
++ bool m_hadSyntacticallyValidCSSRule;
+
+ Vector<String> m_variableNames;
+ Vector<RefPtr<CSSValue> > m_variableValues;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-02-25 17:07:29.118741824 +0100
+@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
+ , m_loadCompleted(false)
+ , m_strictParsing(!parentSheet || parentSheet->useStrictParsing())
+ , m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false)
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+
+@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
+ , m_loadCompleted(false)
+ , m_strictParsing(false)
+ , m_isUserStyleSheet(false)
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+
+@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow
+ , m_charset(charset)
+ , m_loadCompleted(false)
+ , m_strictParsing(!ownerRule || ownerRule->useStrictParsing())
++ , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0;
+ m_doc = parentSheet ? parentSheet->doc() : 0;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-02-25 17:07:29.118741824 +0100
+@@ -95,6 +95,8 @@ public:
+
+ void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; }
+ bool isUserStyleSheet() const { return m_isUserStyleSheet; }
++ void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; }
++ bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
+
+ private:
+ CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
+@@ -110,6 +112,7 @@ private:
+ bool m_loadCompleted : 1;
+ bool m_strictParsing : 1;
+ bool m_isUserStyleSheet : 1;
++ bool m_hasSyntacticallyValidCSSHeader : 1;
+ };
+
+ } // namespace
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-02-25 17:07:29.118741824 +0100
+@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS
+ #endif
+ RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = newSheet;
+- parseStyleSheet(sheet->sheetText());
++ // We don't need the cross-origin security check here because we are
++ // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
++ // type.
++ parseStyleSheet(sheet->sheetText(true));
+ newSheet->setTitle(m_title);
+ newSheet->setMedia(MediaList::create(newSheet.get(), m_media));
+ newSheet->setDisabled(m_alternate);
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-02-25 17:07:29.119741915 +0100
+@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c
+ bool strictParsing = !document()->inCompatMode();
+ bool enforceMIMEType = strictParsing;
+
++ bool crossOriginCSS = false;
++ bool validMIMEType = false;
+ // Check to see if we should enforce the MIME type of the CSS resource in strict mode.
+ // Running in iWeb 2 is one example of where we don't want to - <rdar://problem/6099748>
+ if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode())
+ enforceMIMEType = false;
+
+- String sheetText = sheet->sheetText(enforceMIMEType);
++ String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+ m_sheet->parseString(sheetText, strictParsing);
+
++ // If we're loading a stylesheet cross-origin, and the MIME type is not
++ // standard, require the CSS to at least start with a syntactically
++ // valid CSS rule.
++ // This prevents an attacker playing games by injecting CSS strings into
++ // HTML, XML, JSON, etc. etc.
++ if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++ crossOriginCSS = true;
++
++ if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
++ m_sheet = CSSStyleSheet::create(this, url, charset);
++
+ if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
+ // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+ DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-02-25 17:07:29.119741915 +0100
+@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c
+ return m_decoder->encoding().name();
+ }
+
+-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const
++const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const
+ {
+ ASSERT(!isPurgeable());
+
+- if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType))
++ if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType))
+ return String();
+
+ if (!m_decodedSheetText.isNull())
+@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error()
+ checkNotify();
+ }
+
+-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const
++bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const
+ {
+ if (errorOccurred())
+ return false;
+
+- if (!enforceMIMEType)
++ if (!enforceMIMEType && !hasValidMIMEType)
+ return true;
+
+ // This check exactly matches Firefox. Note that we grab the Content-Type
+@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo
+ // This code defaults to allowing the stylesheet for non-HTTP protocols so
+ // folks can use standards mode for local HTML documents.
+ String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type"));
+- return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++ bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++ if (hasValidMIMEType)
++ *hasValidMIMEType = typeOK;
++ if (!enforceMIMEType)
++ return true;
++ return typeOK;
+ }
+
+ }
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft 2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h 2010-02-25 17:07:29.120741848 +0100
+@@ -40,7 +40,7 @@ namespace WebCore {
+ CachedCSSStyleSheet(const String& URL, const String& charset);
+ virtual ~CachedCSSStyleSheet();
+
+- const String sheetText(bool enforceMIMEType = true) const;
++ const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const;
+
+ virtual void didAddClient(CachedResourceClient*);
+
+@@ -56,7 +56,7 @@ namespace WebCore {
+ void checkNotify();
+
+ private:
+- bool canUseSheet(bool enforceMIMEType) const;
++ bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const;
+
+ protected:
+ RefPtr<TextResourceDecoder> m_decoder;
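Review bot: The cross-origin fallback added to CSSImportRule::setCSSStyleSheet (the `crossOriginCSS` / `hasSyntacticallyValidCSSHeader()` block) has no comment, while the identical block in HTMLLinkElement::setCSSStyleSheet explains why a cross-origin sheet with a non-CSS MIME type must open with a valid rule; carrying that comment over, e.g. `// Cross-origin sheet with a non-CSS MIME type: require a syntactically valid CSS header or discard the sheet.`, keeps the two sites in step. The condition `!parent || !parent->doc() || ...` also deliberately treats a missing parent or document as cross-origin (fail closed), which deserves a word since a reader could take it for a plain null guard. Minor: `#include "SecurityOrigin.h"` lands between Document.h and MediaList.h rather than in the file's alphabetical include order. Both setCSSStyleSheet bodies start and end outside their hunks.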
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
new file mode 100644
index 000000000000..f9ce04119680
--- /dev/null
+++ b/x11-libs/qt-webkit/files/qt-webkit-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
@@ -0,0 +1,85 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100
+@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
+
+ void HTMLFormElement::registerImgElement(HTMLImageElement* e)
+ {
++ ASSERT(imgElements.find(e) == notFound);
+ imgElements.append(e);
+ }
+
+ void HTMLFormElement::removeImgElement(HTMLImageElement* e)
+ {
++ ASSERT(imgElements.find(e) == notFound);
+ removeFromVector(imgElements, e);
+ }
+
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100
+@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
+ HTMLElement::removedFromDocument();
+ }
+
++void HTMLImageElement::insertedIntoTree(bool deep)
++{
++ if (m_form) {
++ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
++#ifndef NDEBUG
++ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
++ ASSERT(ancestor);
++ if (ancestor->hasTagName(formTag)) {
++ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
++ break;
++ }
++ }
++#endif
++ } else {
++ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
++ if (ancestor->hasTagName(formTag)) {
++ m_form = static_cast<HTMLFormElement*>(ancestor);
++ m_form->registerImgElement(this);
++ break;
++ }
++ }
++ }
++
++ HTMLElement::insertedIntoTree(deep);
++}
++
++void HTMLImageElement::removedFromTree(bool deep)
++{
++ if (m_form)
++ m_form->removeImgElement(this);
++ m_form = 0;
++ HTMLElement::removedFromTree(deep);
++}
++
+ int HTMLImageElement::width(bool ignorePendingStylesheets) const
+ {
+ if (!renderer()) {
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100
+@@ -45,8 +45,6 @@ public:
+
+ virtual void attach();
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+- virtual void insertedIntoDocument();
+- virtual void removedFromDocument();
+
+ virtual bool canStartSelection() const { return false; }
+
+@@ -105,6 +103,11 @@ public:
+ virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
+
+ private:
++ virtual void insertedIntoDocument();
++ virtual void removedFromDocument();
++ virtual void insertedIntoTree(bool deep);
++ virtual void removedFromTree(bool deep);
++
+ HTMLImageLoader m_imageLoader;
+ String usemap;
+ bool ismap;
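Review bot: The assertion added to HTMLFormElement::removeImgElement is inverted: `ASSERT(imgElements.find(e) == notFound);` claims the element is absent immediately before removeFromVector() removes it, so a debug build would trip on the first removal of a registered image. The matching assertion in registerImgElement (absence before append) is right; the removal side should read `ASSERT(imgElements.find(e) != notFound);`. Release builds compile ASSERT away, so this does not weaken the fix itself, but a debug build is exactly where the new insertedIntoTree/removedFromTree pairing would be exercised.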
diff --git a/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild b/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild
new file mode 100644
index 000000000000..b1c153b32e63
--- /dev/null
+++ b/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/qt-webkit-4.5.3-r3.ebuild,v 1.1 2010/04/09 22:26:07 yngwin Exp $
+
+EAPI="2"
+inherit eutils qt4-build flag-o-matic
+
+DESCRIPTION="The Webkit module for the Qt toolkit"
+SLOT="4"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="dbus kde"
+
+DEPEND="~x11-libs/qt-core-${PV}[debug=,ssl]
+ ~x11-libs/qt-gui-${PV}[dbus?,debug=]
+ dbus? ( ~x11-libs/qt-dbus-${PV}[debug=] )
+ !kde? ( || ( ~x11-libs/qt-phonon-${PV}:${SLOT}[dbus=,debug=]
+ media-sound/phonon ) )
+ kde? ( media-sound/phonon )"
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ QT4_TARGET_DIRECTORIES="
+ src/3rdparty/webkit/WebCore
+ tools/designer/src/plugins/qwebview"
+ QT4_EXTRACT_DIRECTORIES="
+ include/
+ src/
+ tools/"
+ QCONFIG_ADD="webkit"
+ QCONFIG_DEFINE="QT_WEBKIT"
+
+ qt4-build_pkg_setup
+}
+
+src_prepare() {
+ [[ $(tc-arch) == "ppc64" ]] && append-flags -mminimal-toc #241900
+ epatch "${FILESDIR}"/30_webkit_unaligned_access.diff #235685
+ epatch "${FILESDIR}"/${P}-no-javascript-crash.patch #295573
+
+ # patches graciously borrowed from Fedora for bug #314193
+ epatch "${FILESDIR}"/${P}-cve-2010-0046-css-format-mem-corruption.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0050-crash-misnested-style-tags.patch
+ epatch "${FILESDIR}"/${P}-cve-2010-0052-destroyed-input-cached.patch
+
+ qt4-build_src_prepare
+}
+
+src_configure() {
+ # This fixes relocation overflows on alpha
+ use alpha && append-ldflags "-Wl,--no-relax"
+ myconf="${myconf} -webkit $(qt_use dbus qdbus)"
+ qt4-build_src_configure
+}
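Review bot: src_prepare calls `tc-arch`, a toolchain-funcs function, but the ebuild inherits only eutils, qt4-build and flag-o-matic; qt-webkit-4.6.2-r1.ebuild in the same commit goes further and inherits only qt4-build while calling both `tc-arch` and `append-flags`. Unless relying on qt4-build to pull those eclasses in is deliberate, each ebuild should inherit the eclasses whose functions it calls directly, e.g. `inherit eutils qt4-build flag-o-matic toolchain-funcs` here. The four CVE epatch lines do match the new files/ names.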
diff --git a/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild b/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild
new file mode 100644
index 000000000000..3859ca2a9f29
--- /dev/null
+++ b/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/x11-libs/qt-webkit/qt-webkit-4.6.2-r1.ebuild,v 1.1 2010/04/09 22:26:07 yngwin Exp $
+
+EAPI="2"
+inherit qt4-build
+
+DESCRIPTION="The Webkit module for the Qt toolkit"
+SLOT="4"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 -sparc ~x86 ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~x64-solaris ~x86-solaris"
+IUSE="dbus kde"
+
+DEPEND="~x11-libs/qt-core-${PV}[aqua=,debug=,ssl]
+ ~x11-libs/qt-gui-${PV}[aqua=,dbus?,debug=]
+ ~x11-libs/qt-xmlpatterns-${PV}[aqua=,debug=]
+ dbus? ( ~x11-libs/qt-dbus-${PV}[aqua=,debug=] )
+ !kde? ( || ( ~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug=]
+ media-sound/phonon[aqua=] ) )
+ kde? ( || ( media-sound/phonon[aqua=] ~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug] ) )"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-4.6.0-solaris-strnstr.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
+ "${FILESDIR}"/${PN}-4.5.3-cve-2010-0052-destroyed-input-cached.patch
+ "${FILESDIR}"/${P}-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
+ "${FILESDIR}"/${P}-cve-2010-0054-image-element-pointer-name-getter.patch
+)
+
+pkg_setup() {
+ QT4_TARGET_DIRECTORIES="
+ src/3rdparty/webkit/WebCore
+ tools/designer/src/plugins/qwebview"
+ QT4_EXTRACT_DIRECTORIES="
+ include/
+ src/
+ tools/"
+ QCONFIG_ADD="webkit"
+ QCONFIG_DEFINE="QT_WEBKIT"
+
+ qt4-build_pkg_setup
+}
+
+src_prepare() {
+ [[ $(tc-arch) == "ppc64" ]] && append-flags -mminimal-toc #241900
+ qt4-build_src_prepare
+}
+
+src_configure() {
+ myconf="${myconf} -webkit $(qt_use dbus qdbus)"
+ qt4-build_src_configure
+}
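Review bot: In DEPEND the kde? alternative asks for `~x11-libs/qt-phonon-${PV}:${SLOT}[aqua=,dbus=,debug]` with a bare `debug`, where every other qt-* atom in this ebuild uses `debug=`; a bare flag requires the dependency to be built with debug enabled regardless of this package's own USE=debug, so this looks like a typo for `debug=` and, if it is intentional, deserves a comment. The PATCHES array does correctly distinguish the 4.5.3-named patches (`${PN}-4.5.3-…`) from the 4.6.2-specific ones (`${P}-…`).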