
Bug#772559: unblock: webkitgtk/2.4.7-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package webkitgtk

This release contains several fixes cherry picked from the upstream
stable branches. All of them solve either crashes or other important
bugs:

* debian/patches/ppc64-align.patch:

  This fixes a crash on ppc64 that happens because the address passed
  to mprotect() is not aligned to the page size.

  http://bugs.debian.org/762670
  https://bugs.webkit.org/show_bug.cgi?id=130237
  https://bugzilla.redhat.com/show_bug.cgi?id=1074093
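The alignment rule behind this crash, as an added C example that is not code from the webkitgtk patches (the helper names round_up, page_floor and demo_alignment are illustrative): mprotect() rejects a start address that is not a multiple of the runtime page size with EINVAL, so sizes and addresses must be rounded to sysconf(_SC_PAGESIZE) rather than to a compile-time constant that happens to match one platform.

```c
/* Added example, not part of the webkitgtk patches: shows that mprotect()
 * needs a page-aligned start address, and how to round to the page size
 * the running kernel actually uses. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Round n up to a multiple of align (align must be a power of two). */
static size_t round_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Round an address down to the start of the page that contains it. */
static uintptr_t page_floor(uintptr_t addr, size_t page)
{
    return addr & ~((uintptr_t)page - 1);
}

/* Change protections on [addr, addr+len); returns 0 on success, else errno. */
static int try_mprotect(void *addr, size_t len, int prot)
{
    return mprotect(addr, len, prot) == 0 ? 0 : errno;
}

/* Returns 1 when the unaligned call fails with EINVAL and the page-aligned
 * call succeeds, 0 if the kernel behaved otherwise, -1 if mmap failed. */
int demo_alignment(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    /* A request sized for 4 KiB pages; rounding to the real page size keeps
     * it valid on a platform with larger pages. */
    size_t len = round_up(3 * 4096 + 1, page);
    char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;

    /* mmap() returns a page-aligned address, so region + 16 is unaligned. */
    int unaligned = try_mprotect(region + 16, page, PROT_READ);

    /* Rounding the same address down to its page makes the call valid. */
    uintptr_t start = page_floor((uintptr_t)(region + 16), page);
    int aligned = try_mprotect((void *)start, page, PROT_READ);

    munmap(region, len);
    return (unaligned == EINVAL && aligned == 0) ? 1 : 0;
}

int main(void)
{
    printf("page size: %ld\n", sysconf(_SC_PAGESIZE));
    printf("alignment check: %d\n", demo_alignment());
    return 0;
}
```

The same rounding is what the ppc64 patch below does by switching from a fixed commit size to pageSize(); the point of the example is that the alignment has to come from the runtime page size, not from an assumed 4 KiB.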

* debian/patches/no-ssl-record-version.patch:

  This fixes a problem where, following the POODLE vulnerability, many
  web sites incorrectly ban SSL 3.0 record packet versions used to
  advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS
  version record instead of using the default SSL 3.0.

  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:

  These other four patches fix several NULL pointer crashes in
  different parts of the code. Here are the upstream bug reports:

  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/protect-document.patch:

  This fixes a crash that happens while applying XSLTransform. This is
  marked upstream as a security fix so the details are private.

* debian/patches/ax-focus-events.patch:

  Two related accessibility fixes, preventing crashes for both users
  and non-users of assistive technology.

  https://bugs.webkit.org/show_bug.cgi?id=137866
  https://bugs.webkit.org/show_bug.cgi?id=137867

unblock webkitgtk/2.4.7-3

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog
--- webkitgtk-2.4.7/debian/changelog	2014-11-11 10:44:21.000000000 +0000
+++ webkitgtk-2.4.7/debian/changelog	2014-12-08 12:26:31.000000000 +0000
@@ -1,3 +1,25 @@
+webkitgtk (2.4.7-3) unstable; urgency=medium
+
+  * debian/patches/ppc64-align.patch:
+    + Fix crash in ppc64el (Closes: #762670).
+  * debian/patches/no-ssl-record-version.patch:
+    + Don't use a SSL3.0 record version in client hello.
+  * debian/patches/protect-document.patch:
+    + Protect Document in ProcessingInstruction::setXSLStyleSheet(). This
+      is a security fix, see https://codereview.chromium.org/579133004.
+  * debian/patches/nullptr-accessibilitymenulistoption.patch:
+    + Check for NULL pointers in AccessibilityMenuListOption.
+  * debian/patches/nullptr-applystylecommand.patch:
+    + Check for NULL pointer in ApplyStyleCommand.
+  * debian/patches/nullptr-frameprogresstracker.patch:
+    + Check for NULL pointer in FrameProgressTracker.
+  * debian/patches/render-text-control.patch:
+    + Check for NULL pointer in SearchInputType.
+  * debian/patches/ax-focus-events.patch:
+    + Fix accessible focus events in non-focused combo boxes.
+
+ -- Alberto Garcia <berto@igalia.com>  Mon, 08 Dec 2014 13:26:23 +0100
+
 webkitgtk (2.4.7-2) unstable; urgency=medium
 
   * debian/patches/touch-event.patch:
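Review bot: the ppc64-align.patch entry says "Fix crash in ppc64el" while the cover text describes the crash as ppc64 and the patch itself keys on CPU(PPC64); name the architecture consistently (ppc64/ppc64el) so the changelog matches what the patch actually covers.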
diff -Nru webkitgtk-2.4.7/debian/patches/ax-focus-events.patch webkitgtk-2.4.7/debian/patches/ax-focus-events.patch
--- webkitgtk-2.4.7/debian/patches/ax-focus-events.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/ax-focus-events.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,78 @@
+From: Joanmarie Diggs <jdiggs@igalia.com>
+Subject: Fix accessible focus events in non-focused combo boxes
+Origin: http://trac.webkit.org/changeset/176177, http://trac.webkit.org/changeset/176178
+Index: webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
++++ webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
+@@ -170,8 +170,12 @@ static void notifyChildrenSelectionChang
+     if (axItem) {
+         bool isSelected = item->isSelected();
+         atk_object_notify_state_change(axItem, ATK_STATE_SELECTED, isSelected);
+-        g_signal_emit_by_name(axItem, "focus-event", isSelected);
+-        atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected);
++        // When the selection changes in a collapsed widget such as a combo box
++        // whose child menu is not showing, that collapsed widget retains focus.
++        if (!object->isCollapsed()) {
++            g_signal_emit_by_name(axItem, "focus-event", isSelected);
++            atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected);
++        }
+     }
+ 
+     // Update pointers to the previously involved objects.
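Review bot: `object` in the new `if (!object->isCollapsed())` guard is not declared in the visible context of notifyChildrenSelectionChang… and, unlike `axItem`, is not null-checked; confirm it is the parent AccessibilityObject the function receives and cannot be null at this point, or test it the same way `axItem` is tested above.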
+@@ -194,7 +198,8 @@ void AXObjectCache::postPlatformNotifica
+ 
+     case AXSelectedChildrenChanged:
+     case AXMenuListValueChanged:
+-        if (notification == AXMenuListValueChanged && coreObject->isMenuList()) {
++        // Accessible focus claims should not be made if the associated widget is not focused.
++        if (notification == AXMenuListValueChanged && coreObject->isMenuList() && coreObject->isFocused()) {
+             g_signal_emit_by_name(axObject, "focus-event", true);
+             atk_object_notify_state_change(axObject, ATK_STATE_FOCUSED, true);
+         }
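Review bot: the added `coreObject->isFocused()` condition only applies to the AXMenuListValueChanged branch, while AXSelectedChildrenChanged shares the same case label and gets no focus check; the new comment should say that the restriction to focused menu lists is intentional so the asymmetry is not read as an oversight.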
+Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
++++ webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
+@@ -747,13 +747,15 @@ static AtkRole atkRole(AccessibilityObje
+ 
+ static AtkRole webkitAccessibleGetRole(AtkObject* object)
+ {
+-    g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_UNKNOWN);
+-    returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_UNKNOWN);
++    // ATK_ROLE_UNKNOWN should only be applied in cases where there is a valid
++    // WebCore accessible object for which the platform role mapping is unknown.
++    g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_INVALID);
++    returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_INVALID);
+ 
+     AccessibilityObject* coreObject = core(object);
+ 
+     if (!coreObject)
+-        return ATK_ROLE_UNKNOWN;
++        return ATK_ROLE_INVALID;
+ 
+     // Note: Why doesn't WebCore have a password field for this
+     if (coreObject->isPasswordField())
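Review bot: changing the failure value of webkitAccessibleGetRole() from ATK_ROLE_UNKNOWN to ATK_ROLE_INVALID alters the role observed for wrappers with no core object, so any caller that compares against ATK_ROLE_UNKNOWN to detect that case needs updating; the new comment explains the distinction (UNKNOWN reserved for a valid core object without a platform mapping), and it would help to repeat it in the function's documentation.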
+Index: webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
+===================================================================
+--- webkitgtk.orig/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
++++ webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
+@@ -335,6 +335,8 @@ const gchar* roleToString(AtkObject* obj
+         return "AXImage";
+     case ATK_ROLE_IMAGE_MAP:
+         return "AXImageMap";
++    case ATK_ROLE_INVALID:
++        return "AXInvalid";
+     case ATK_ROLE_LABEL:
+         return "AXLabel";
+     case ATK_ROLE_LINK:
+@@ -884,9 +886,6 @@ JSRetainPtr<JSStringRef> AccessibilityUI
+     if (!ATK_IS_OBJECT(m_element.get()))
+         return JSStringCreateWithCharacters(0, 0);
+ 
+-    if (!atk_object_get_role(ATK_OBJECT(m_element.get())))
+-        return JSStringCreateWithCharacters(0, 0);
+-
+     GUniquePtr<char> roleStringWithPrefix(g_strdup_printf("AXRole: %s", roleToString(ATK_OBJECT(m_element.get()))));
+     return JSStringCreateWithUTF8CString(roleStringWithPrefix.get());
+ }
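Review bot: the removed `if (!atk_object_get_role(...))` early return treated a zero role as failure, and ATK_ROLE_INVALID is the zero-valued ATK role, so keeping it would have made this function return an empty string for exactly the case the new "AXInvalid" mapping above reports; a one-line comment at this site would tie the removal to the role change in AXObjectCacheAtk.cpp for the next reader.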
diff -Nru webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch
--- webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,29 @@
+From: Carlos Alberto Lopez Perez <clopez@igalia.com>
+Subject: Don't use a SSL3.0 record version in client hello
+Origin: http://trac.webkit.org/changeset/176253
+Index: webkitgtk/Source/WebKit2/gtk/MainGtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/gtk/MainGtk.cpp
++++ webkitgtk/Source/WebKit2/gtk/MainGtk.cpp
+@@ -38,7 +38,7 @@ int main(int argc, char** argv)
+     // overwrite this priority string if it's already set by the user.
+     // Keep this in sync with WebProcessMain.cpp.
+     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
+-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+ 
+     return WebKit::WebProcessMainGtk(argc, argv);
+ }
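Review bot: the comment directly above the changed line says "Keep this in sync with WebProcessMain.cpp", but this patch only touches MainGtk.cpp and NetworkMainUnix.cpp; confirm whether WebProcessMain.cpp also sets G_TLS_GNUTLS_PRIORITY and needs the same %LATEST_RECORD_VERSION addition, or correct the comment if that file no longer sets it.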
+Index: webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/unix/NetworkMainUnix.cpp
++++ webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp
+@@ -42,7 +42,7 @@ int main(int argc, char** argv)
+     // overwrite this priority string if it's already set by the user.
+     // Keep this in sync with WebProcessMain.cpp.
+     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
+-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+ 
+     return WebKit::NetworkProcessMain(argc, argv);
+ }
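Review bot: setenv() is called with overwrite=0, so a user who exported G_TLS_GNUTLS_PRIORITY themselves (for instance to apply the earlier !VERS-SSL3.0 string by hand) keeps their own value and does not pick up %LATEST_RECORD_VERSION; a sentence in the changelog or NEWS noting that such overrides should be dropped or updated would save those users from still failing on the sites this fix targets.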
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,21 @@
+From: Joanmarie Diggs <jdiggs@igalia.com>
+Subject: Check for NULL pointers in AccessibilityMenuListOption
+Origin: http://trac.webkit.org/changeset/176389
+Index: webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
++++ webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
+@@ -104,9 +104,13 @@ bool AccessibilityMenuListOption::comput
+ LayoutRect AccessibilityMenuListOption::elementRect() const
+ {
+     AccessibilityObject* parent = parentObject();
++    if (!parent)
++        return boundingBoxRect();
+     ASSERT(parent->isMenuListPopup());
+ 
+     AccessibilityObject* grandparent = parent->parentObject();
++    if (!grandparent)
++        return boundingBoxRect();
+     ASSERT(grandparent->isMenuList());
+ 
+     return grandparent->elementRect();
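Review bot: the two new early returns fall back to boundingBoxRect() whenever a parent or grandparent is missing, while the ASSERTs that follow still state that a present parent is a menu-list popup and a present grandparent a menu list; a short comment on when elementRect() can legitimately be reached with a detached option would explain why returning the option's own box is the right geometry rather than a symptom of a stale accessibility object.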
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,17 @@
+From: Csaba Osztrogonác <ossy@webkit.org>
+Subject: Check for NULL pointer in ApplyStyleCommand
+Origin: http://trac.webkit.org/changeset/176182
+Index: webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/editing/ApplyStyleCommand.cpp
++++ webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp
+@@ -267,6 +267,9 @@ void ApplyStyleCommand::applyBlockStyle(
+ #else
+     Node* scope = highestEditableRoot(visibleStart.deepEquivalent());
+ #endif
++    if (!scope)
++        return;
++
+     RefPtr<Range> startRange = Range::create(document(), firstPositionInNode(scope), visibleStart.deepEquivalent().parentAnchoredEquivalent());
+     RefPtr<Range> endRange = Range::create(document(), firstPositionInNode(scope), visibleEnd.deepEquivalent().parentAnchoredEquivalent());
+     int startIndex = TextIterator::rangeLength(startRange.get(), true);
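Review bot: the new `if (!scope) return;` is placed after the #endif, so it covers both branches of the #if that computes `scope`, which is the right spot; since it silently skips applying the block style, a comment stating that highestEditableRoot() can return null for this position (and that dropping the style is the intended outcome) would document the behaviour callers now get.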
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,17 @@
+From: Jeffrey Pfau <jpfau@apple.com>
+Subject: Check for NULL pointer in FrameProgressTracker
+Origin: http://trac.webkit.org/changeset/175919
+Index: webkitgtk/Source/WebCore/loader/FrameLoader.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/loader/FrameLoader.cpp
++++ webkitgtk/Source/WebCore/loader/FrameLoader.cpp
+@@ -195,8 +195,7 @@ public:
+ 
+     ~FrameProgressTracker()
+     {
+-        ASSERT(!m_inProgress || m_frame.page());
+-        if (m_inProgress)
++        if (m_inProgress && m_frame.page())
+             m_frame.page()->progress().progressCompleted(m_frame);
+     }
+ 
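Review bot: the removed ASSERT encoded the invariant that an in-progress frame still has a page when the tracker is destroyed, and the new condition tolerates its violation silently in both debug and release builds; if the page can genuinely be gone here, say so in a comment, otherwise keep an ASSERT next to the null check so debug builds still surface the state that led to the crash.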
diff -Nru webkitgtk-2.4.7/debian/patches/ppc64-align.patch webkitgtk-2.4.7/debian/patches/ppc64-align.patch
--- webkitgtk-2.4.7/debian/patches/ppc64-align.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/ppc64-align.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,61 @@
+From: Michel Normand <normand@linux.vnet.ibm.com>
+Subject: Fix crash in ppc64el
+Bug: https://bugs.webkit.org/show_bug.cgi?id=130237
+Bug-Debian: https://bugs.debian.org/762670
+Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/webkitgtk-2.4.1-ppc64_align.patch
+Index: webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/heap/CopiedBlock.h
++++ webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h
+@@ -81,7 +81,11 @@ public:
+     size_t size();
+     size_t capacity();
+ 
++#if CPU(PPC64)
++    static const size_t blockSize = 64 * KB;
++#else
+     static const size_t blockSize = 32 * KB;
++#endif
+ 
+     bool hasWorkList();
+     CopyWorkList& workList();
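Review bot: `blockSize` becomes a compile-time 64 * KB under CPU(PPC64), whereas the JSStack.cpp hunks in this same patch switch to the runtime pageSize(); if the goal is page alignment, derive both from the same source, or at least add a comment (and an assertion where blocks are allocated) stating the page size this constant assumes, so a build whose page size differs fails loudly instead of crashing later in mprotect().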
+Index: webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/interpreter/JSStack.cpp
++++ webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp
+@@ -49,7 +49,11 @@ JSStack::JSStack(VM& vm, size_t capacity
+ {
+     ASSERT(capacity && isPageAligned(capacity));
+ 
++#if CPU(PPC64)
++    m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), pageSize()), OSAllocator::JSVMStackPages);
++#else
+     m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), commitSize), OSAllocator::JSVMStackPages);
++#endif
+     updateStackLimit(highAddress());
+     m_commitEnd = highAddress();
+ 
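Review bot: this is the first of three identical `#if CPU(PPC64) ... pageSize() ... #else ... commitSize ... #endif` substitutions in JSStack.cpp; a smaller and less error-prone fix is a single definition of the commit granularity near the top of the file (commitSize taken as pageSize() on PPC64, or rounded up to it), leaving the three call sites unchanged and the ifdef in one place.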
+@@ -78,7 +82,11 @@ bool JSStack::growSlowCase(Register* new
+     // Compute the chunk size of additional memory to commit, and see if we
+     // have it is still within our budget. If not, we'll fail to grow and
+     // return false.
++#if CPU(PPC64)
++    long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), pageSize());
++#else
+     long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), commitSize);
++#endif
+     if (reinterpret_cast<char*>(m_commitEnd) - delta <= reinterpret_cast<char*>(m_useableEnd))
+         return false;
+ 
+@@ -134,7 +142,11 @@ void JSStack::enableErrorStackReserve()
+ 
+ void JSStack::disableErrorStackReserve()
+ {
++#if CPU(PPC64)
++    char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + pageSize();
++#else
+     char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + commitSize;
++#endif
+     m_useableEnd = reinterpret_cast_ptr<Register*>(useableEnd);
+ 
+     // By the time we get here, we are guaranteed to be destructing the last
diff -Nru webkitgtk-2.4.7/debian/patches/protect-document.patch webkitgtk-2.4.7/debian/patches/protect-document.patch
--- webkitgtk-2.4.7/debian/patches/protect-document.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/protect-document.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,15 @@
+From: David Kilzer <ddkilzer@apple.com>
+Subject: Protect Document in ProcessingInstruction::setXSLStyleSheet()
+Origin: http://trac.webkit.org/changeset/176014
+Index: webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/dom/ProcessingInstruction.cpp
++++ webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp
+@@ -215,6 +215,7 @@ void ProcessingInstruction::setXSLStyleS
+ {
+     ASSERT(m_isXSL);
+     m_sheet = XSLStyleSheet::create(this, href, baseURL);
++    Ref<Document> protect(document());
+     parseStyleSheet(sheet);
+ }
+ #endif
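Review bot: the Ref<Document> protector is taken after `m_sheet = XSLStyleSheet::create(this, href, baseURL)` and only guards parseStyleSheet(sheet); if the Document must stay alive across the whole operation, move the protector to the first line of the function so the create() call is covered as well. Also `sheet`, the argument to parseStyleSheet(), is not declared in the visible context; confirm it is the function's parameter rather than a stale name for m_sheet.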
diff -Nru webkitgtk-2.4.7/debian/patches/render-text-control.patch webkitgtk-2.4.7/debian/patches/render-text-control.patch
--- webkitgtk-2.4.7/debian/patches/render-text-control.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/render-text-control.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,16 @@
+From: Zalan Bujtas <zalan@apple.com>
+Subject: Check for NULL pointer in SearchInputType.
+Origin: http://trac.webkit.org/changeset/175912
+Index: webkitgtk/Source/WebCore/html/SearchInputType.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/html/SearchInputType.cpp
++++ webkitgtk/Source/WebCore/html/SearchInputType.cpp
+@@ -178,7 +178,7 @@ bool SearchInputType::searchEventsShould
+ 
+ void SearchInputType::didSetValueByUserEdit(ValueChangeState state)
+ {
+-    if (m_cancelButton)
++    if (m_cancelButton && element().renderer())
+         toRenderSearchField(element().renderer())->updateCancelButtonVisibility();
+ 
+     // If the incremental attribute is set, then dispatch the search event
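Review bot: `element().renderer()` is now evaluated twice on consecutive lines, once in the null check and once in the use; cache it in a local (`auto* renderer = element().renderer();` then `if (m_cancelButton && renderer) toRenderSearchField(renderer)->updateCancelButtonVisibility();`) so the check and the dereference cannot diverge.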
diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series
--- webkitgtk-2.4.7/debian/patches/series	2014-11-11 10:44:21.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/series	2014-12-08 12:26:31.000000000 +0000
@@ -13,3 +13,11 @@
 fix-mips64-build.patch
 touch-event.patch
 flash-crash.patch
+ppc64-align.patch
+no-ssl-record-version.patch
+protect-document.patch
+render-text-control.patch
+nullptr-frameprogresstracker.patch
+nullptr-applystylecommand.patch
+nullptr-accessibilitymenulistoption.patch
+ax-focus-events.patch
