Hello community,

here is the log from the commit of package webkit2gtk3 for openSUSE:Factory checked in at 2018-07-23 17:57:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/webkit2gtk3 (Old)
 and      /work/SRC/openSUSE:Factory/.webkit2gtk3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "webkit2gtk3" Mon Jul 23 17:57:48 2018 rev:60 rq:624328 version:2.20.3 Changes: -------- --- /work/SRC/openSUSE:Factory/webkit2gtk3/webkit2gtk3.changes 2018-06-13 15:14:37.831100293 +0200 +++ /work/SRC/openSUSE:Factory/.webkit2gtk3.new/webkit2gtk3.changes 2018-07-23 17:57:51.753165470 +0200 @@ -1,0 +2,6 @@ +Fri Jul 20 15:15:12 UTC 2018 - [email protected] + +- Add webkit2gtk3-boo1101999-off-by-one.patch: fix off-by-one in + xdg_mime_get_simple_globs (boo#1101999 CVE-2018-12911). + +------------------------------------------------------------------- New: ---- webkit2gtk3-boo1101999-off-by-one.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ webkit2gtk3.spec ++++++ --- /var/tmp/diff_new_pack.uwwqLi/_old 2018-07-23 17:57:52.473164572 +0200 +++ /var/tmp/diff_new_pack.uwwqLi/_new 2018-07-23 17:57:52.473164572 +0200 @@ -54,6 +54,8 @@ Patch1: webkit2gtk3-python3.patch # PATCh-FIX-UPSTREAM webkit2gtk3-boo1088932-a11y-state-set.patch boo#1088932 webkit#184366 [email protected] -- fix crash when atk_object_ref_state_set is called on an AtkObject that's being destroyed. Patch2: webkit2gtk3-boo1088932-a11y-state-set.patch +# PATCH-FIX-UPSTREAM webkit2gtk3-boo1101999-off-by-one.patch boo#1101999 [email protected] -- fix off-by-one error in xdg_mime_get_simple_globs (CVE-2018-12911). +Patch3: webkit2gtk3-boo1101999-off-by-one.patch BuildRequires: Mesa-libEGL-devel BuildRequires: Mesa-libGL-devel @@ -264,6 +266,7 @@ %patch1 -p1 %endif %patch2 -p1 +%patch3 %build # Here we must muzzle our dog so it doesn't eat all the memory ++++++ webkit2gtk3-boo1101999-off-by-one.patch ++++++ Index: Source/ThirdParty/xdgmime/src/xdgmimecache.c =================================================================== --- Source/ThirdParty/xdgmime/src/xdgmimecache.c (revision 233403) +++ Source/ThirdParty/xdgmime/src/xdgmimecache.c (revision 233404) 
@@ -1047,6 +1047,9 @@ xdg_uint32_t child_offset; int i; + assert (*n >= 0); + assert (depth >= 0); + if (*n >= n_globs) return FALSE; @@ -1055,7 +1058,7 @@ xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4); if (strcasecmp (cache->buffer + mime_offset, mime) == 0) { - globs[*n] = malloc (depth * sizeof (char)); + globs[*n] = malloc ((depth + 1) * sizeof (char)); for (i = 0; i < depth; i++) globs[*n][depth - i - 1] = prefix[i]; globs[*n][depth] = '\0'; Index: Source/ThirdParty/xdgmime/src/xdgmimeglob.c =================================================================== --- Source/ThirdParty/xdgmime/src/xdgmimeglob.c (revision 233403) +++ Source/ThirdParty/xdgmime/src/xdgmimeglob.c (revision 233404) @@ -484,6 +484,9 @@ xdg_unichar_t *prefix, int depth) { + assert (*n >= 0); + assert (depth >= 0); + if (*n >= n_globs) return FALSE; @@ -495,7 +498,7 @@ { int i; - globs[*n] = malloc (depth * sizeof (char)); + globs[*n] = malloc ((depth + 1) * sizeof (char)); for (i = 0; i < depth; i++) globs[*n][depth - i - 1] = prefix[i]; globs[*n][depth] = '\0';
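Review bot: in the webkit2gtk3.spec %prep hunk, `%patch3` is applied with no strip level while `%patch1 -p1` and `%patch2 -p1` directly above it state one. The new patch's paths start at `Source/ThirdParty/xdgmime/src/` with no leading directory component, so stripping nothing is what it needs, but relying on the default reads like an omission next to the other two. Write `%patch3 -p0` so the intent is explicit, or regenerate the patch with a leading path component so all three apply with `-p1`.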
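Review bot: in the xdgmimecache.c hunk at line 1047, the new `assert (*n >= 0);` and `assert (depth >= 0);` are the only guard on those values, and `assert` is compiled out when NDEBUG is defined, so a release build still reaches `malloc ((depth + 1) * sizeof (char))` and `globs[*n][depth] = '\0'` unchecked. If a negative value can actually arrive here, reject it the way the existing `if (*n >= n_globs) return FALSE;` does instead of asserting. In the hunk at line 1055 the malloc result is written through in the loop without a NULL check. Neither hunk adds `#include <assert.h>`, so confirm the file already includes it.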
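Review bot: in the xdgmimeglob.c hunk at line 495, `prefix` is declared `xdg_unichar_t *` in the signature above, yet each element is stored into a buffer sized in `char` units by `globs[*n][depth - i - 1] = prefix[i];`. The `depth + 1` allocation fixes the terminator write, but any prefix value that does not fit in a char is silently narrowed; add a comment stating that only single-byte values are expected here, or skip entries that do not fit. The same allocate, reverse-copy and terminate sequence is now patched identically in xdgmimecache.c and xdgmimeglob.c, so a shared helper would keep the size calculation in one place.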
