Bug#781954: unblock: qtwebkit-opensource-src/5.3.2+dfsg-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package qtwebkit-opensource-src
Hi RT! qtwebkit-opensource-src had two security fixes, one of them being RC.
The other one was an important one, and Moritz and I decided to wait for the
first stable update, but then the RC bug appeared and we in the Qt/KDE team
decided to pack them together.
I'm attaching the debdiff.
Kind regards, Lisandro.
unblock qtwebkit-opensource-src/5.3.2+dfsg-4
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -Nru qtwebkit-opensource-src-5.3.2+dfsg/debian/changelog qtwebkit-opensource-src-5.3.2+dfsg/debian/changelog
--- qtwebkit-opensource-src-5.3.2+dfsg/debian/changelog 2014-10-17 02:06:32.000000000 -0300
+++ qtwebkit-opensource-src-5.3.2+dfsg/debian/changelog 2015-04-01 14:44:31.000000000 -0300
@@ -1,3 +1,16 @@
+qtwebkit-opensource-src (5.3.2+dfsg-4) unstable; urgency=medium
+
+ [ Dmitry Shachnev ]
+ * Backport upstream fix that adds missing checks for HTMLUnknownElement.
+ Closes: #781194.
+
+ [ Felix Geyer ]
+ * Backport upstream fix that prevents recording visited URLs to its favicon
+ database while using private browsing mode.
+ Closes: #780748.
+
+ -- Felix Geyer <fgeyer@debian.org> Wed, 01 Apr 2015 19:44:29 +0200
+
qtwebkit-opensource-src (5.3.2+dfsg-3) unstable; urgency=medium
* Backport three patches to fix crashes:
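Review bot: the two entries describe what the backports do but not their security impact, which is what the release team triages an unblock on; consider stating in the changelog which of #781194 and #780748 is the RC bug and that the favicon change fixes a privacy leak of URLs visited in private browsing mode, as the unblock mail does. Minor wording: "prevents recording visited URLs to its favicon database while using private browsing mode" reads better as "prevents URLs visited in private browsing mode from being recorded in the favicon database".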
diff -Nru qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/check_html_unknown_elements.diff qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/check_html_unknown_elements.diff
--- qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/check_html_unknown_elements.diff 1969-12-31 21:00:00.000000000 -0300
+++ qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/check_html_unknown_elements.diff 2015-04-01 14:20:30.000000000 -0300
@@ -0,0 +1,81 @@
+Description: need to check if some HTML child elements are HTMLUnknownElement
+ Based on upstream fix http://trac.webkit.org/changeset/156953
+ .
+ The check for whether an element is an HTMLAudioElement or not was
+ incomplete. An element can have the 'audio' tag-name but still be
+ another element if media elements have been disabled. In this
+ case it will be an HTMLUnknownElement.
+Origin: upstream, http://code.qt.io/cgit/qt/qtwebkit.git/commit/?id=d84668b5124b2dd9
+Bug-Debian: https://bugs.debian.org/781194
+Last-Update: 2015-04-01
+
+--- a/Source/WebCore/dom/make_names.pl
++++ b/Source/WebCore/dom/make_names.pl
+@@ -390,6 +390,10 @@
+ my ($F, $tagName, $interfaceName, $constructorTagName) = @_;
+
+ # Handle media elements.
++ # Note that wrapperOnlyIfMediaIsAvailable is a misnomer, because media availability
++ # does not just control the wrapper; it controls the element object that is created.
++ # FIXME: Could we instead do this entirely in the wrapper, and use custom wrappers
++ # instead of having all the support for this here in this script?
+ if ($enabledTags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
+ print F <<END
+ Settings* settings = document->settings();
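Review bot: this hunk is comment-only and changes no generated code, so it is fine to carry for fidelity with upstream, but the functional part of the fix is the generated-wrapper change in the next hunk. The context line `Settings* settings = document->settings();` is the useful bit for review: the element constructor path already consults media availability at creation time, which is how an element with the `audio` tag name ends up being an HTMLUnknownElement in the first place, as the Description explains.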
+@@ -1042,14 +1046,11 @@
+ print F "#if ${conditionalString}\n\n";
+ }
+
+- # Hack for the media tags
+- # FIXME: This should have been done via a CustomWrapper attribute and a separate *Custom file.
+ if ($enabledTags{$tagName}{wrapperOnlyIfMediaIsAvailable}) {
+ print F <<END
+ static JSDOMWrapper* create${JSInterfaceName}Wrapper(ExecState* exec, JSDOMGlobalObject* globalObject, PassRefPtr<$parameters{namespace}Element> element)
+ {
+- Settings* settings = element->document()->settings();
+- if (!MediaPlayer::isAvailable() || (settings && !settings->mediaEnabled()))
++ if (element->isHTMLUnknownElement())
+ return CREATE_DOM_WRAPPER(exec, globalObject, $parameters{namespace}Element, element.get());
+ return CREATE_DOM_WRAPPER(exec, globalObject, ${JSInterfaceName}, element.get());
+ }
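Review bot: the logic change here is the right one: the generated create${JSInterfaceName}Wrapper now derives the JS wrapper class from the concrete C++ object (`element->isHTMLUnknownElement()`) instead of re-evaluating `MediaPlayer::isAvailable()` and `settings->mediaEnabled()` at wrapper-creation time. The old test could disagree with the decision taken when the element was constructed (for example if media support was toggled in between), handing an HTMLUnknownElement to the media element's wrapper class and producing the bad cast that the HTMLMediaElement.cpp comment later in this patch refers to. Dropping the "Hack for the media tags" FIXME is consistent, since the new FIXME in the previous hunk supersedes it.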
+--- a/Source/WebCore/html/HTMLAudioElement.h
++++ b/Source/WebCore/html/HTMLAudioElement.h
+@@ -43,14 +43,19 @@
+ HTMLAudioElement(const QualifiedName&, Document*, bool);
+ };
+
+-inline bool isHTMLAudioElement(Node* node)
++inline bool isHTMLAudioElement(HTMLElement* element)
+ {
+- return node->hasTagName(HTMLNames::audioTag);
++ return !element->isHTMLUnknownElement() && element->hasTagName(HTMLNames::audioTag);
+ }
+
+ inline bool isHTMLAudioElement(Element* element)
+ {
+- return element->hasTagName(HTMLNames::audioTag);
++ return element->isHTMLElement() && isHTMLAudioElement(toHTMLElement(element));
++}
++
++inline bool isHTMLAudioElement(Node* node)
++{
++ return node->isHTMLElement() && isHTMLAudioElement(toHTMLElement(node));
+ }
+
+ inline HTMLAudioElement* toHTMLAudioElement(Node* node)
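Review bot: the three overloads are consistent and the ordering works, because the Element* and Node* versions forward to the HTMLElement* one declared first, and the added `isHTMLElement()` guard is what makes the `toHTMLElement()` cast safe. Two things to confirm: the Description speaks of "some HTML child elements" in the plural but only isHTMLAudioElement is hardened here, so if the video tag is created under the same wrapperOnlyIfMediaIsAvailable rule, check whether the upstream changeset carries an equivalent change that the backport still needs; and check that `toHTMLAudioElement(Node*)` (context line below) relies on the new predicate rather than on `hasTagName` directly, otherwise the cast there stays unprotected.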
+--- a/Source/WebCore/html/HTMLMediaElement.cpp
++++ b/Source/WebCore/html/HTMLMediaElement.cpp
+@@ -2379,6 +2379,13 @@
+
+ bool HTMLMediaElement::paused() const
+ {
++ // As of this writing, JavaScript garbage collection calls this function directly. In the past
++ // we had problems where this was called on an object after a bad cast. The assertion below
++ // made our regression test detect the problem, so we should keep it because of that. But note
++ // that the value of the assertion relies on the compiler not being smart enough to know that
++ // isHTMLUnknownElement is guaranteed to return false for an HTMLMediaElement.
++ ASSERT(!isHTMLUnknownElement());
++
+ return m_paused;
+ }
+
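Review bot: `ASSERT(!isHTMLUnknownElement())` is compiled out in release builds, so this hunk adds no runtime protection in the Debian binaries; what actually prevents the bad cast is the wrapper change in make_names.pl together with the stricter isHTMLAudioElement. That is fine, and the comment says as much (the assertion exists so the regression test fails in debug builds), but the unblock rationale should rest on the other hunks. The comment's own caveat is worth keeping in mind: the assertion only does anything while the compiler cannot prove isHTMLUnknownElement() false for an HTMLMediaElement, so a later optimisation could silently turn it into a no-op.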
diff -Nru qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/series qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/series
--- qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/series 2014-10-14 15:52:18.000000000 -0300
+++ qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/series 2015-04-01 14:42:57.000000000 -0300
@@ -3,6 +3,7 @@
fix_cloop_on_big_endian_machines.patch
fix_crash_when_a_network_request_is_aborted_while_forwarding_data.patch
blacklist_libkpartsplugin.patch
+webpageicons_db_privacy.patch
# debian patches
reduce_memory_usage.patch
@@ -11,3 +12,4 @@
hurd.diff
webkit_qt_hide_symbols.diff
fix_nonlinux_glibc_linkage.diff
+check_html_unknown_elements.diff
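Review bot: check_html_unknown_elements.diff is labelled `Origin: upstream` in its DEP-3 header but is appended under the `# debian patches` section of series, while webpageicons_db_privacy.patch (also an upstream backport) is placed in the upstream section in the previous hunk; consider moving check_html_unknown_elements.diff up next to it so the series ordering matches the patch headers.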
diff -Nru qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/webpageicons_db_privacy.patch qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/webpageicons_db_privacy.patch
--- qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/webpageicons_db_privacy.patch 1969-12-31 21:00:00.000000000 -0300
+++ qtwebkit-opensource-src-5.3.2+dfsg/debian/patches/webpageicons_db_privacy.patch 2015-04-01 14:41:23.000000000 -0300
@@ -0,0 +1,47 @@
+From 2810aea1f6c9cca48b93130a7c245f9a2f85637e Mon Sep 17 00:00:00 2001
+From: Florian Bruhin <git@the-compiler.org>
+Date: Wed, 18 Mar 2015 18:47:19 +0100
+Subject: Fix URLs visited during private browsing showing up in
+ WebpageIcons.db.
+
+Ported from http://trac.webkit.org/changeset/181565 by beidson@apple.com.
+
+Upstream patch by Sam Weinig, reviewed by Brady Eidson.
+
+* loader/icon/IconController.cpp:
+
+(WebCore::IconController::startLoader): Bail early here if the page is using an ephemeral session.
+(WebCore::IconController::continueLoadWithDecision): Instead of here.
+
+Change-Id: I263bb6122606caa3488d641b127dd377012ee424
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
+---
+ Source/WebCore/loader/icon/IconController.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Source/WebCore/loader/icon/IconController.cpp b/Source/WebCore/loader/icon/IconController.cpp
+index 8f23f6d..a808352 100644
+--- a/Source/WebCore/loader/icon/IconController.cpp
++++ b/Source/WebCore/loader/icon/IconController.cpp
+@@ -159,6 +159,10 @@ void IconController::startLoader()
+ }
+
+ if (iconDatabase().supportsAsynchronousMode()) {
++ // FIXME (<rdar://problem/9168605>) - We should support in-memory-only private browsing icons in asynchronous icon database mode.
++ if (iconDatabase().supportsAsynchronousMode() && m_frame->page()->settings()->privateBrowsingEnabled())
++ return;
++
+ m_frame->loader()->documentLoader()->getIconLoadDecisionForIconURL(urlString);
+ // Commit the icon url mapping to the database just in case we don't end up loading later.
+ commitToDatabase(iconURL);
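Review bot: the move is the right fix: the private-browsing check now runs before `getIconLoadDecisionForIconURL(urlString)` and `commitToDatabase(iconURL)`, whereas previously the icon URL mapping had already been committed to the database by the time continueLoadWithDecision() bailed out, which is exactly the leak the Subject describes. Two small points: the inner `iconDatabase().supportsAsynchronousMode()` in the new condition is redundant because the enclosing `if` already established it (harmless, and keeping the line identical to the removed one keeps the backport minimal, so fine to leave); and the patch carries only the git format-patch header, so please add `Bug-Debian: https://bugs.debian.org/780748` and an `Origin:` line pointing at the commit named in the From line, as done in check_html_unknown_elements.diff.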
+@@ -202,10 +206,6 @@ void IconController::continueLoadWithDecision(IconLoadDecision iconLoadDecision)
+ {
+ ASSERT(iconLoadDecision != IconLoadUnknown);
+
+- // FIXME (<rdar://problem/9168605>) - We should support in-memory-only private browsing icons in asynchronous icon database mode.
+- if (iconDatabase().supportsAsynchronousMode() && m_frame->page()->settings()->privateBrowsingEnabled())
+- return;
+-
+ if (iconLoadDecision == IconLoadNo) {
+ KURL iconURL(url());
+ String urlString(iconURL.string());
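Review bot: this is the matching removal; because the deleted check was itself conditioned on `supportsAsynchronousMode()`, callers reaching continueLoadWithDecision() in synchronous icon database mode lose nothing, and in asynchronous mode the decision callback is only reached through the now-guarded startLoader(). Note that continueLoadWithDecision() consequently depends on its callers having filtered private sessions, so any future entry point into it would need its own check.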