Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package webkitgtk This package contains fixes for two bugs: http://bugs.debian.org/768929 The Flash plugin (and possibly others) can cause a stack buffer overflow. Although the GCC stack protector can detect it, it renders the plugin completely unusable. The fix is trivial and has already been applied upstream. http://bugs.debian.org/761492 The WebKit event dispatcher code tries to access the elements of an event list without checking first if it's null. This can be reproduced with certain websites and crashes the web process. The patch is very simple and is a backport from the 2.6 stable series. unblock webkitgtk/2.4.7-2 -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog
--- webkitgtk-2.4.7/debian/changelog 2014-10-23 09:10:22.000000000 +0000
+++ webkitgtk-2.4.7/debian/changelog 2014-11-11 10:44:21.000000000 +0000
@@ -1,3 +1,12 @@
+webkitgtk (2.4.7-2) unstable; urgency=medium
+
+ * debian/patches/touch-event.patch:
+ + Fix crash in EventPath::updateTouchLists() (Closes: #761492).
+ * debian/patches/flash-crash.patch:
+ + Fix crash in the Flash player (Closes: #768929).
+
+ -- Alberto Garcia <be...@igalia.com> Tue, 11 Nov 2014 12:43:45 +0200
+
 webkitgtk (2.4.7-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru webkitgtk-2.4.7/debian/patches/flash-crash.patch webkitgtk-2.4.7/debian/patches/flash-crash.patch
--- webkitgtk-2.4.7/debian/patches/flash-crash.patch 1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/flash-crash.patch 2014-11-11 10:44:21.000000000 +0000
@@ -0,0 +1,19 @@
+From: Alberto Garcia <be...@igalia.com>
+Subject: Fix crash in the Flash plugin
+Bug: https://bugs.webkit.org/show_bug.cgi?id=137849
+Bug-Debian: http://bugs.debian.org/768929
+Index: webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
++++ webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
+@@ -201,7 +201,9 @@ void NetscapePlugin::platformPreInitiali
+ bool NetscapePlugin::platformPostInitialize()
+ {
+ uint64_t windowID = 0;
+- bool needsXEmbed = false;
++ // NPPVpluginNeedsXEmbed is a boolean value, but at least the
++ // Flash player plugin is using an 'int' instead.
++ int needsXEmbed = 0;
+ if (m_isWindowed) {
+ NPP_GetValue(NPPVpluginNeedsXEmbed, &needsXEmbed);
+ if (needsXEmbed) {
diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series
--- webkitgtk-2.4.7/debian/patches/series 2014-10-23 09:10:22.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/series 2014-11-11 10:44:21.000000000 +0000
@@ -11,3 +11,5 @@
 x32_support.patch
 fix-arm64-build.patch
 fix-mips64-build.patch
+touch-event.patch
+flash-crash.patch
diff -Nru webkitgtk-2.4.7/debian/patches/touch-event.patch webkitgtk-2.4.7/debian/patches/touch-event.patch
--- webkitgtk-2.4.7/debian/patches/touch-event.patch 1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/touch-event.patch 2014-11-11 10:44:21.000000000 +0000
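Review bot: `int needsXEmbed = 0;` sizes the stack slot for the 4-byte write the Flash plugin makes through the untyped pointer passed to `NPP_GetValue`, but the new comment explains only the plugin's type choice, not that the local's width is what bounds the plugin's write and that the zero initializer is what remains when the query is not answered, since the return value of `NPP_GetValue` is not checked. Suggest replacing the two comment lines with `// The plugin writes its answer through a void*; Flash writes a full int, so the local must be at least that wide. Initialised to 0 so an unanswered query reads as "no XEmbed".` Only truthiness is tested on the last line (`if (needsXEmbed)`), so the wider type changes no behaviour on the success path. platformPostInitialize continues outside the hunk.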
@@ -0,0 +1,51 @@
+From: Miyoung Shin <myid.s...@samsung.com>
+Subject: Fix crash during dispatching touchEvent created by JS
+Bug-Debian: https://bugs.debian.org/761492
+Bug: https://bugs.webkit.org/show_bug.cgi?id=138211
+Index: webkitgtk/Source/WebCore/dom/EventDispatcher.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/dom/EventDispatcher.cpp
++++ webkitgtk/Source/WebCore/dom/EventDispatcher.cpp
+@@ -91,7 +91,7 @@ public:
+ EventContext& contextAt(size_t i) { return *m_path[i]; }
+
+ #if ENABLE(TOUCH_EVENTS)
+- void updateTouchLists(const TouchEvent&);
++ bool updateTouchLists(const TouchEvent&);
+ #endif
+ void setRelatedTarget(EventTarget&);
+
+@@ -312,8 +312,10 @@ bool EventDispatcher::dispatchEvent(Node
+ if (EventTarget* relatedTarget = event->relatedTarget())
+ eventPath.setRelatedTarget(*relatedTarget);
+ #if ENABLE(TOUCH_EVENTS) && !PLATFORM(IOS)
+- if (event->isTouchEvent())
+- eventPath.updateTouchLists(*toTouchEvent(event.get()));
++ if (event->isTouchEvent()) {
++ if (!eventPath.updateTouchLists(*toTouchEvent(event.get())))
++ return true;
++ }
+ #endif
+
+ ChildNodesLazySnapshot::takeChildNodesLazySnapshot();
+@@ -432,8 +434,11 @@ static void addRelatedNodeResolversForTo
+ touchTargetResolvers.append(EventRelatedNodeResolver(*touchList->item(i), type));
+ }
+
+-void EventPath::updateTouchLists(const TouchEvent& touchEvent)
++bool EventPath::updateTouchLists(const TouchEvent& touchEvent)
+ {
++ if (!touchEvent.touches() || !touchEvent.targetTouches() || !touchEvent.changedTouches())
++ return false;
++
+ Vector<EventRelatedNodeResolver, 16> touchTargetResolvers;
+ const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length();
+ touchTargetResolvers.reserveInitialCapacity(touchNodeCount);
+@@ -454,6 +459,7 @@ void EventPath::updateTouchLists(const T
+ context.touchList(currentResolver.touchListType())->append(currentResolver.touch()->cloneWithNewTarget(nodeInCurrentTreeScope));
+ }
+ }
++ return true;
+ }
+ #endif
+
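Review bot: The early `return true;` added to `dispatchEvent` silently skips a TouchEvent whose lists are null, and neither it nor the changed declaration `bool updateTouchLists(const TouchEvent&);` says what the boolean means, so a future caller has no way to know that `false` is a "do not dispatch" signal rather than an ordinary failure. Suggest annotating the declaration with `// Returns false when any of touches()/targetTouches()/changedTouches() is null (a TouchEvent built from JS can have no lists); such an event must not be dispatched.` and preceding the `return true;` in dispatchEvent with `// Nothing to dispatch; report the event as not cancelled.` — the second wording is an inference, since the return convention of dispatchEvent is not visible in the hunk. The null check itself is the right place for the guard, as the three `->length()` dereferences two lines below are the crash site. Note also that the call site is compiled under `ENABLE(TOUCH_EVENTS) && !PLATFORM(IOS)` while `updateTouchLists` is under `ENABLE(TOUCH_EVENTS)` alone; that mismatch predates the patch, but any other caller of `updateTouchLists` would need to honour the new return value too. `dispatchEvent` and the body of `updateTouchLists` both extend outside the visible hunks.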