Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package webkit2gtk

This release contains several fixes cherry-picked from the upstream stable branches. All of them solve either crashes or other important bugs:

* debian/patches/no-ssl-record-version.patch:
  This fixes a problem where, following the POODLE vulnerability, many web sites incorrectly ban SSL 3.0 record packet versions used to advertise TLS 1.2. This fix makes WebKitGTK+ use the latest TLS version record instead of using the default SSL 3.0.
  https://bugs.webkit.org/show_bug.cgi?id=138794

* debian/patches/nullptr-accessibilitymenulistoption.patch:
* debian/patches/nullptr-applystylecommand.patch:
* debian/patches/nullptr-frameprogresstracker.patch:
* debian/patches/render-text-control.patch:
  These other four patches fix several NULL pointer crashes in different parts of the code. Here are the upstream bug reports:
  https://bugs.webkit.org/show_bug.cgi?id=138727
  https://bugs.webkit.org/show_bug.cgi?id=137961
  https://bugs.webkit.org/show_bug.cgi?id=138061
  https://bugs.webkit.org/show_bug.cgi?id=138035

* debian/patches/twitter-inserted-text.patch:
  A bug in a string cache makes WebKitGTK+ sometimes write spurious text in some input fields, notably in Etherpad and the Twitter message box.
  https://bugs.webkit.org/show_bug.cgi?id=139076

* debian/patches/protect-document.patch:
  This fixes a crash that happens while applying XSLTransform. This is marked upstream as a security fix so the details are private.

* debian/patches/at-spi2.patch:
  This fixes a regression. It disables the new AtkObject API that is still not supported by AT-SPI2.
  https://bugs.webkit.org/show_bug.cgi?id=138776

* debian/patches/ax-focus-events.patch:
  Two related accessibility fixes, preventing crashes for both users and non-users of assistive technology.
  https://bugs.webkit.org/show_bug.cgi?id=137866
  https://bugs.webkit.org/show_bug.cgi?id=137867

unblock webkit2gtk/2.6.2+dfsg1-3

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
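The record-version point in the no-ssl-record-version entry above is easier to see on the wire. The following is an added illustration, not code from WebKitGTK+, GnuTLS or the Debian package: it builds a minimal ClientHello (fixed, constructed "random" bytes, two cipher suites, no extensions, layout per RFC 5246 sections 6.2.1 and 7.4.1.2), parses the two version fields back out, and classifies the combination the way a server that started refusing SSL 3.0 record headers after POODLE would see it. The label strings and the `classify` rules are this example's own choices.

```python
"""Constructed example: the two version fields in a TLS ClientHello.

A ClientHello carries a version in the 5-byte record header and a second
one (client_version) inside the handshake body. The priority string before
the patch sent record version 3.0 (SSL 3.0) while offering TLS 1.2 in
client_version; %LATEST_RECORD_VERSION makes the record header carry the
offered version instead. Not WebKitGTK+ or GnuTLS code.
"""
import struct

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(record_version, hello_version, cipher_suites=(0x002F, 0x0035)):
    """Return a minimal ClientHello record with the given (record, client_version) pair.

    The 32 client_random bytes are a fixed, constructed pattern so the output is
    reproducible; a real client fills them from a CSPRNG.
    """
    body = struct.pack("!BB", *hello_version)
    body += bytes(range(32))                                   # client_random (constructed)
    body += b"\x00"                                            # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                        # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    header = b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(handshake))
    return header + handshake


def parse_client_hello(data):
    """Parse record version, client_version and cipher suites out of a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    (record_len,) = struct.unpack("!H", data[3:5])
    handshake = data[5:5 + record_len]
    if len(handshake) != record_len or handshake[:1] != b"\x01":
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello body")
    hello_version = (body[0], body[1])
    pos = 35 + body[34]                                        # skip version, random, session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": record_version, "hello_version": hello_version,
            "cipher_suites": suites}


def classify(data):
    """Say how a post-POODLE server that refuses SSL 3.0 record headers sees this hello."""
    info = parse_client_hello(data)
    record, hello = info["record_version"], info["hello_version"]
    if hello == (3, 0):
        return "ssl3-hello"               # genuinely SSL 3.0: refusing it is correct
    if record == (3, 0):
        return "ssl3-record-header"       # pre-patch shape: TLS offered, SSL 3.0 in the header
    if record == hello:
        return "latest-record-header"     # what %LATEST_RECORD_VERSION produces
    return "older-record-header"          # e.g. TLS 1.0 header, TLS 1.2 offered (RFC 5246 E.1)


if __name__ == "__main__":
    for rec, hello in (((3, 0), (3, 3)), ((3, 3), (3, 3))):
        pkt = build_client_hello(rec, hello)
        print(VERSION_NAMES[rec], "header /", VERSION_NAMES[hello], "offered ->", classify(pkt))
```

The only byte that differs between the pre-patch and post-patch hellos is the second byte of the record header (0x00 versus 0x03); the offered client_version, and therefore the negotiated protocol, is the same in both, which is why the over-strict servers were wrong to reject the first form and why the fix costs nothing in security.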
diff -Nru webkit2gtk-2.6.2+dfsg1/debian/changelog webkit2gtk-2.6.2+dfsg1/debian/changelog --- webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-11-10 09:45:07.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/changelog 2014-12-07 16:53:35.000000000 +0000 @@ -1,3 +1,27 @@ +webkit2gtk (2.6.2+dfsg1-3) unstable; urgency=medium + + * debian/patches/no-ssl-record-version.patch: + + Don't use a SSL3.0 record version in client hello. + * debian/patches/nullptr-accessibilitymenulistoption.patch: + + Check for NULL pointers in AccessibilityMenuListOption. + * debian/patches/nullptr-applystylecommand.patch: + + Check for NULL pointer in ApplyStyleCommand. + * debian/patches/nullptr-frameprogresstracker.patch: + + Check for NULL pointer in FrameProgressTracker. + * debian/patches/render-text-control.patch: + + Check for NULL pointer in SearchInputType. + * debian/patches/twitter-inserted-text.patch: + + Fix inserted text when typing in the Twitter message box. + * debian/patches/protect-document.patch: + + Protect Document in ProcessingInstruction::setXSLStyleSheet(). This + is a security fix, see https://codereview.chromium.org/579133004. + * debian/patches/at-spi2.patch: + + Accessible values are no longer accessible via AT-SPI2. + * debian/patches/ax-focus-events.patch: + + Fix accessible focus events in non-focused combo boxes. + + -- Alberto Garcia <[email protected]> Sun, 07 Dec 2014 17:53:25 +0100 + webkit2gtk (2.6.2+dfsg1-2) unstable; urgency=medium * debian/patches/fix-mips64-build.patch: diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/at-spi2.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Joanmarie Diggs <[email protected]> +Subject: Accessible values are no longer accessible via AT-SPI2 +Origin: http://trac.webkit.org/changeset/176193 +Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp ++++ webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleInterfaceValue.cpp +@@ -114,7 +114,7 @@ static AtkRange* webkitAccessibleGetRang + gchar* valueDescription = g_strdup_printf("%s", coreObject->valueDescription().utf8().data()); + return atk_range_new(minValue, maxValue, valueDescription); + } +-#else ++#endif + static void webkitAccessibleValueGetCurrentValue(AtkValue* value, GValue* gValue) + { + g_return_if_fail(ATK_VALUE(value)); +@@ -184,7 +184,6 @@ static void webkitAccessibleValueGetMini + AccessibilityObject* coreObject = core(value); + g_value_set_float(gValue, webkitAccessibleGetIncrementValue(coreObject)); + } +-#endif + + void webkitAccessibleValueInterfaceInit(AtkValueIface* iface) + { +@@ -193,13 +192,12 @@ void webkitAccessibleValueInterfaceInit( + iface->get_increment = webkitAccessibleGetIncrement; + iface->set_value = webkitAccessibleSetValue; + iface->get_range = webkitAccessibleGetRange; +-#else ++#endif + iface->get_current_value = webkitAccessibleValueGetCurrentValue; + iface->get_maximum_value = webkitAccessibleValueGetMaximumValue; + iface->get_minimum_value = webkitAccessibleValueGetMinimumValue; + iface->set_current_value = webkitAccessibleValueSetCurrentValue; + iface->get_minimum_increment = webkitAccessibleValueGetMinimumIncrement; +-#endif + } + + #endif diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/ax-focus-events.patch webkit2gtk-2.6.2+dfsg1/debian/patches/ax-focus-events.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/ax-focus-events.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
webkit2gtk-2.6.2+dfsg1/debian/patches/ax-focus-events.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,78 @@ +From: Joanmarie Diggs <[email protected]> +Subject: Fix accessible focus events in non-focused combo boxes +Origin: http://trac.webkit.org/changeset/176177, http://trac.webkit.org/changeset/176178 +Index: webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp ++++ webkitgtk/Source/WebCore/accessibility/atk/AXObjectCacheAtk.cpp +@@ -175,8 +175,12 @@ static void notifyChildrenSelectionChang + if (axItem) { + bool isSelected = item->isSelected(); + atk_object_notify_state_change(axItem, ATK_STATE_SELECTED, isSelected); +- g_signal_emit_by_name(axItem, "focus-event", isSelected); +- atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected); ++ // When the selection changes in a collapsed widget such as a combo box ++ // whose child menu is not showing, that collapsed widget retains focus. ++ if (!object->isCollapsed()) { ++ g_signal_emit_by_name(axItem, "focus-event", isSelected); ++ atk_object_notify_state_change(axItem, ATK_STATE_FOCUSED, isSelected); ++ } + } + + // Update pointers to the previously involved objects. +@@ -199,7 +203,8 @@ void AXObjectCache::postPlatformNotifica + + case AXSelectedChildrenChanged: + case AXMenuListValueChanged: +- if (notification == AXMenuListValueChanged && coreObject->isMenuList()) { ++ // Accessible focus claims should not be made if the associated widget is not focused. 
++ if (notification == AXMenuListValueChanged && coreObject->isMenuList() && coreObject->isFocused()) { + g_signal_emit_by_name(axObject, "focus-event", true); + atk_object_notify_state_change(axObject, ATK_STATE_FOCUSED, true); + } +Index: webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp ++++ webkitgtk/Source/WebCore/accessibility/atk/WebKitAccessibleWrapperAtk.cpp +@@ -748,13 +748,15 @@ static AtkRole atkRole(AccessibilityObje + + static AtkRole webkitAccessibleGetRole(AtkObject* object) + { +- g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_UNKNOWN); +- returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_UNKNOWN); ++ // ATK_ROLE_UNKNOWN should only be applied in cases where there is a valid ++ // WebCore accessible object for which the platform role mapping is unknown. ++ g_return_val_if_fail(WEBKIT_IS_ACCESSIBLE(object), ATK_ROLE_INVALID); ++ returnValIfWebKitAccessibleIsInvalid(WEBKIT_ACCESSIBLE(object), ATK_ROLE_INVALID); + + AccessibilityObject* coreObject = core(object); + + if (!coreObject) +- return ATK_ROLE_UNKNOWN; ++ return ATK_ROLE_INVALID; + + // Note: Why doesn't WebCore have a password field for this + if (coreObject->isPasswordField()) +Index: webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp +=================================================================== +--- webkitgtk.orig/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp ++++ webkitgtk/Tools/WebKitTestRunner/InjectedBundle/atk/AccessibilityUIElementAtk.cpp +@@ -369,6 +369,8 @@ const gchar* roleToString(AtkObject* obj + return "AXImage"; + case ATK_ROLE_IMAGE_MAP: + return "AXImageMap"; ++ case ATK_ROLE_INVALID: ++ return "AXInvalid"; + case ATK_ROLE_LABEL: + return "AXLabel"; + case ATK_ROLE_LINK: +@@ -1013,9 +1015,6 @@ 
JSRetainPtr<JSStringRef> AccessibilityUI + if (!ATK_IS_OBJECT(m_element.get())) + return JSStringCreateWithCharacters(0, 0); + +- if (!atk_object_get_role(ATK_OBJECT(m_element.get()))) +- return JSStringCreateWithCharacters(0, 0); +- + GUniquePtr<char> roleStringWithPrefix(g_strdup_printf("AXRole: %s", roleToString(ATK_OBJECT(m_element.get())))); + return JSStringCreateWithUTF8CString(roleStringWithPrefix.get()); + } diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/no-ssl-record-version.patch webkit2gtk-2.6.2+dfsg1/debian/patches/no-ssl-record-version.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/no-ssl-record-version.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/no-ssl-record-version.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Carlos Alberto Lopez Perez <[email protected]> +Subject: Don't use a SSL3.0 record version in client hello +Origin: http://trac.webkit.org/changeset/176253 +Index: webkitgtk/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp +=================================================================== +--- webkitgtk.orig/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp ++++ webkitgtk/Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp +@@ -39,7 +39,7 @@ int main(int argc, char** argv) + // overwrite this priority string if it's already set by the user. + // Keep this in sync with WebProcessMain.cpp. + // https://bugzilla.gnome.org/show_bug.cgi?id=738633 +- setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0); ++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0); + + return NetworkProcessMainUnix(argc, argv); + } +Index: webkitgtk/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp +=================================================================== +--- webkitgtk.orig/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp ++++ webkitgtk/Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp +@@ -39,7 +39,7 @@ int main(int argc, char** argv) + // overwrite this priority string if it's already set by the user. + // Keep this in sync with NetworkProcessMain.cpp. 
+ // https://bugzilla.gnome.org/show_bug.cgi?id=738633 +- setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:!VERS-SSL3.0", 0); ++ setenv("G_TLS_GNUTLS_PRIORITY", "NORMAL:%COMPAT:%LATEST_RECORD_VERSION:!VERS-SSL3.0", 0); + + return WebProcessMainUnix(argc, argv); + } diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-accessibilitymenulistoption.patch webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-accessibilitymenulistoption.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-accessibilitymenulistoption.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-accessibilitymenulistoption.patch 2014-12-07 16:53:35.000000000 +0000 @@ -0,0 +1,21 @@ +From: Joanmarie Diggs <[email protected]> +Subject: Check for NULL pointers in AccessibilityMenuListOption +Origin: http://trac.webkit.org/changeset/176389 +Index: webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp ++++ webkitgtk/Source/WebCore/accessibility/AccessibilityMenuListOption.cpp +@@ -104,9 +104,13 @@ bool AccessibilityMenuListOption::comput + LayoutRect AccessibilityMenuListOption::elementRect() const + { + AccessibilityObject* parent = parentObject(); ++ if (!parent) ++ return boundingBoxRect(); + ASSERT(parent->isMenuListPopup()); + + AccessibilityObject* grandparent = parent->parentObject(); ++ if (!grandparent) ++ return boundingBoxRect(); + ASSERT(grandparent->isMenuList()); + + return grandparent->elementRect(); diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-applystylecommand.patch webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-applystylecommand.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-applystylecommand.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-applystylecommand.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,17 @@ +From: Csaba Osztrogonác <[email protected]> +Subject: Check for NULL pointer in ApplyStyleCommand +Origin: http://trac.webkit.org/changeset/176182 +Index: webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/editing/ApplyStyleCommand.cpp ++++ webkitgtk/Source/WebCore/editing/ApplyStyleCommand.cpp +@@ -257,6 +257,9 @@ void ApplyStyleCommand::applyBlockStyle( + // addBlockStyleIfNeeded may moveParagraphs, which can remove these endpoints. + // Calculate start and end indices from the start of the tree that they're in. + Node* scope = highestEditableRoot(visibleStart.deepEquivalent()); ++ if (!scope) ++ return; ++ + RefPtr<Range> startRange = Range::create(document(), firstPositionInNode(scope), visibleStart.deepEquivalent().parentAnchoredEquivalent()); + RefPtr<Range> endRange = Range::create(document(), firstPositionInNode(scope), visibleEnd.deepEquivalent().parentAnchoredEquivalent()); + int startIndex = TextIterator::rangeLength(startRange.get(), true); diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-frameprogresstracker.patch webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-frameprogresstracker.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-frameprogresstracker.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/nullptr-frameprogresstracker.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,17 @@ +From: Jeffrey Pfau <[email protected]> +Subject: Check for NULL pointer in FrameProgressTracker +Origin: http://trac.webkit.org/changeset/175919 +Index: webkitgtk/Source/WebCore/loader/FrameLoader.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/loader/FrameLoader.cpp ++++ webkitgtk/Source/WebCore/loader/FrameLoader.cpp +@@ -189,8 +189,7 @@ public: + + ~FrameProgressTracker() + { +- ASSERT(!m_inProgress || m_frame.page()); +- if (m_inProgress) ++ if (m_inProgress && m_frame.page()) + m_frame.page()->progress().progressCompleted(m_frame); + } + diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/protect-document.patch webkit2gtk-2.6.2+dfsg1/debian/patches/protect-document.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/protect-document.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/protect-document.patch 2014-12-07 16:53:35.000000000 +0000 @@ -0,0 +1,15 @@ +From: David Kilzer <[email protected]> +Subject: Protect Document in ProcessingInstruction::setXSLStyleSheet() +Origin: http://trac.webkit.org/changeset/176014 +Index: webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/dom/ProcessingInstruction.cpp ++++ webkitgtk/Source/WebCore/dom/ProcessingInstruction.cpp +@@ -215,6 +215,7 @@ void ProcessingInstruction::setXSLStyleS + { + ASSERT(m_isXSL); + m_sheet = XSLStyleSheet::create(this, href, baseURL); ++ Ref<Document> protect(document()); + parseStyleSheet(sheet); + } + #endif diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/render-text-control.patch webkit2gtk-2.6.2+dfsg1/debian/patches/render-text-control.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/render-text-control.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/render-text-control.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,16 @@ +From: Zalan Bujtas <[email protected]> +Subject: Check for NULL pointer in SearchInputType. +Origin: http://trac.webkit.org/changeset/175912 +Index: webkitgtk/Source/WebCore/html/SearchInputType.cpp +=================================================================== +--- webkitgtk.orig/Source/WebCore/html/SearchInputType.cpp ++++ webkitgtk/Source/WebCore/html/SearchInputType.cpp +@@ -185,7 +185,7 @@ bool SearchInputType::searchEventsShould + + void SearchInputType::didSetValueByUserEdit(ValueChangeState state) + { +- if (m_cancelButton) ++ if (m_cancelButton && element().renderer()) + toRenderSearchField(element().renderer())->updateCancelButtonVisibility(); + + // If the incremental attribute is set, then dispatch the search event diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/series webkit2gtk-2.6.2+dfsg1/debian/patches/series --- webkit2gtk-2.6.2+dfsg1/debian/patches/series 2014-11-10 09:45:07.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/series 2014-12-07 16:53:35.000000000 +0000 @@ -6,3 +6,12 @@ css-image-set.patch fix-mips64-build.patch flash-crash.patch +no-ssl-record-version.patch +render-text-control.patch +nullptr-frameprogresstracker.patch +nullptr-applystylecommand.patch +nullptr-accessibilitymenulistoption.patch +twitter-inserted-text.patch +protect-document.patch +at-spi2.patch +ax-focus-events.patch diff -Nru webkit2gtk-2.6.2+dfsg1/debian/patches/twitter-inserted-text.patch webkit2gtk-2.6.2+dfsg1/debian/patches/twitter-inserted-text.patch --- webkit2gtk-2.6.2+dfsg1/debian/patches/twitter-inserted-text.patch 1970-01-01 00:00:00.000000000 +0000 +++ webkit2gtk-2.6.2+dfsg1/debian/patches/twitter-inserted-text.patch 2014-12-07 16:53:35.000000000 +0000 
@@ -0,0 +1,21 @@ +From: Andreas Kling <[email protected]> +Subject: Fix inserted text when typing in the Twitter message box. +Origin: http://trac.webkit.org/changeset/176824 +Index: webkitgtk/Source/JavaScriptCore/runtime/JSString.h +=================================================================== +--- webkitgtk.orig/Source/JavaScriptCore/runtime/JSString.h ++++ webkitgtk/Source/JavaScriptCore/runtime/JSString.h +@@ -482,12 +482,7 @@ ALWAYS_INLINE AtomicStringImpl* JSString + return static_cast<const JSRopeString*>(this)->resolveRopeToExistingAtomicString(exec); + if (m_value.impl()->isAtomic()) + return static_cast<AtomicStringImpl*>(m_value.impl()); +- if (AtomicStringImpl* existingAtomicString = AtomicString::find(m_value.impl())) { +- m_value = *existingAtomicString; +- setIs8Bit(m_value.impl()->is8Bit()); +- return existingAtomicString; +- } +- return nullptr; ++ return AtomicString::find(m_value.impl()); + } + + inline const String& JSString::value(ExecState* exec) const
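Review bot: in the debian/changelog hunk, the entry `+ Accessible values are no longer accessible via AT-SPI2.` describes the symptom, not the change; the at-spi2.patch hunks re-register the legacy `get_current_value`/`get_maximum_value`/`get_minimum_value`/`set_current_value`/`get_minimum_increment` callbacks next to the newer `get_range`/`set_value` pair, and the changelog should say that, since it is the text that ships with the package.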
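Review bot: in all three hunks of at-spi2.patch the `#if` whose `#else` is being turned into `#endif` lies outside the visible context, so a reader cannot tell which ATK version gate now enables both implementations in WebKitAccessibleInterfaceValue.cpp; add a line to the patch header naming that condition and stating that, when it is true, both the old AtkValue callbacks and the new `get_range`/`set_value` ones are installed.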
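Review bot: in the first AXObjectCacheAtk.cpp hunk of ax-focus-events.patch, `if (!object->isCollapsed())` is the only visible use of `object` and its declaration is outside the context; the comment above it talks about the collapsed widget, so name the variable's role there (the parent menu list, if that is what it is) so the guard is not misread as a test on the selected item.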
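Review bot: the WebKitAccessibleWrapperAtk.cpp hunk in ax-focus-events.patch changes the failure value of webkitAccessibleGetRole from ATK_ROLE_UNKNOWN to ATK_ROLE_INVALID, which is an observable change for assistive technologies rather than part of the focus-event fix named in the subject line. Since this one file bundles two upstream changesets (176177 and 176178), say which hunks belong to which and mention the new role value in the changelog.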
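Review bot: the AccessibilityUIElementAtk.cpp hunks in ax-focus-events.patch remove the `if (!atk_object_get_role(...))` early return; ATK_ROLE_INVALID is the zero value, so that check was what made invalid objects report an empty role, and with the new `case ATK_ROLE_INVALID: return "AXInvalid";` they now report `AXRole: AXInvalid`. That changes test expectations, so confirm whether the matching LayoutTests expectation updates from upstream are needed, or whether WebKitTestRunner is not built for the Debian package and the hunks are carried only for completeness.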
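Review bot: in both hunks of no-ssl-record-version.patch the `setenv(..., 0)` honours the comment's promise not to override a user-supplied G_TLS_GNUTLS_PRIORITY, which also means anyone who already exported that variable keeps sending SSL 3.0 record headers and does not get `%LATEST_RECORD_VERSION`; say so in the changelog. The patch header should also state which GnuTLS release introduced the `%LATEST_RECORD_VERSION` keyword so the release team can check it against the gnutls28 in jessie, since an unparsed keyword is the one thing that could break an otherwise identical pair of one-line changes.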
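Review bot: the two early returns in nullptr-accessibilitymenulistoption.patch correctly keep the ASSERTs after them, but `return boundingBoxRect();` is silent about when an AccessibilityMenuListOption can lack a parent or grandparent (an option whose popup or menu list has already gone away); a one-line comment on why that state is reachable would stop the next reader from treating the check as dead code.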
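Review bot: `if (!scope) return;` in nullptr-applystylecommand.patch bails out of ApplyStyleCommand::applyBlockStyle() after `highestEditableRoot(...)` with whatever the function did before that point left in place; the surrounding comment says addBlockStyleIfNeeded may moveParagraphs, so state in a comment whether a null scope can only occur before any mutation or whether a partially applied block style is acceptable here.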
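Review bot: replacing the ASSERT with `if (m_inProgress && m_frame.page())` in nullptr-frameprogresstracker.patch silently skips progressCompleted() for a frame whose page has already been detached; that is harmless for the page, but the debug-build signal that progress started and never finished is gone. A comment naming the detached-page case would keep the dropped assert from being read as an oversight and re-added.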
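Review bot: in protect-document.patch, `Ref<Document> protect(document());` is declared after `m_sheet = XSLStyleSheet::create(this, href, baseURL);` and so only covers `parseStyleSheet(sheet)`; if the purpose is to keep the Document alive across code that can drop the last reference, making the protector the first statement of the function is the usual shape and costs nothing. The patch header should also carry the https://codereview.chromium.org/579133004 link from the changelog so the security team can match the fix later, given that the upstream bug is private.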
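Review bot: in render-text-control.patch, `element().renderer()` is now evaluated twice in SearchInputType::didSetValueByUserEdit(), once in the guard and once inside `toRenderSearchField(...)`; fetch it into a local (`auto* renderer = element().renderer();`) so the null check and the cast are guaranteed to see the same pointer.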
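Review bot: the order of the nine new entries in debian/patches/series (no-ssl-record-version, render-text-control, nullptr-frameprogresstracker, ...) differs from the order the changelog lists the same patches; neither is wrong, but aligning them makes it a one-glance check that every patch in series has a changelog entry.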
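Review bot: in twitter-inserted-text.patch the removed block did more than look up the atomic string: it also wrote the found AtomicStringImpl back into `m_value` and reset the 8-bit flag, and that write-back is what the unblock mail calls the string-cache bug. The patch header (`Fix inserted text when typing in the Twitter message box.`) should say that JSString::toExistingAtomicString now leaves `m_value` untouched and why the write-back produced wrong text, otherwise someone will reintroduce the memoisation as an optimisation.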

