
Bug#772559: marked as done (unblock: webkitgtk/2.4.7-3)



Your message dated Tue, 9 Dec 2014 20:25:36 +0100
with message-id <20141209192536.GF5900@ugent.be>
and subject line Re: Bug#772559: unblock: webkitgtk/2.4.7-3
has caused the Debian Bug report #772559,
regarding unblock: webkitgtk/2.4.7-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772559: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772559
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package webkitgtk

This release contains several fixes cherry-picked from the upstream
stable branches. All of them solve either crashes or other important
bugs:

* debian/patches/ppc64-align.patch:

  This fixes a crash on ppc64 that happens because the address passed
  to mprotect() is not aligned to the page size.

  http://bugs.debian.org/762670
  https://bugs.webkit.org/show_bug.cgi?id=130237
  https://bugzilla.redhat.com/show_bug.cgi?id=1074093

* debian/patches/no-ssl-record-version.patch:

  This fixes a problem where, following the POODLE vulnerability, many
  web sites incorrectly ban SSL 3.0 record packet versions used to
  advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS
  version record instead of using the default SSL 3.0.

  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:

  These other four patches fix several NULL pointer crashes in
  different parts of the code. Here are the upstream bug reports:

  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/protect-document.patch:

  This fixes a crash that happens while applying XSLTransform. This is
  marked upstream as a security fix so the details are private.

* debian/patches/ax-focus-events.patch:

  Two related accessibility fixes, preventing crashes for both users
  and non-users of assistive technology.

  https://bugs.webkit.org/show_bug.cgi?id=137866
  https://bugs.webkit.org/show_bug.cgi?id=137867

unblock webkitgtk/2.4.7-3

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog
--- webkitgtk-2.4.7/debian/changelog	2014-11-11 10:44:21.000000000 +0000
+++ webkitgtk-2.4.7/debian/changelog	2014-12-08 12:26:31.000000000 +0000
@@ -1,3 +1,25 @@
+webkitgtk (2.4.7-3) unstable; urgency=medium
+
+  * debian/patches/ppc64-align.patch:
+    + Fix crash in ppc64el (Closes: #762670).
+  * debian/patches/no-ssl-record-version.patch:
+    + Don't use a SSL3.0 record version in client hello.
+  * debian/patches/protect-document.patch:
+    + Protect Document in ProcessingInstruction::setXSLStyleSheet(). This
+      is a security fix, see https://codereview.chromium.org/579133004.
+  * debian/patches/nullptr-accessibilitymenulistoption.patch:
+    + Check for NULL pointers in AccessibilityMenuListOption.
+  * debian/patches/nullptr-applystylecommand.patch:
+    + Check for NULL pointer in ApplyStyleCommand.
+  * debian/patches/nullptr-frameprogresstracker.patch:
+    + Check for NULL pointer in FrameProgressTracker.
+  * debian/patches/render-text-control.patch:
+    + Check for NULL pointer in SearchInputType.
+  * debian/patches/ax-focus-events.patch:
+    + Fix accessible focus events in non-focused combo boxes.
+
+ -- Alberto Garcia <berto@igalia.com>  Mon, 08 Dec 2014 13:26:23 +0100
+
 webkitgtk (2.4.7-2) unstable; urgency=medium
 
   * debian/patches/touch-event.patch:
diff -Nru webkitgtk-2.4.7/debian/patches/ax-focus-events.patch webkitgtk-2.4.7/debian/patches/ax-focus-events.patch
--- webkitgtk-2.4.7/debian/patches/ax-focus-events.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/ax-focus-events.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,78 @@
+From: Joanmarie Diggs <jdiggs@igalia.com>
+Subject: Fix accessible focus events in non-focused combo boxes
+Origin: http://trac.webkit.org/changeset/176177, http://trac.webkit.org/changeset/176178
+Index: webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
++++ webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp
+@@ -170,8 +170,12 @@ static void notifyChildrenSelectionChang
+     if (axItem) {
+         bool isSelected = item->isSelected();
+         atk_object_notify_state_change(axItem, ATK_STATE_SELECTED, isSelected);
+-        g_signal_emit_by_name(axItem, "focus-event", isSelected);
+-        atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected);
++        // When the selection changes in a collapsed widget such as a combo box
++        // whose child menu is not showing, that collapsed widget retains focus.
++        if (!object->isCollapsed()) {
++            g_signal_emit_by_name(axItem, "focus-event", isSelected);
++            atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected);
++        }
+     }
+ 
+     // Update pointers to the previously involved objects.
+@@ -194,7 +198,8 @@ void AXObjectCache::postPlatformNotifica
+ 
+     case AXSelectedChildrenChanged:
+     case AXMenuListValueChanged:
+-        if (notification == AXMenuListValueChanged && coreObject->isMenuList()) {
++        // Accessible focus claims should not be made if the associated widget is not focused.
++        if (notification == AXMenuListValueChanged && coreObject->isMenuList() && coreObject->isFocused()) {
+             g_signal_emit_by_name(axObject, "focus-event", true);
+             atk_object_notify_state_change(axObject, ATK_STATE_FOCUSED, true);
+         }
+Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
++++ webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp
+@@ -747,13 +747,15 @@ static AtkRole atkRole(AccessibilityObje
+ 
+ static AtkRole webkitAccessibleGetRole(AtkObject* object)
+ {
+-    g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_UNKNOWN);
+-    returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_UNKNOWN);
++    // ATK_ROLE_UNKNOWN should only be applied in cases where there is a valid
++    // WebCore accessible object for which the platform role mapping is unknown.
++    g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_INVALID);
++    returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_INVALID);
+ 
+     AccessibilityObject* coreObject = core(object);
+ 
+     if (!coreObject)
+-        return ATK_ROLE_UNKNOWN;
++        return ATK_ROLE_INVALID;
+ 
+     // Note: Why doesn't WebCore have a password field for this
+     if (coreObject->isPasswordField())
+Index: webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
+===================================================================
+--- webkitgtk.orig/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
++++ webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp
+@@ -335,6 +335,8 @@ const gchar* roleToString(AtkObject* obj
+         return "AXImage";
+     case ATK_ROLE_IMAGE_MAP:
+         return "AXImageMap";
++    case ATK_ROLE_INVALID:
++        return "AXInvalid";
+     case ATK_ROLE_LABEL:
+         return "AXLabel";
+     case ATK_ROLE_LINK:
+@@ -884,9 +886,6 @@ JSRetainPtr<JSStringRef> AccessibilityUI
+     if (!ATK_IS_OBJECT(m_element.get()))
+         return JSStringCreateWithCharacters(0, 0);
+ 
+-    if (!atk_object_get_role(ATK_OBJECT(m_element.get())))
+-        return JSStringCreateWithCharacters(0, 0);
+-
+     GUniquePtr<char> roleStringWithPrefix(g_strdup_printf("AXRole: %s", roleToString(ATK_OBJECT(m_element.get()))));
+     return JSStringCreateWithUTF8CString(roleStringWithPrefix.get());
+ }
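Review bot: the AccessibilityUIElementAtk.cpp part of this hunk changes observable output, not just crash behaviour: the removed `if (!atk_object_get_role(...)) return JSStringCreateWithCharacters(0, 0);` guard used to hide invalid wrappers, while the new `case ATK_ROLE_INVALID: return "AXInvalid";` now reports them, and webkitAccessibleGetRole() returning ATK_ROLE_INVALID instead of ATK_ROLE_UNKNOWN is likewise visible to AT clients. The changelog line "Fix accessible focus events in non-focused combo boxes" does not mention the role change; suggest adding a sentence there. Also, in the first AXObjectCacheAtk.cpp hunk the guard `if (!object->isCollapsed())` refers to `object`, which is not declared in the visible context; it is presumably the function's AccessibilityObject parameter, so worth confirming against the full function.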
diff -Nru webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch
--- webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/no-ssl-record-version.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,29 @@
+From: Carlos Alberto Lopez Perez <clopez@igalia.com>
+Subject: Don't use a SSL3.0 record version in client hello
+Origin: http://trac.webkit.org/changeset/176253
+Index: webkitgtk/Source/WebKit2/gtk/MainGtk.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/gtk/MainGtk.cpp
++++ webkitgtk/Source/WebKit2/gtk/MainGtk.cpp
+@@ -38,7 +38,7 @@ int main(int argc, char** argv)
+     // overwrite this priority string if it's already set by the user.
+     // Keep this in sync with WebProcessMain.cpp.
+     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
+-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+ 
+     return WebKit::WebProcessMainGtk(argc, argv);
+ }
+Index: webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/unix/NetworkMainUnix.cpp
++++ webkitgtk/Source/WebKit2/unix/NetworkMainUnix.cpp
+@@ -42,7 +42,7 @@ int main(int argc, char** argv)
+     // overwrite this priority string if it's already set by the user.
+     // Keep this in sync with WebProcessMain.cpp.
+     // https://bugzilla.gnome.org/show_bug.cgi?id=738633
+-    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0);
++    setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0);
+ 
+     return WebKit::NetworkProcessMain(argc, argv);
+ }
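Review bot: the context comment in both files says "Keep this in sync with WebProcessMain.cpp", yet this patch touches only MainGtk.cpp and NetworkMainUnix.cpp; confirm that no third copy of the priority string exists that still lacks `%LATEST_RECORD_VERSION`, or the WebProcess and NetworkProcess will advertise different record versions. Note also that `setenv(..., 0)` deliberately does not overwrite a user-supplied G_TLS_GNUTLS_PRIORITY, so anyone who already exported their own priority string (for example to re-enable SSL 3.0) will not pick up the record-version change; that is consistent with the existing comment but worth stating in the patch header.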
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-accessibilitymenulistoption.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,21 @@
+From: Joanmarie Diggs <jdiggs@igalia.com>
+Subject: Check for NULL pointers in AccessibilityMenuListOption
+Origin: http://trac.webkit.org/changeset/176389
+Index: webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
++++ webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp
+@@ -104,9 +104,13 @@ bool AccessibilityMenuListOption::comput
+ LayoutRect AccessibilityMenuListOption::elementRect() const
+ {
+     AccessibilityObject* parent = parentObject();
++    if (!parent)
++        return boundingBoxRect();
+     ASSERT(parent->isMenuListPopup());
+ 
+     AccessibilityObject* grandparent = parent->parentObject();
++    if (!grandparent)
++        return boundingBoxRect();
+     ASSERT(grandparent->isMenuList());
+ 
+     return grandparent->elementRect();
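Review bot: both new early returns fall back to `boundingBoxRect()` rather than an empty LayoutRect, and the `ASSERT(parent->isMenuListPopup())` / `ASSERT(grandparent->isMenuList())` lines that follow still encode the expectation that the chain is normally intact; a one-line comment saying when a detached option can have no parent (so that the fallback rect is the intended result rather than a silent guess) would make the patch self-explanatory.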
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-applystylecommand.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,17 @@
+From: Csaba Osztrogonác <ossy@webkit.org>
+Subject: Check for NULL pointer in ApplyStyleCommand
+Origin: http://trac.webkit.org/changeset/176182
+Index: webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/editing/ApplyStyleCommand.cpp
++++ webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp
+@@ -267,6 +267,9 @@ void ApplyStyleCommand::applyBlockStyle(
+ #else
+     Node* scope = highestEditableRoot(visibleStart.deepEquivalent());
+ #endif
++    if (!scope)
++        return;
++
+     RefPtr<Range> startRange = Range::create(document(), firstPositionInNode(scope), visibleStart.deepEquivalent().parentAnchoredEquivalent());
+     RefPtr<Range> endRange = Range::create(document(), firstPositionInNode(scope), visibleEnd.deepEquivalent().parentAnchoredEquivalent());
+     int startIndex = TextIterator::rangeLength(startRange.get(), true);
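Review bot: the `if (!scope) return;` is placed after the `#endif`, so it correctly covers both preprocessor branches that compute `scope`; however it turns a crash in `firstPositionInNode(scope)` into a silent no-op of applyBlockStyle(), and nothing in the hunk explains when highestEditableRoot() can return null here. Suggest a short comment above the check so the early return is recognisable as intended behaviour rather than a masked error.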
diff -Nru webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch
--- webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/nullptr-frameprogresstracker.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,17 @@
+From: Jeffrey Pfau <jpfau@apple.com>
+Subject: Check for NULL pointer in FrameProgressTracker
+Origin: http://trac.webkit.org/changeset/175919
+Index: webkitgtk/Source/WebCore/loader/FrameLoader.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/loader/FrameLoader.cpp
++++ webkitgtk/Source/WebCore/loader/FrameLoader.cpp
+@@ -195,8 +195,7 @@ public:
+ 
+     ~FrameProgressTracker()
+     {
+-        ASSERT(!m_inProgress || m_frame.page());
+-        if (m_inProgress)
++        if (m_inProgress && m_frame.page())
+             m_frame.page()->progress().progressCompleted(m_frame);
+     }
+ 
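Review bot: the dropped `ASSERT(!m_inProgress || m_frame.page())` documented an invariant that the new condition `if (m_inProgress && m_frame.page())` now relaxes: a tracker destroyed while in progress but with no Page simply never reports progressCompleted(). That is fine for a crash fix, but the patch header should say why a Frame can outlive its Page at this point so the relaxed invariant is not re-tightened later.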
diff -Nru webkitgtk-2.4.7/debian/patches/ppc64-align.patch webkitgtk-2.4.7/debian/patches/ppc64-align.patch
--- webkitgtk-2.4.7/debian/patches/ppc64-align.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/ppc64-align.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,61 @@
+From: Michel Normand <normand@linux.vnet.ibm.com>
+Subject: Fix crash in ppc64el
+Bug: https://bugs.webkit.org/show_bug.cgi?id=130237
+Bug-Debian: https://bugs.debian.org/762670
+Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/webkitgtk-2.4.1-ppc64_align.patch
+Index: webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/heap/CopiedBlock.h
++++ webkitgtk/Source/JavaScriptCore/heap/CopiedBlock.h
+@@ -81,7 +81,11 @@ public:
+     size_t size();
+     size_t capacity();
+ 
++#if CPU(PPC64)
++    static const size_t blockSize = 64 * KB;
++#else
+     static const size_t blockSize = 32 * KB;
++#endif
+ 
+     bool hasWorkList();
+     CopyWorkList& workList();
+Index: webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/interpreter/JSStack.cpp
++++ webkitgtk/Source/JavaScriptCore/interpreter/JSStack.cpp
+@@ -49,7 +49,11 @@ JSStack::JSStack(VM& vm, size_t capacity
+ {
+     ASSERT(capacity && isPageAligned(capacity));
+ 
++#if CPU(PPC64)
++    m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), pageSize()), OSAllocator::JSVMStackPages);
++#else
+     m_reservation = PageReservation::reserve(roundUpAllocationSize(capacity * sizeof(Register), commitSize), OSAllocator::JSVMStackPages);
++#endif
+     updateStackLimit(highAddress());
+     m_commitEnd = highAddress();
+ 
+@@ -78,7 +82,11 @@ bool JSStack::growSlowCase(Register* new
+     // Compute the chunk size of additional memory to commit, and see if we
+     // have it is still within our budget. If not, we'll fail to grow and
+     // return false.
++#if CPU(PPC64)
++    long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), pageSize());
++#else
+     long delta = roundUpAllocationSize(reinterpret_cast<char*>(m_commitEnd) - reinterpret_cast<char*>(newEnd), commitSize);
++#endif
+     if (reinterpret_cast<char*>(m_commitEnd) - delta <= reinterpret_cast<char*>(m_useableEnd))
+         return false;
+ 
+@@ -134,7 +142,11 @@ void JSStack::enableErrorStackReserve()
+ 
+ void JSStack::disableErrorStackReserve()
+ {
++#if CPU(PPC64)
++    char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + pageSize();
++#else
+     char* useableEnd = reinterpret_cast<char*>(reservationEnd()) + commitSize;
++#endif
+     m_useableEnd = reinterpret_cast_ptr<Register*>(useableEnd);
+ 
+     // By the time we get here, we are guaranteed to be destructing the last
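Review bot: the fix is keyed on `CPU(PPC64)` rather than on the actual page size: the CopiedBlock change hard-codes `blockSize = 64 * KB` at compile time, whereas the three JSStack hunks already switch to the runtime `pageSize()`. A PPC64 kernel built with smaller pages still works (64 KB is a multiple of any smaller power of two), but another architecture running a 64 KB-page kernel would hit the same unaligned mprotect() crash with no fix. Consider rounding to `pageSize()` unconditionally (or to the larger of `commitSize` and `pageSize()`) so the `#if` can go away. Minor: the Subject says "Fix crash in ppc64el" while `CPU(PPC64)` covers both endiannesses.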
diff -Nru webkitgtk-2.4.7/debian/patches/protect-document.patch webkitgtk-2.4.7/debian/patches/protect-document.patch
--- webkitgtk-2.4.7/debian/patches/protect-document.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/protect-document.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,15 @@
+From: David Kilzer <ddkilzer@apple.com>
+Subject: Protect Document in ProcessingInstruction::setXSLStyleSheet()
+Origin: http://trac.webkit.org/changeset/176014
+Index: webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/dom/ProcessingInstruction.cpp
++++ webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp
+@@ -215,6 +215,7 @@ void ProcessingInstruction::setXSLStyleS
+ {
+     ASSERT(m_isXSL);
+     m_sheet = XSLStyleSheet::create(this, href, baseURL);
++    Ref<Document> protect(document());
+     parseStyleSheet(sheet);
+ }
+ #endif
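Review bot: the protector `Ref<Document> protect(document());` is taken after `m_sheet = XSLStyleSheet::create(this, href, baseURL);` and only covers `parseStyleSheet(sheet)`; if the intent is to keep the Document alive for the whole method, making it the first statement would also cover the create() call, so confirm that XSLStyleSheet::create() cannot re-enter script or otherwise drop the document. On documentation: unlike ppc64-align.patch, this header has no `Bug:` line; since the upstream report is private, the codereview.chromium.org URL cited in the changelog should also go in the patch header so the provenance travels with the patch.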
diff -Nru webkitgtk-2.4.7/debian/patches/render-text-control.patch webkitgtk-2.4.7/debian/patches/render-text-control.patch
--- webkitgtk-2.4.7/debian/patches/render-text-control.patch	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/render-text-control.patch	2014-12-08 12:26:31.000000000 +0000
@@ -0,0 +1,16 @@
+From: Zalan Bujtas <zalan@apple.com>
+Subject: Check for NULL pointer in SearchInputType.
+Origin: http://trac.webkit.org/changeset/175912
+Index: webkitgtk/Source/WebCore/html/SearchInputType.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/html/SearchInputType.cpp
++++ webkitgtk/Source/WebCore/html/SearchInputType.cpp
+@@ -178,7 +178,7 @@ bool SearchInputType::searchEventsShould
+ 
+ void SearchInputType::didSetValueByUserEdit(ValueChangeState state)
+ {
+-    if (m_cancelButton)
++    if (m_cancelButton && element().renderer())
+         toRenderSearchField(element().renderer())->updateCancelButtonVisibility();
+ 
+     // If the incremental attribute is set, then dispatch the search event
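Review bot: `element().renderer()` is now evaluated twice, once in the guard and once inside `toRenderSearchField(...)`; storing it in a local (`RenderObject* renderer = element().renderer(); if (m_cancelButton && renderer) toRenderSearchField(renderer)->...`) guarantees the null check and the cast see the same pointer and reads more clearly. The cast itself still assumes the renderer is a RenderSearchField, as it did before the patch.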
diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series
--- webkitgtk-2.4.7/debian/patches/series	2014-11-11 10:44:21.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/series	2014-12-08 12:26:31.000000000 +0000
@@ -13,3 +13,11 @@
 fix-mips64-build.patch
 touch-event.patch
 flash-crash.patch
+ppc64-align.patch
+no-ssl-record-version.patch
+protect-document.patch
+render-text-control.patch
+nullptr-frameprogresstracker.patch
+nullptr-applystylecommand.patch
+nullptr-accessibilitymenulistoption.patch
+ax-focus-events.patch

--- End Message ---
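The ppc64 crash described under ppc64-align.patch in the request above, as an added C example that is not part of the request or of WebKit: it commits memory in a fixed unit and in page-sized units and shows which address mprotect() rejects. The 16 KB value for JSStack::commitSize is an assumption (the debdiff does not show it).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed value of JSStack::commitSize; the debdiff does not show it. */
#define ASSUMED_COMMIT_SIZE (16 * 1024)

/* Round size up to a multiple of granule (a power of two); this plays the
   role of roundUpAllocationSize() in the JSStack hunks of the patch. */
static size_t round_up(size_t size, size_t granule)
{
    return (size + granule - 1) & ~(granule - 1);
}

/* Reserve a PROT_NONE region and commit one granule at its top, the way a
   downward-growing JS stack commits in units of commitSize. Returns 0 when
   mprotect() accepts the address, otherwise the errno it set. The commit
   address is page aligned only when granule is a multiple of the page size,
   so a fixed 16 KB unit on a 64 KB-page ppc64 kernel gets EINVAL, which is
   the failure the patch avoids by rounding to pageSize() instead. */
static int commit_with_granule(size_t granule)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t reservation = 8 * page;
    char *base = mmap(NULL, reservation, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return errno;

    /* Grow by a small request (100 bytes), rounded up to one commit unit. */
    size_t delta = round_up(100, granule);
    char *commit_start = base + reservation - delta;
    int err = mprotect(commit_start, delta, PROT_READ | PROT_WRITE) ? errno : 0;

    munmap(base, reservation);
    return err;
}

/* Patched behaviour: commit in page-sized units, aligned on every page size. */
static int commit_page_aligned(void)
{
    return commit_with_granule((size_t)sysconf(_SC_PAGESIZE));
}

/* Unpatched behaviour with the assumed 16 KB commitSize: fine on 4 KB pages,
   EINVAL on 64 KB pages. */
static int commit_fixed_16k(void)
{
    return commit_with_granule(ASSUMED_COMMIT_SIZE);
}
```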
--- Begin Message ---
Hi,

On Mon, Dec 08, 2014 at 04:39:02PM +0100, Alberto Garcia wrote:
> Please unblock package webkitgtk

Unblocked.

Cheers,

Ivo

--- End Message ---
