Your message dated Tue, 11 Nov 2014 18:28:23 +0100
with message-id <[email protected]>
and subject line Re: Bug#769136: unblock: webkitgtk/2.4.7-2
has caused the Debian Bug report #769136,
regarding unblock: webkitgtk/2.4.7-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
769136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package webkitgtk

This package contains fixes for two bugs:

http://bugs.debian.org/768929

The Flash plugin (and possibly others) can cause a stack buffer
overflow. Although the GCC stack protector can detect it, it
renders the plugin completely unusable. The fix is trivial and has
already been applied upstream.

http://bugs.debian.org/761492

The WebKit event dispatcher code tries to access the elements of an
event list without checking first if it's null. This can be
reproduced with certain websites and crashes the web process. The
patch is very simple and is a backport from the 2.6 stable series.

unblock webkitgtk/2.4.7-2
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru webkitgtk-2.4.7/debian/changelog webkitgtk-2.4.7/debian/changelog
--- webkitgtk-2.4.7/debian/changelog 2014-10-23 09:10:22.000000000 +0000
+++ webkitgtk-2.4.7/debian/changelog 2014-11-11 10:44:21.000000000 +0000
@@ -1,3 +1,12 @@
+webkitgtk (2.4.7-2) unstable; urgency=medium
+
+ * debian/patches/touch-event.patch:
+ + Fix crash in EventPath::updateTouchLists() (Closes: #761492).
+ * debian/patches/flash-crash.patch:
+ + Fix crash in the Flash player (Closes: #768929).
+
+ -- Alberto Garcia <[email protected]> Tue, 11 Nov 2014 12:43:45 +0200
+
webkitgtk (2.4.7-1) unstable; urgency=medium
* New upstream release.
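Review bot: Both new changelog bullets describe their change as a "crash" fix, but the unblock request above describes #768929 as a stack buffer overflow that the GCC stack protector detects. Consider wording the flash-crash.patch entry to say so, for example "Fix stack buffer overflow when querying NPPVpluginNeedsXEmbed", so that someone scanning the changelog can tell a memory-safety fix from an ordinary crash fix.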
diff -Nru webkitgtk-2.4.7/debian/patches/flash-crash.patch webkitgtk-2.4.7/debian/patches/flash-crash.patch
--- webkitgtk-2.4.7/debian/patches/flash-crash.patch 1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/flash-crash.patch 2014-11-11 10:44:21.000000000 +0000
@@ -0,0 +1,19 @@
+From: Alberto Garcia <[email protected]>
+Subject: Fix crash in the Flash plugin
+Bug: https://bugs.webkit.org/show_bug.cgi?id=137849
+Bug-Debian: http://bugs.debian.org/768929
+Index: webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
++++ webkitgtk/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp
+@@ -201,7 +201,9 @@ void NetscapePlugin::platformPreInitiali
+ bool NetscapePlugin::platformPostInitialize()
+ {
+ uint64_t windowID = 0;
+- bool needsXEmbed = false;
++ // NPPVpluginNeedsXEmbed is a boolean value, but at least the
++ // Flash player plugin is using an 'int' instead.
++ int needsXEmbed = 0;
+ if (m_isWindowed) {
+ NPP_GetValue(NPPVpluginNeedsXEmbed, &needsXEmbed);
+ if (needsXEmbed) {
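Review bot: In platformPostInitialize(), the new comment records that the Flash player uses an 'int' but not why the local has to be that wide. The plugin stores its answer through the pointer handed to NPP_GetValue(), so a receiving variable smaller than what the plugin writes is overrun on the stack. State that in the comment so a later cleanup does not change the type back to bool. It is also worth noting there that the "= 0" initializer is now required: a plugin that stores only a single boolean byte leaves the remaining bytes of the int untouched, and "if (needsXEmbed)" reads all of them. The return value of NPP_GetValue() is not checked in the visible lines, so the same initializer is what keeps the failure path well defined.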
diff -Nru webkitgtk-2.4.7/debian/patches/series webkitgtk-2.4.7/debian/patches/series
--- webkitgtk-2.4.7/debian/patches/series 2014-10-23 09:10:22.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/series 2014-11-11 10:44:21.000000000 +0000
@@ -11,3 +11,5 @@
x32_support.patch
fix-arm64-build.patch
fix-mips64-build.patch
+touch-event.patch
+flash-crash.patch
diff -Nru webkitgtk-2.4.7/debian/patches/touch-event.patch webkitgtk-2.4.7/debian/patches/touch-event.patch
--- webkitgtk-2.4.7/debian/patches/touch-event.patch 1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.7/debian/patches/touch-event.patch 2014-11-11 10:44:21.000000000 +0000
@@ -0,0 +1,51 @@
+From: Miyoung Shin <[email protected]>
+Subject: Fix crash during dispatching touchEvent created by JS
+Bug-Debian: https://bugs.debian.org/761492
+Bug: https://bugs.webkit.org/show_bug.cgi?id=138211
+Index: webkitgtk/Source/WebCore/dom/EventDispatcher.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/dom/EventDispatcher.cpp
++++ webkitgtk/Source/WebCore/dom/EventDispatcher.cpp
+@@ -91,7 +91,7 @@ public:
+ EventContext& contextAt(size_t i) { return *m_path[i]; }
+
+ #if ENABLE(TOUCH_EVENTS)
+- void updateTouchLists(const TouchEvent&);
++ bool updateTouchLists(const TouchEvent&);
+ #endif
+ void setRelatedTarget(EventTarget&);
+
+@@ -312,8 +312,10 @@ bool EventDispatcher::dispatchEvent(Node
+ if (EventTarget* relatedTarget = event->relatedTarget())
+ eventPath.setRelatedTarget(*relatedTarget);
+ #if ENABLE(TOUCH_EVENTS) && !PLATFORM(IOS)
+- if (event->isTouchEvent())
+- eventPath.updateTouchLists(*toTouchEvent(event.get()));
++ if (event->isTouchEvent()) {
++ if (!eventPath.updateTouchLists(*toTouchEvent(event.get())))
++ return true;
++ }
+ #endif
+
+ ChildNodesLazySnapshot::takeChildNodesLazySnapshot();
+@@ -432,8 +434,11 @@ static void addRelatedNodeResolversForTo
+ touchTargetResolvers.append(EventRelatedNodeResolver(*touchList->item(i), type));
+ }
+
+-void EventPath::updateTouchLists(const TouchEvent& touchEvent)
++bool EventPath::updateTouchLists(const TouchEvent& touchEvent)
+ {
++ if (!touchEvent.touches() || !touchEvent.targetTouches() || !touchEvent.changedTouches())
++ return false;
++
+ Vector<EventRelatedNodeResolver, 16> touchTargetResolvers;
+ const size_t touchNodeCount = touchEvent.touches()->length() + touchEvent.targetTouches()->length() + touchEvent.changedTouches()->length();
+ touchTargetResolvers.reserveInitialCapacity(touchNodeCount);
+@@ -454,6 +459,7 @@ void EventPath::updateTouchLists(const T
+ context.touchList(currentResolver.touchListType())->append(currentResolver.touch()->cloneWithNewTarget(nodeInCurrentTreeScope));
+ }
+ }
++ return true;
+ }
+ #endif
+
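Review bot: In the dispatchEvent() hunk, "return true;" is taken when updateTouchLists() finds a null touch list, so the event is dropped before dispatch and the caller receives true, with nothing in the hunk saying what that value means for an event that was never dispatched. Add a comment at that return explaining the choice, or return a value picked explicitly for the rejected-event case. The null check in updateTouchLists() does cover all three lists that the following touchNodeCount line dereferences, which is the right scope. The patch header could also carry an Origin: field pointing at the upstream change, since the request describes this as a backport from the 2.6 stable series.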
--- End Message ---
--- Begin Message ---
On 11/11/14 17:50, Alberto Garcia wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package webkitgtk
>
> This package contains fixes for two bugs:
>
> http://bugs.debian.org/768929
>
> The Flash plugin (and possibly others) can cause a stack buffer
> overflow. Although the GCC stack protector can detect it, it
> renders the plugin completely unusable. The fix is trivial and has
> already been applied upstream.
>
> http://bugs.debian.org/761492
>
> The WebKit event dispatcher code tries to access the elements of an
> event list without checking first if it's null. This can be
> reproduced with certain websites and crashes the web process. The
> patch is very simple and is a backport from the 2.6 stable series.
>
> unblock webkitgtk/2.4.7-2
Unblocked.
Emilio
--- End Message ---