From a194b996ba85ec287ee4f741dab0f83a50a1c8c1 Mon Sep 17 00:00:00 2001 From: Fathi Boudra Date: Fri, 19 Sep 2008 19:18:24 +0000 Subject: Improve qmake description. Add 0249-webkit-stale-frame-pointer.diff (fix CVE-2008-3632). --- debian/changelog | 4 +- debian/control | 8 +- debian/patches/0234-fix-mysql-threaded.diff | 2 +- .../patches/0249-webkit-stale-frame-pointer.diff | 161 +++++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 171 insertions(+), 5 deletions(-) create mode 100644 debian/patches/0249-webkit-stale-frame-pointer.diff diff --git a/debian/changelog b/debian/changelog index 0a29fbe..fd93a06 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -qt4-x11 (4.4.2-1) UNRELEASED; urgency=low +qt4-x11 (4.4.2-1) unstable; urgency=low * New upstream release. @@ -14,6 +14,7 @@ qt4-x11 (4.4.2-1) UNRELEASED; urgency=low * Add: - 0245-fix-randr-changes-detecting.diff - 0248-fix-qwidget-scroll-slowness.diff + - 0249-webkit-stale-frame-pointer.diff (fix CVE-2008-3632) * Remove: - 0214-fix-qgraphicsproxywidget-tab-crash.diff - 0230-qtextcontrol-selectnextword.diff @@ -26,7 +27,6 @@ qt4-x11 (4.4.2-1) UNRELEASED; urgency=low * Remove doxygen build dependency. It is useless to generate a tag file as Qt is shipped with qt.tags file. * Split qmake in its own qt4-qmake package. (Closes: #437354) - TODO: review description. -- Debian Qt/KDE Maintainers Thu, 18 Sep 2008 18:22:04 +0200 diff --git a/debian/control b/debian/control index 66cb169..08bb600 100644 --- a/debian/control +++ b/debian/control 
@@ -425,11 +425,15 @@ Package: qt4-qmake Architecture: any Section: devel Depends: ${shlibs:Depends}, ${misc:Depends} -Description: Qt 4 qmake +Description: Qt 4 qmake Makefile generator tool Qt is a cross-platform C++ application framework. Qt's primary feature is its rich set of widgets that provide standard GUI functionality. . - This package contains Qt 4 qmake. + This package contains Qt 4 qmake (qmake-qt4), a tool that helps simplify + the build process for development project across different platforms. + qmake automates the generation of Makefiles so that only a few lines of + information are needed to create each Makefile. qmake can be used for any + software project, whether it is written in Qt or not. Package: qt4-qtconfig Architecture: any diff --git a/debian/patches/0234-fix-mysql-threaded.diff b/debian/patches/0234-fix-mysql-threaded.diff index cafadeb..3ccc006 100644 --- a/debian/patches/0234-fix-mysql-threaded.diff +++ b/debian/patches/0234-fix-mysql-threaded.diff @@ -1,7 +1,7 @@ qt-bugs@ issue : N217716 Trolltech task ID : 217788 bugs.kde.org number : no report -applied: yes +applied: no author: Tobias Koenig This patch will fix the handling of connections to diff --git a/debian/patches/0249-webkit-stale-frame-pointer.diff b/debian/patches/0249-webkit-stale-frame-pointer.diff new file mode 100644 index 0000000..06747f3 --- /dev/null +++ b/debian/patches/0249-webkit-stale-frame-pointer.diff 
@@ -0,0 +1,161 @@
+qt-bugs@ issue : none yet
+Trolltech task ID : none yet
+bugs.kde.org number : none
+applied: no
+author: Apple
+
+this fixes CVE-2008-3632:
+
+Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2,
+and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code
+or cause a denial of service (application crash) via a web page with crafted
+Cascading Style Sheets (CSS) import statements.
+
+
+--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
++++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
+@@ -291,9 +291,8 @@
+ m_renderArena = 0;
+
+ m_axObjectCache = 0;
+-
+- // FIXME: DocLoader probably no longer needs the frame argument
+- m_docLoader = new DocLoader(frame, this);
++
++ m_docLoader = new DocLoader(this);
+
+ visuallyOrdered = false;
+ m_bParsing = false;
+@@ -1169,15 +1168,23 @@
+ if (render)
+ render->destroy();
+
+- // FIXME: is this needed or desirable?
+- m_frame = 0;
+-
++ // This is required, as our Frame might delete itself as soon as it detaches
++ // us. However, this violates Node::detach() symantics, as it's never
++ // possible to re-attach. Eventually Document::detach() should be renamed
++ // or this call made explicit in each of the callers of Document::detach().
++ clearFramePointer();
++
+ if (m_renderArena) {
+ delete m_renderArena;
+ m_renderArena = 0;
+ }
+ }
+
++void Document::clearFramePointer()
++{
++ m_frame = 0;
++}
++
+ void Document::removeAllEventListenersFromAllNodes()
+ {
+ m_windowEventListeners.clear();
+--- a/src/3rdparty/webkit/WebCore/dom/Document.h
++++ b/src/3rdparty/webkit/WebCore/dom/Document.h
+@@ -344,6 +344,8 @@
+ virtual void attach();
+ virtual void detach();
+
++ void clearFramePointer();
++
+ RenderArena* renderArena() { return m_renderArena; }
+
+ AXObjectCache* axObjectCache() const;
+--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
++++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
+@@ -40,10 +40,9 @@
+
+ namespace WebCore {
+
+-DocLoader::DocLoader(Frame *frame, Document* doc)
++DocLoader::DocLoader(Document* doc)
+ : m_cache(cache())
+ , m_cachePolicy(CachePolicyVerify)
+- , m_frame(frame)
+ , m_doc(doc)
+ , m_requestCount(0)
+ , m_autoLoadImages(true)
+@@ -53,6 +52,11 @@
+ m_cache->addDocLoader(this);
+ }
+
++Frame* DocLoader::frame() const
++{
++ return m_doc->frame();
++}
++
+ DocLoader::~DocLoader()
+ {
+ HashMap::iterator end = m_docResources.end();
+@@ -146,7 +150,7 @@
+ }
+ }
+
+- if (m_frame && m_frame->loader()->isReloading())
++ if (frame() && frame()->loader()->isReloading())
+ setCachePolicy(CachePolicyReload);
+
+ checkForReload(fullURL);
+@@ -197,8 +201,8 @@
+ void DocLoader::setLoadInProgress(bool load)
+ {
+ m_loadInProgress = load;
+- if (!load && m_frame)
+- m_frame->loader()->loadDone();
++ if (!load && frame())
++ frame()->loader()->loadDone();
+ }
+
+ void DocLoader::checkCacheObjectStatus(CachedResource* resource)
+@@ -217,7 +221,7 @@
+ }
+
+ // Notify the caller that we "loaded".
+- if (!m_frame || m_frame->loader()->haveToldBridgeAboutLoad(resource->url()))
++ if (!frame() || frame()->loader()->haveToldBridgeAboutLoad(resource->url()))
+ return;
+
+ ResourceRequest request(resource->url());
+@@ -226,9 +230,9 @@
+
+ if (resource->sendResourceLoadCallbacks()) {
+ // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
+- m_frame->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
++ frame()->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
+ }
+- m_frame->loader()->didTellBridgeAboutLoad(resource->url());
++ frame()->loader()->didTellBridgeAboutLoad(resource->url());
+ }
+
+ void DocLoader::incrementRequestCount()
+--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.h
++++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.h
+@@ -49,7 +49,7 @@
+ friend class HTMLImageLoader;
+
+ public:
+- DocLoader(Frame*, Document*);
++ DocLoader(Document*);
+ ~DocLoader();
+
+ CachedImage* requestImage(const String& url);
+@@ -73,7 +73,7 @@
+ CachePolicy cachePolicy() const { return m_cachePolicy; }
+ void setCachePolicy(CachePolicy);
+
+- Frame* frame() const { return m_frame; }
++ Frame* frame() const; // Can be NULL
+ Document* doc() const { return m_doc; }
+
+ void removeCachedResource(CachedResource*) const;
+@@ -100,7 +100,6 @@
+ HashSet m_reloadedURLs;
+ mutable HashMap m_docResources;
+ CachePolicy m_cachePolicy;
+- Frame* m_frame;
+ Document *m_doc;
+
+ int m_requestCount;
diff --git a/debian/patches/series b/debian/patches/series
index 1d91a6c..cf0f5b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,6 +12,7 @@
0238-fix-qt-qttabbar-size.diff
0245-fix-randr-changes-detecting.diff
0248-fix-qwidget-scroll-slowness.diff
+0249-webkit-stale-frame-pointer.diff
# debian patches
01_qmake_for_debian.diff
-- cgit v1.2.3
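Review bot: The new public `Document::clearFramePointer()` in the Document.h hunk is declared without a comment, while the reason it exists (the Frame may delete itself as soon as it detaches the Document, which can then never be re-attached) is stated only at the call site in Document::detach(); a note on the declaration, `void clearFramePointer(); // Called from detach(); afterwards frame() returns 0 and the Document cannot be re-attached`, stops it being taken for a general-purpose reset. The patch header records only `author: Apple` beside the CVE text, with no upstream WebKit changeset or bug reference, which a later rebase of this security backport needs in order to verify it still matches upstream; a header line such as `upstream: <WebKit changeset reference>` would close that gap. The added comment in Document::detach() misspells `symantics` (`semantics`). The functions touched by the second Document.cpp hunk and by the DocLoader.cpp hunks begin or end outside their hunks.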