Hi there!

squeeze was frozen the last week as you know. This vulnerability [1] was already solved by Gustavo Noronha in unstable, but it's not solved in squeeze and lenny yet. The bug was reported by Nico Golde [1] (thanks for a very good bug report). The patch was distributed by upstream. [2] More information about this CVE can be found in [3] and [4].

Attached is the debdiff that includes the patch that can be used to solve this issue.

I'm not an official DM or DD, so please review my work expecting newbie mistakes.

Best regards,

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586547
[2] http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderListMarker.cpp?r1=48100&r2=48099
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2304
[4] http://security-tracker.debian.org/tracker/CVE-2010-2304
diff -Nru webkit-1.2.1/debian/changelog webkit-1.2.1/debian/changelog --- webkit-1.2.1/debian/changelog 2010-05-17 16:40:43.000000000 +0200 +++ webkit-1.2.1/debian/changelog 2010-08-09 03:56:20.000000000 +0200 @@ -1,3 +1,10 @@ +webkit (1.2.1-2~squeeze1) testing-security; urgency=high + + * Non-maintainer upload. + * Memory corruption in rendering of list markers. CVE-2010-2304. (Closes: #586547) + + -- Jose Antonio Quevedo Muñoz <[email protected]> Fri, 11 Aug 2010 05:14:25 +0200 + webkit (1.2.1-2) unstable; urgency=high * debian/patches/01-fix-bashism-in-build.diff: diff -Nru webkit-1.2.1/debian/patches/02-fix_586547.patch webkit-1.2.1/debian/patches/02-fix_586547.patch --- webkit-1.2.1/debian/patches/02-fix_586547.patch 1970-01-01 01:00:00.000000000 +0100 +++ webkit-1.2.1/debian/patches/02-fix_586547.patch 2010-08-10 22:35:31.000000000 +0200 
@@ -0,0 +1,43 @@ +Description: Upstream changes introduced in version 1.2.1-2~squeeze1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully it gives details on why + those changes were made: + . + webkit (1.2.1-2~squeeze1) testing-security; urgency=high + . + * Non-maintainer upload. + * Memory corruption in rendering of list markers. CVE-2010-2304. (Closes: #586547) + . + The person named in the Author field signed this changelog entry. +Author: Jose Antonio Quevedo Muñoz <[email protected]> +Bug-Debian: http://bugs.debian.org/586547 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: chromium.org, http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderListMarker.cpp?r1=48100&r2=48099 +Bug: <url in upstream bugtracker> +Bug-Debian: http://bugs.debian.org/586547 +Forwarded: not-needed +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: <2010-08-11> + +--- webkit-1.2.1.orig/WebCore/rendering/RenderListMarker.cpp ++++ webkit-1.2.1/WebCore/rendering/RenderListMarker.cpp +@@ -101,8 +101,11 @@ static inline String toAlphabeticOrNumer + int length = 1; + + if (type == AlphabeticSequence) { +- while ((numberShadow /= sequenceSize) > 0) +- letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize - 1]; ++ while ((numberShadow /= sequenceSize) > 0){ ++ --numberShadow; ++ ++ letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize]; ++ } + } else { + while ((numberShadow /= sequenceSize) > 0) + letters[lettersSize - ++length] = sequence[numberShadow % sequenceSize]; diff -Nru webkit-1.2.1/debian/patches/series webkit-1.2.1/debian/patches/series --- webkit-1.2.1/debian/patches/series 2010-05-17 16:41:03.000000000 +0200 +++ 
webkit-1.2.1/debian/patches/series 2010-08-10 22:35:15.000000000 +0200 @@ -1,2 +1,3 @@ 01-fix-bashism-in-build.diff debian-changes-1.2.1-2 +02-fix_586547.patch
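Review bot: the weekday in the new changelog entry is wrong: 11 Aug 2010 was a Wednesday, so the trailer `-- Jose Antonio Quevedo Muñoz <[email protected]> Fri, 11 Aug 2010 05:14:25 +0200` will trip dpkg-parsechangelog and lintian's day-of-week check. Regenerate the line with `dch` or `date -R` rather than typing it by hand. Version `1.2.1-2~squeeze1` with `testing-security` is otherwise right, since it sorts below the `1.2.1-2` already in unstable.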
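Review bot: the DEP-3 header of debian/patches/02-fix_586547.patch still contains the dpkg-source template text and unfilled placeholders, and the Description claims the patch "has been created by dpkg-source during the package build", which is not what this file is. Drop the paragraph beginning `The information above should follow the Patch Tagging Guidelines`, the `Bug: <url in upstream bugtracker>` and `Reviewed-By: <name and email of someone who approved the patch>` lines, and write `Last-Update: 2010-08-11` without the angle brackets; a one-line Description such as "Memory corruption in rendering of list markers (CVE-2010-2304)" plus the existing `Origin:` line pointing at the chromium.org r48100 diff is what a reviewer needs. The code change itself matches the upstream fix: the old `sequence[numberShadow % sequenceSize - 1]` evaluates to index -1 whenever `numberShadow` is an exact multiple of `sequenceSize`, and pre-decrementing `numberShadow` before the modulo removes that case while keeping the sequence shift correct. The only nit in the C++ is the missing space in `> 0){`, which does not match the surrounding WebKit style.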
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

