authorFathi Boudra <fabo@debian.org>2008-09-19 19:18:24 +0000
committerFathi Boudra <fabo@debian.org>2008-09-19 19:18:24 +0000
commita194b996ba85ec287ee4f741dab0f83a50a1c8c1 (patch)
tree437c7cd0d418da090a5bfac8c375984cd2cd8e9d
parentd3b71c865f144373b75cbd0c3057558bbfc3a9ab (diff)
downloadqt4-x11-a194b996ba85ec287ee4f741dab0f83a50a1c8c1.tar.gz
Improve qmake description.debian/4.4.2-1
Add 0249-webkit-stale-frame-pointer.diff (fix CVE-2008-3632).
-rw-r--r--debian/changelog4
-rw-r--r--debian/control8
-rw-r--r--debian/patches/0234-fix-mysql-threaded.diff2
-rw-r--r--debian/patches/0249-webkit-stale-frame-pointer.diff161
-rw-r--r--debian/patches/series1
5 files changed, 171 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 0a29fbe..fd93a06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-qt4-x11 (4.4.2-1) UNRELEASED; urgency=low
+qt4-x11 (4.4.2-1) unstable; urgency=low
* New upstream release.
@@ -14,6 +14,7 @@ qt4-x11 (4.4.2-1) UNRELEASED; urgency=low
* Add:
- 0245-fix-randr-changes-detecting.diff
- 0248-fix-qwidget-scroll-slowness.diff
+ - 0249-webkit-stale-frame-pointer.diff (fix CVE-2008-3632)
* Remove:
- 0214-fix-qgraphicsproxywidget-tab-crash.diff
- 0230-qtextcontrol-selectnextword.diff
@@ -26,7 +27,6 @@ qt4-x11 (4.4.2-1) UNRELEASED; urgency=low
* Remove doxygen build dependency.
It is useless to generate a tag file as Qt is shipped with qt.tags file.
* Split qmake in its own qt4-qmake package. (Closes: #437354)
- TODO: review description.
-- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Thu, 18 Sep 2008 18:22:04 +0200
diff --git a/debian/control b/debian/control
index 66cb169..08bb600 100644
--- a/debian/control
+++ b/debian/control
@@ -425,11 +425,15 @@ Package: qt4-qmake
Architecture: any
Section: devel
Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Qt 4 qmake
+Description: Qt 4 qmake Makefile generator tool
Qt is a cross-platform C++ application framework. Qt's primary feature
is its rich set of widgets that provide standard GUI functionality.
.
- This package contains Qt 4 qmake.
+ This package contains Qt 4 qmake (qmake-qt4), a tool that helps simplify
+ the build process for development project across different platforms.
+ qmake automates the generation of Makefiles so that only a few lines of
+ information are needed to create each Makefile. qmake can be used for any
+ software project, whether it is written in Qt or not.
Package: qt4-qtconfig
Architecture: any
diff --git a/debian/patches/0234-fix-mysql-threaded.diff b/debian/patches/0234-fix-mysql-threaded.diff
index cafadeb..3ccc006 100644
--- a/debian/patches/0234-fix-mysql-threaded.diff
+++ b/debian/patches/0234-fix-mysql-threaded.diff
@@ -1,7 +1,7 @@
qt-bugs@ issue : N217716
Trolltech task ID : 217788
bugs.kde.org number : no report
-applied: yes
+applied: no
author: Tobias Koenig <tokoe@kde.org>
This patch will fix the handling of connections to
diff --git a/debian/patches/0249-webkit-stale-frame-pointer.diff b/debian/patches/0249-webkit-stale-frame-pointer.diff
new file mode 100644
index 0000000..06747f3
--- /dev/null
+++ b/debian/patches/0249-webkit-stale-frame-pointer.diff
@@ -0,0 +1,161 @@
+qt-bugs@ issue : none yet
+Trolltech task ID : none yet
+bugs.kde.org number : none
+applied: no
+author: Apple
+
+this fixes CVE-2008-3632:
+
+Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2,
+and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code
+or cause a denial of service (application crash) via a web page with crafted
+Cascading Style Sheets (CSS) import statements.
+
+
+--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
++++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
+@@ -291,9 +291,8 @@
+ m_renderArena = 0;
+
+ m_axObjectCache = 0;
+-
+- // FIXME: DocLoader probably no longer needs the frame argument
+- m_docLoader = new DocLoader(frame, this);
++
++ m_docLoader = new DocLoader(this);
+
+ visuallyOrdered = false;
+ m_bParsing = false;
+@@ -1169,15 +1168,23 @@
+ if (render)
+ render->destroy();
+
+- // FIXME: is this needed or desirable?
+- m_frame = 0;
+-
++ // This is required, as our Frame might delete itself as soon as it detaches
++ // us. However, this violates Node::detach() symantics, as it's never
++ // possible to re-attach. Eventually Document::detach() should be renamed
++ // or this call made explicit in each of the callers of Document::detach().
++ clearFramePointer();
++
+ if (m_renderArena) {
+ delete m_renderArena;
+ m_renderArena = 0;
+ }
+ }
+
++void Document::clearFramePointer()
++{
++ m_frame = 0;
++}
++
+ void Document::removeAllEventListenersFromAllNodes()
+ {
+ m_windowEventListeners.clear();
+--- a/src/3rdparty/webkit/WebCore/dom/Document.h
++++ b/src/3rdparty/webkit/WebCore/dom/Document.h
+@@ -344,6 +344,8 @@
+ virtual void attach();
+ virtual void detach();
+
++ void clearFramePointer();
++
+ RenderArena* renderArena() { return m_renderArena; }
+
+ AXObjectCache* axObjectCache() const;
+--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
++++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
+@@ -40,10 +40,9 @@
+
+ namespace WebCore {
+
+-DocLoader::DocLoader(Frame *frame, Document* doc)
++DocLoader::DocLoader(Document* doc)
+ : m_cache(cache())
+ , m_cachePolicy(CachePolicyVerify)
+- , m_frame(frame)
+ , m_doc(doc)
+ , m_requestCount(0)
+ , m_autoLoadImages(true)
+@@ -53,6 +52,11 @@
+ m_cache->addDocLoader(this);
+ }
+
++Frame* DocLoader::frame() const
++{
++ return m_doc->frame();
++}
++
+ DocLoader::~DocLoader()
+ {
+ HashMap<String, CachedResource*>::iterator end = m_docResources.end();
+@@ -146,7 +150,7 @@
+ }
+ }
+
+- if (m_frame && m_frame->loader()->isReloading())
++ if (frame() && frame()->loader()->isReloading())
+ setCachePolicy(CachePolicyReload);
+
+ checkForReload(fullURL);
+@@ -197,8 +201,8 @@
+ void DocLoader::setLoadInProgress(bool load)
+ {
+ m_loadInProgress = load;
+- if (!load && m_frame)
+- m_frame->loader()->loadDone();
++ if (!load && frame())
++ frame()->loader()->loadDone();
+ }
+
+ void DocLoader::checkCacheObjectStatus(CachedResource* resource)
+@@ -217,7 +221,7 @@
+ }
+
+ // Notify the caller that we "loaded".
+- if (!m_frame || m_frame->loader()->haveToldBridgeAboutLoad(resource->url()))
++ if (!frame() || frame()->loader()->haveToldBridgeAboutLoad(resource->url()))
+ return;
+
+ ResourceRequest request(resource->url());
+@@ -226,9 +230,9 @@
+
+ if (resource->sendResourceLoadCallbacks()) {
+ // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
+- m_frame->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
++ frame()->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
+ }
+- m_frame->loader()->didTellBridgeAboutLoad(resource->url());
++ frame()->loader()->didTellBridgeAboutLoad(resource->url());
+ }
+
+ void DocLoader::incrementRequestCount()
+--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.h
++++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.h
+@@ -49,7 +49,7 @@
+ friend class HTMLImageLoader;
+
+ public:
+- DocLoader(Frame*, Document*);
++ DocLoader(Document*);
+ ~DocLoader();
+
+ CachedImage* requestImage(const String& url);
+@@ -73,7 +73,7 @@
+ CachePolicy cachePolicy() const { return m_cachePolicy; }
+ void setCachePolicy(CachePolicy);
+
+- Frame* frame() const { return m_frame; }
++ Frame* frame() const; // Can be NULL
+ Document* doc() const { return m_doc; }
+
+ void removeCachedResource(CachedResource*) const;
+@@ -100,7 +100,6 @@
+ HashSet<String> m_reloadedURLs;
+ mutable HashMap<String, CachedResource*> m_docResources;
+ CachePolicy m_cachePolicy;
+- Frame* m_frame;
+ Document *m_doc;
+
+ int m_requestCount;
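Review bot: In the DocLoader.cpp part of this patch, `checkCacheObjectStatus` checks `frame()` once at the early return and then dereferences it again in `frame()->loader()->loadedResourceFromMemoryCache(...)` and `frame()->loader()->didTellBridgeAboutLoad(resource->url())` without re-checking. `frame()` now reads through `m_doc->frame()`, and `Document::detach()` clears that pointer, so if the resource-load callback can detach the document (not visible in these hunks, worth confirming) the last call would turn the old stale-pointer use into a NULL dereference. A guard such as `if (Frame* f = frame()) f->loader()->didTellBridgeAboutLoad(resource->url());` would cover it. `DocLoader::frame()` also dereferences `m_doc` unconditionally, so a comment next to the `// Can be NULL` declaration stating that the Document outlives its DocLoader would record the invariant the fix relies on, and the now single-argument constructor could be declared `explicit DocLoader(Document*);`. The bodies of these functions extend beyond the quoted hunks, so this is based only on the visible lines.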
diff --git a/debian/patches/series b/debian/patches/series
index 1d91a6c..cf0f5b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,6 +12,7 @@
0238-fix-qt-qttabbar-size.diff
0245-fix-randr-changes-detecting.diff
0248-fix-qwidget-scroll-slowness.diff
+0249-webkit-stale-frame-pointer.diff
# debian patches
01_qmake_for_debian.diff