Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package webkitgtk

This release contains several fixes cherry picked from the upstream stable branches. All of them solve either crashes or other important bugs:

* debian/patches/ppc64-align.patch:
  This fixes a crash on ppc64 that happens because the address passed to mprotect() is not aligned to the page size.
  http://bugs.debian.org/762670
  https://bugs.webkit.org/show_bug.cgi?id=130237
  https://bugzilla.redhat.com/show_bug.cgi?id=1074093

* debian/patches/no-ssl-record-version.patch:
  This fixes a problem where, following the POODLE vulnerability, many web sites incorrectly ban SSL 3.0 record packet versions used to advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS version record instead of using the default SSL 3.0.
  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:
  These other four patches fix several NULL pointer crashes in different parts of the code. Here are the upstream bug reports:
  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/protect-document.patch:
  This fixes a crash that happens while applying XSLTransform. This is marked upstream as a security fix so the details are private.

* debian/patches/ax-focus-events.patch:
  Two related accessibility fixes, preventing crashes for both users and non-users of assistive technology.
  https://bugs.webkit.org/show_bug.cgi?id=137866
  https://bugs.webkit.org/show_bug.cgi?id=137867

unblock webkitgtk/2.4.7-3

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog --- webkitgtk-2.4.7/debian/changelog 2014-11-11 10:44:21.000000000 +0000 +++ webkitgtk-2.4.7/debian/changelog 2014-12-08 12:26:31.000000000 +0000 @@ -1,3 +1,25 @@ +webkitgtk (2.4.7-3) unstable; urgency=medium + + * debian/patches/ppc64-align.patch: + + Fix crash in ppc64el (Closes: #762670). + * debian/patches/no-ssl-record-version.patch: + + Don't use a SSL3.0 record version in client hello. + * debian/patches/protect-document.patch: + + Protect Document in ProcessingInstruction::setXSLStyleSheet(). This + is a security fix, see https://codereview.chromium.org/579133004. + * debian/patches/nullptr-accessibilitymenulistoption.patch: + + Check for NULL pointers in AccessibilityMenuListOption. + * debian/patches/nullptr-applystylecommand.patch: + + Check for NULL pointer in ApplyStyleCommand. + * debian/patches/nullptr-frameprogresstracker.patch: + + Check for NULL pointer in FrameProgressTracker. + * debian/patches/render-text-control.patch: + + Check for NULL pointer in SearchInputType. + * debian/patches/ax-focus-events.patch: + + Fix accessible focus events in non-focused combo boxes. + + -- Alberto Garcia <be...@igalia.com> Mon, 08 Dec 2014 13:26:23 +0100 + webkitgtk (2.4.7-2) unstable; urgency=medium * debian/patches/touch-event.patch: diff -Nru webkitgtk-2.4.7/debian/patches/ax-focus-events.patch webkitgtk-2.4.7/debian/patches/ax-focus-events.patch --- webkitgtk-2.4.7/debian/patches/ax-focus-events.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/ax-focus-events.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,78 @@ +From: Joanmarie Diggs <jdi...@igalia.com> +Subject: Fix accessible focus events in non-focused combo boxes +Origin: http://trac.webkit.org/changeset/176177, http://trac.webkit.org/changeset/176178 +Index: webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp ++++ webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +@@ -170,8 +170,12 @@ static void notifyChildrenSelectionChang + if (axItem) { + bool isSelected = item->isSelected(); + atk_object_notify_state_change(axItem, ATK_STATE_SELECTED, isSelected); +- g_signal_emit_by_name(axItem, "focus-event", isSelected); +- atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected); ++ // When the selection changes in a collapsed widget such as a combo box ++ // whose child menu is not showing, that collapsed widget retains focus. ++ if (!object->isCollapsed()) { ++ g_signal_emit_by_name(axItem, "focus-event", isSelected); ++ atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected); ++ } + } + + // Update pointers to the previously involved objects. +@@ -194,7 +198,8 @@ void AXObjectCache::postPlatformNotifica + + case AXSelectedChildrenChanged: + case AXMenuListValueChanged: +- if (notification == AXMenuListValueChanged && coreObject->isMenuList()) { ++ // Accessible focus claims should not be made if the associated widget is not focused. 
++ if (notification == AXMenuListValueChanged && coreObject->isMenuList() && coreObject->isFocused()) { + g_signal_emit_by_name(axObject, "focus-event", true); + atk_object_notify_state_change(axObject, ATK_STATE_FOCUSED, true); + } +Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp ++++ webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp +@@ -747,13 +747,15 @@ static AtkRole atkRole(AccessibilityObje + + static AtkRole webkitAccessibleGetRole(AtkObject* object) + { +- g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_UNKNOWN); +- returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_UNKNOWN); ++ // ATK_ROLE_UNKNOWN should only be applied in cases where there is a valid ++ // WebCore accessible object for which the platform role mapping is unknown. ++ g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_INVALID); ++ returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_INVALID); + + AccessibilityObject* coreObject = core(object); + + if (!coreObject) +- return ATK_ROLE_UNKNOWN; ++ return ATK_ROLE_INVALID; + + // Note: Why doesn't WebCore have a password field for this + if (coreObject->isPasswordField()) +Index: webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp +=================================================================== +--- webkitgtk.orig/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp ++++ webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp +@@ -335,6 +335,8 @@ const gchar* roleToString(AtkObject* obj + return "AXImage"; + case ATK_ROLE_IMAGE_MAP: + return "AXImageMap"; ++ case ATK_ROLE_INVALID: ++ return "AXInvalid"; + case ATK_ROLE_LABEL: + return "AXLabel"; + case ATK_ROLE_LINK: +@@ -884,9 +886,6 @@ 
JSRetainPtr<JSStringRef> AccessibilityUI + if (!ATK_IS_OBJECT(m_element.get())) + return JSStringCreateWithCharacters(0, 0); + +- if (!atk_object_get_role(ATK_OBJECT(m_element.get()))) +- return JSStringCreateWithCharacters(0, 0); +- + GUniquePtr<char> roleStringWithPrefix(g_strdup_printf("AXRole: %s", roleToString(ATK_OBJECT(m_element.get())))); + return JSStringCreateWithUTF8CString(roleStringWithPrefix.get()); + } diff -Nru webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch --- webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Carlos Alberto Lopez Perez <clo...@igalia.com> +Subject: Don't use a SSL3.0 record version in client hello +Origin: http://trac.webkit.org/changeset/176253 +Index: webkitgtk/Source/WebKit2/gtk/MainGtk.cpp +=================================================================== +--- webkitgtk.orig/Source/WebKit2/gtk/MainGtk.cpp ++++ webkitgtk/Source/WebKit2/gtk/MainGtk.cpp +@@ -38,7 +38,7 @@ int main(int argc, char** argv) + // overwrite this priority string if it's already set by the user. + // Keep this in sync with WebProcessMain.cpp. + // https://bugzilla.gnome.org/show_bug.cgi?id=738633 +- setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0); ++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0); + + return WebKit::WebProcessMainGtk(argc, argv); + } +Index: webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp +=================================================================== +--- webkitgtk.orig/Source/WebKit2/unix/NetworkMainUnix.cpp ++++ webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp +@@ -42,7 +42,7 @@ int main(int argc, char** argv) + // overwrite this priority string if it's already set by the user. + // Keep this in sync with WebProcessMain.cpp. + // https://bugzilla.gnome.org/show_bug.cgi?id=738633 +- setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0); ++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0); + + return WebKit::NetworkProcessMain(argc, argv); + } diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch --- webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,21 @@ +From: Joanmarie Diggs <jdi...@igalia.com> +Subject: Check for NULL pointers in AccessibilityMenuListOption +Origin: http://trac.webkit.org/changeset/176389 +Index: webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp ++++ webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp +@@ -104,9 +104,13 @@ bool AccessibilityMenuListOption::comput + LayoutRect AccessibilityMenuListOption::elementRect() const + { + AccessibilityObject* parent = parentObject(); ++ if (!parent) ++ return boundingBoxRect(); + ASSERT(parent->isMenuListPopup()); + + AccessibilityObject* grandparent = parent->parentObject(); ++ if (!grandparent) ++ return boundingBoxRect(); + ASSERT(grandparent->isMenuList()); + + return grandparent->elementRect(); diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch --- webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,17 @@ +From: Csaba Osztrogonác <o...@webkit.org> +Subject: Check for NULL pointer in ApplyStyleCommand +Origin: http://trac.webkit.org/changeset/176182 +Index: webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/editing/ApplyStyleCommand.cpp ++++ webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp +@@ -267,6 +267,9 @@ void ApplyStyleCommand::applyBlockStyle( + #else + Node* scope = highestEditableRoot(visibleStart.deepEquivalent()); + #endif ++ if (!scope) ++ return; ++ + RefPtr<Range> startRange = Range::create(document(), firstPositionInNode(scope), visibleStart.deepEquivalent().parentAnchoredEquivalent()); + RefPtr<Range> endRange = Range::create(document(), firstPositionInNode(scope), visibleEnd.deepEquivalent().parentAnchoredEquivalent()); + int startIndex = TextIterator::rangeLength(startRange.get(), true); diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch --- webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,17 @@ +From: Jeffrey Pfau <jp...@apple.com> +Subject: Check for NULL pointer in FrameProgressTracker +Origin: http://trac.webkit.org/changeset/175919 +Index: webkitgtk/Source/WebCore/loader/FrameLoader.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/loader/FrameLoader.cpp ++++ webkitgtk/Source/WebCore/loader/FrameLoader.cpp +@@ -195,8 +195,7 @@ public: + + ~FrameProgressTracker() + { +- ASSERT(!m_inProgress || m_frame.page()); +- if (m_inProgress) ++ if (m_inProgress && m_frame.page()) + m_frame.page()->progress().progressCompleted(m_frame); + } + diff -Nru webkitgtk-2.4.7/debian/patches/ppc64-align.patch webkitgtk-2.4.7/debian/patches/ppc64-align.patch --- webkitgtk-2.4.7/debian/patches/ppc64-align.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/ppc64-align.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,61 @@ +From: Michel Normand <norm...@linux.vnet.ibm.com> +Subject: Fix crash in ppc64el +Bug: https://bugs.webkit.org/show_bug.cgi?id=130237 +Bug-Debian: https://bugs.debian.org/762670 +Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/webkitgtk-2.4.1-ppc64_align.patch +Index: webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h +=================================================================== +--- webkitgtk.orig/Source/JavaScriptCore/heap/CopiedBlock.h ++++ webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h +@@ -81,7 +81,11 @@ public: + size_t size(); + size_t capacity(); + ++#if CPU(PPC64) ++ static const size_t blockSize = 64 * KB; ++#else + static const size_t blockSize = 32 * KB; ++#endif + + bool hasWorkList(); + CopyWorkList& workList(); +Index: webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp +=================================================================== +--- webkitgtk.orig/Source/JavaScriptCore/interpreter/JSStack.cpp ++++ webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp +@@ -49,7 +49,11 @@ JSStack::JSStack(VM& vm, size_t capacity + { + ASSERT(capacity && isPageAligned(capacity)); + ++#if CPU(PPC64) ++ m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), pageSize()), OSAllocator::JSVMStackPages); ++#else + m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), commitSize), OSAllocator::JSVMStackPages); ++#endif + updateStackLimit(highAddress()); + m_commitEnd = highAddress(); + +@@ -78,7 +82,11 @@ bool JSStack::growSlowCase(Register* new + // Compute the chunk size of additional memory to commit, and see if we + // have it is still within our budget. If not, we'll fail to grow and + // return false. 
++#if CPU(PPC64) ++ long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), pageSize()); ++#else + long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), commitSize); ++#endif + if (reinterpret_cast<char*>(m_commitEnd) - delta <= reinterpret_cast<char*>(m_useableEnd)) + return false; + +@@ -134,7 +142,11 @@ void JSStack::enableErrorStackReserve() + + void JSStack::disableErrorStackReserve() + { ++#if CPU(PPC64) ++ char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + pageSize(); ++#else + char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + commitSize; ++#endif + m_useableEnd = reinterpret_cast_ptr<Register*>(useableEnd); + + // By the time we get here, we are guaranteed to be destructing the last diff -Nru webkitgtk-2.4.7/debian/patches/protect-document.patch webkitgtk-2.4.7/debian/patches/protect-document.patch --- webkitgtk-2.4.7/debian/patches/protect-document.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/protect-document.patch 2014-12-08 12:26:31.000000000 +0000 
@@ -0,0 +1,15 @@ +From: David Kilzer <ddkil...@apple.com> +Subject: Protect Document in ProcessingInstruction::setXSLStyleSheet() +Origin: http://trac.webkit.org/changeset/176014 +Index: webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/dom/ProcessingInstruction.cpp ++++ webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp +@@ -215,6 +215,7 @@ void ProcessingInstruction::setXSLStyleS + { + ASSERT(m_isXSL); + m_sheet = XSLStyleSheet::create(this, href, baseURL); ++ Ref<Document> protect(document()); + parseStyleSheet(sheet); + } + #endif diff -Nru webkitgtk-2.4.7/debian/patches/render-text-control.patch webkitgtk-2.4.7/debian/patches/render-text-control.patch --- webkitgtk-2.4.7/debian/patches/render-text-control.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/render-text-control.patch 2014-12-08 12:26:31.000000000 +0000 @@ -0,0 +1,16 @@ +From: Zalan Bujtas <za...@apple.com> +Subject: Check for NULL pointer in SearchInputType. +Origin: http://trac.webkit.org/changeset/175912 +Index: webkitgtk/Source/WebCore/html/SearchInputType.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/html/SearchInputType.cpp ++++ webkitgtk/Source/WebCore/html/SearchInputType.cpp +@@ -178,7 +178,7 @@ bool SearchInputType::searchEventsShould + + void SearchInputType::didSetValueByUserEdit(ValueChangeState state) + { +- if (m_cancelButton) ++ if (m_cancelButton && element().renderer()) + toRenderSearchField(element().renderer())->updateCancelButtonVisibility(); + + // If the incremental attribute is set, then dispatch the search event diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series --- webkitgtk-2.4.7/debian/patches/series 2014-11-11 10:44:21.000000000 +0000 +++ webkitgtk-2.4.7/debian/patches/series 2014-12-08 12:26:31.000000000 +0000 
@@ -13,3 +13,11 @@ fix-mips64-build.patch touch-event.patch flash-crash.patch +ppc64-align.patch +no-ssl-record-version.patch +protect-document.patch +render-text-control.patch +nullptr-frameprogresstracker.patch +nullptr-applystylecommand.patch +nullptr-accessibilitymenulistoption.patch +ax-focus-events.patch
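Review bot: the comment kept as context in both hunks of no-ssl-record-version.patch says "Keep this in sync with WebProcessMain.cpp", yet the patch touches Source/WebKit2/gtk/MainGtk.cpp and Source/WebKit2/unix/NetworkMainUnix.cpp and no file of that name. Confirm that every process which sets G_TLS_GNUTLS_PRIORITY now carries the same `NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0` string, and consider correcting the comment to name the actual file so the next sync does not miss one. The trailing `0` to setenv() is right here: it leaves a priority string already set by the user untouched, as the surrounding comment states.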
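Review bot: the new `if (!object->isCollapsed())` guard in the first AXObjectCacheAtk.cpp hunk of ax-focus-events.patch dereferences `object`, which does not appear anywhere in the hunk's visible context (only `item` and `axItem` do). When backporting to 2.4.7, confirm that `object` is the parent AccessibilityObject of the selection-changed children (the combo box whose collapsed state matters) and not one of the child items; since both are AccessibilityObjects the wrong variable would compile and simply keep emitting focus-event on a collapsed widget.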
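Review bot: the Subject "Fix accessible focus events in non-focused combo boxes" does not describe the WebKitAccessibleWrapperAtk.cpp hunk of ax-focus-events.patch, which changes the role reported for a NULL or invalid wrapper from ATK_ROLE_UNKNOWN to ATK_ROLE_INVALID, nor the AccessibilityUIElementAtk.cpp hunk that drops the early return on a zero role (ATK_ROLE_INVALID is 0, so that check used to hide exactly this case and "AXRole: AXInvalid" is now emitted instead). Both are observable by assistive technology; one sentence in the patch header saying that the second Origin changeset (176178) is the role change would make the changelog entry easier to audit.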
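Review bot: the FrameLoader.cpp hunk in nullptr-frameprogresstracker.patch removes `ASSERT(!m_inProgress || m_frame.page())` and folds the page check into the condition, so a tracker destroyed while in progress with no page now skips progressCompleted() silently, and the patch header gives no reason why the page can already be gone at that point. A short comment above `if (m_inProgress && m_frame.page())` explaining the teardown order that makes this legitimate would keep a later reader from "restoring" the assertion.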
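Review bot: in the CopiedBlock.h hunk of ppc64-align.patch, `static const size_t blockSize = 64 * KB;` under `#if CPU(PPC64)` hard-codes the granule, whereas the three JSStack.cpp hunks of the same patch switch from `commitSize` to the runtime `pageSize()`; the header should state which PPC64 page size that constant assumes so the two approaches can be checked against each other. The JSStack.cpp hunks also repeat the full `roundUpAllocationSize(...)` and `reservationEnd() + ...` expressions in both `#if` branches; a single conditional that selects the granule once would replace the three near-identical blocks and make the next rebase less error-prone.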
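Review bot: the ProcessingInstruction.cpp hunk in protect-document.patch takes `Ref<Document> protect(document());` after `m_sheet = XSLStyleSheet::create(this, href, baseURL);` and immediately before `parseStyleSheet(sheet);`, so the protector covers the parse but not the create() call; if create() can run script or dispatch events, the ref should be taken first. The header also lacks a Bug: line although the changelog calls this a security fix; recording the https://codereview.chromium.org/579133004 reference in the patch header, as ppc64-align.patch does with its Bug:/Bug-Debian: lines, keeps the justification with the patch rather than only in debian/changelog.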