- WebKit security update: CVE-2010-0046, CVE-2010-0049, CVE-2010-0050,

CVE-2010-0051, CVE-2010-0052, CVE-2010-0054

qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch

@@ -0,0 +1,267 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSGrammar.y	2010-02-25 17:07:29.114742034 +0100
+@@ -416,7 +416,9 @@ valid_rule:
+   ;
+ 
+ rule:
+-    valid_rule
++    valid_rule {
++        static_cast<CSSParser*>(parser)->m_hadSyntacticallyValidCSSRule = true;
++    }
+   | invalid_rule
+   | invalid_at
+   | invalid_import
+@@ -1517,8 +1519,12 @@ invalid_rule:
+     ;
+ 
+ invalid_block:
+-    '{' error invalid_block_list error closing_brace
+-  | '{' error closing_brace
++    '{' error invalid_block_list error closing_brace {
++        static_cast<CSSParser*>(parser)->invalidBlockHit();
++    }
++  | '{' error closing_brace {
++        static_cast<CSSParser*>(parser)->invalidBlockHit();
++    }
+     ;
+ 
+ invalid_block_list:
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp	2010-02-25 17:13:34.292803953 +0100
+@@ -25,6 +25,7 @@
+ #include "CachedCSSStyleSheet.h"
+ #include "DocLoader.h"
+ #include "Document.h"
++#include "SecurityOrigin.h"
+ #include "MediaList.h"
+ #include "Settings.h"
+ #include <wtf/StdLibExtras.h>
+@@ -60,11 +61,21 @@ void CSSImportRule::setCSSStyleSheet(con
+         m_styleSheet->setParent(0);
+     m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ 
++    bool crossOriginCSS = false;
++    bool validMIMEType = false;
+     CSSStyleSheet* parent = parentStyleSheet();
+     bool strict = !parent || parent->useStrictParsing();
+-    String sheetText = sheet->sheetText(strict);
++    bool enforceMIMEType = strict;
++
++    String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+     m_styleSheet->parseString(sheetText, strict);
+ 
++    if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++        crossOriginCSS = true;
++
++    if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
++        m_styleSheet = CSSStyleSheet::create(this, url, charset);
++
+     if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
+         // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+         DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-25 17:07:29.101741771 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.cpp	2010-02-25 17:07:29.117741744 +0100
+@@ -139,6 +139,7 @@ CSSParser::CSSParser(bool strictParsing)
+     , m_currentShorthand(0)
+     , m_implicitShorthand(false)
+     , m_hasFontFaceOnlyValues(false)
++    , m_hadSyntacticallyValidCSSRule(false)
+     , m_defaultNamespace(starAtom)
+     , m_data(0)
+     , yy_start(1)
+@@ -5175,6 +5176,12 @@ WebKitCSSKeyframeRule* CSSParser::create
+     return keyframePtr;
+ }
+ 
++void CSSParser::invalidBlockHit()
++{
++    if (m_styleSheet && !m_hadSyntacticallyValidCSSRule)
++        m_styleSheet->setHasSyntacticallyValidCSSHeader(false);
++}
++
+ static int cssPropertyID(const UChar* propertyName, unsigned length)
+ {
+     if (!length)
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSParser.h	2010-02-25 17:07:29.117741744 +0100
+@@ -191,6 +191,7 @@ namespace WebCore {
+         bool addVariableDeclarationBlock(const CSSParserString&);
+         bool checkForVariables(CSSParserValueList*);
+         void addUnresolvedProperty(int propId, bool important);
++        void invalidBlockHit();
+         
+         Vector<CSSSelector*>* reusableSelectorVector() { return &m_reusableSelectorVector; }
+         
+@@ -212,6 +213,7 @@ namespace WebCore {
+         bool m_implicitShorthand;
+ 
+         bool m_hasFontFaceOnlyValues;
++        bool m_hadSyntacticallyValidCSSRule;
+ 
+         Vector<String> m_variableNames;
+         Vector<RefPtr<CSSValue> > m_variableValues;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp	2010-02-25 17:07:29.118741824 +0100
+@@ -41,6 +41,7 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
+     , m_loadCompleted(false)
+     , m_strictParsing(!parentSheet || parentSheet->useStrictParsing())
+     , m_isUserStyleSheet(parentSheet ? parentSheet->isUserStyleSheet() : false)
++    , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+ 
+@@ -52,6 +53,7 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
+     , m_loadCompleted(false)
+     , m_strictParsing(false)
+     , m_isUserStyleSheet(false)
++    , m_hasSyntacticallyValidCSSHeader(true)
+ {
+ }
+ 
+@@ -61,6 +63,7 @@ CSSStyleSheet::CSSStyleSheet(CSSRule* ow
+     , m_charset(charset)
+     , m_loadCompleted(false)
+     , m_strictParsing(!ownerRule || ownerRule->useStrictParsing())
++    , m_hasSyntacticallyValidCSSHeader(true)
+ {
+     CSSStyleSheet* parentSheet = ownerRule ? ownerRule->parentStyleSheet() : 0;
+     m_doc = parentSheet ? parentSheet->doc() : 0;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h	2010-02-25 17:07:29.118741824 +0100
+@@ -95,6 +95,8 @@ public:
+ 
+     void setIsUserStyleSheet(bool b) { m_isUserStyleSheet = b; }
+     bool isUserStyleSheet() const { return m_isUserStyleSheet; }
++    void setHasSyntacticallyValidCSSHeader(bool b) { m_hasSyntacticallyValidCSSHeader = b; }
++    bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
+ 
+ private:
+     CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
+@@ -110,6 +112,7 @@ private:
+     bool m_loadCompleted : 1;
+     bool m_strictParsing : 1;
+     bool m_isUserStyleSheet : 1;
++    bool m_hasSyntacticallyValidCSSHeader : 1;
+ };
+ 
+ } // namespace
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp	2010-02-25 17:07:29.118741824 +0100
+@@ -203,7 +203,10 @@ void ProcessingInstruction::setCSSStyleS
+ #endif
+     RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
+     m_sheet = newSheet;
+-    parseStyleSheet(sheet->sheetText());
++    // We don't need the cross-origin security check here because we are
++    // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
++    // type.
++    parseStyleSheet(sheet->sheetText(true));
+     newSheet->setTitle(m_title);
+     newSheet->setMedia(MediaList::create(newSheet.get(), m_media));
+     newSheet->setDisabled(m_alternate);
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp	2010-02-25 17:07:29.119741915 +0100
+@@ -260,14 +260,27 @@ void HTMLLinkElement::setCSSStyleSheet(c
+     bool strictParsing = !document()->inCompatMode();
+     bool enforceMIMEType = strictParsing;
+ 
++    bool crossOriginCSS = false;
++    bool validMIMEType = false;
+     // Check to see if we should enforce the MIME type of the CSS resource in strict mode.
+     // Running in iWeb 2 is one example of where we don't want to - <rdar://problem/6099748>
+     if (enforceMIMEType && document()->page() && !document()->page()->settings()->enforceCSSMIMETypeInStrictMode())
+         enforceMIMEType = false;
+ 
+-    String sheetText = sheet->sheetText(enforceMIMEType);
++    String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+     m_sheet->parseString(sheetText, strictParsing);
+ 
++    // If we're loading a stylesheet cross-origin, and the MIME type is not
++    // standard, require the CSS to at least start with a syntactically
++    // valid CSS rule.
++    // This prevents an attacker playing games by injecting CSS strings into
++    // HTML, XML, JSON, etc. etc.
++    if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++        crossOriginCSS = true;
++
++    if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
++        m_sheet = CSSStyleSheet::create(this, url, charset);
++
+     if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
+         // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+         DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp	2010-02-25 17:07:29.119741915 +0100
+@@ -71,11 +71,11 @@ String CachedCSSStyleSheet::encoding() c
+     return m_decoder->encoding().name();
+ }
+     
+-const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType) const 
++const String CachedCSSStyleSheet::sheetText(bool enforceMIMEType, bool* hasValidMIMEType) const 
+ { 
+     ASSERT(!isPurgeable());
+ 
+-    if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType))
++    if (!m_data || m_data->isEmpty() || !canUseSheet(enforceMIMEType, hasValidMIMEType))
+         return String();
+     
+     if (!m_decodedSheetText.isNull())
+@@ -122,12 +122,12 @@ void CachedCSSStyleSheet::error()
+     checkNotify();
+ }
+ 
+-bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType) const
++bool CachedCSSStyleSheet::canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const
+ {
+     if (errorOccurred())
+         return false;
+         
+-    if (!enforceMIMEType)
++    if (!enforceMIMEType && !hasValidMIMEType)
+         return true;
+ 
+     // This check exactly matches Firefox.  Note that we grab the Content-Type
+@@ -138,7 +138,12 @@ bool CachedCSSStyleSheet::canUseSheet(bo
+     // This code defaults to allowing the stylesheet for non-HTTP protocols so
+     // folks can use standards mode for local HTML documents.
+     String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField("Content-Type"));
+-    return mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++    bool typeOK = mimeType.isEmpty() || equalIgnoringCase(mimeType, "text/css") || equalIgnoringCase(mimeType, "application/x-unknown-content-type");
++    if (hasValidMIMEType)
++        *hasValidMIMEType = typeOK;
++    if (!enforceMIMEType)
++        return true;
++    return typeOK;
+ }
+  
+ }
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h.cve-2010-0051-lax-css-parsing-cross-domain-theft	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.h	2010-02-25 17:07:29.120741848 +0100
+@@ -40,7 +40,7 @@ namespace WebCore {
+         CachedCSSStyleSheet(const String& URL, const String& charset);
+         virtual ~CachedCSSStyleSheet();
+ 
+-        const String sheetText(bool enforceMIMEType = true) const;
++        const String sheetText(bool enforceMIMEType = true, bool* hasValidMIMEType = 0) const;
+ 
+         virtual void didAddClient(CachedResourceClient*);
+         
+@@ -56,7 +56,7 @@ namespace WebCore {
+         void checkNotify();
+     
+     private:
+-        bool canUseSheet(bool enforceMIMEType) const;
++        bool canUseSheet(bool enforceMIMEType, bool* hasValidMIMEType) const;
+ 
+     protected:
+         RefPtr<TextResourceDecoder> m_decoder;

qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch

@@ -0,0 +1,85 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp	2010-02-25 15:50:05.987741463 +0100
+@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
+ 
+ void HTMLFormElement::registerImgElement(HTMLImageElement* e)
+ {
++    ASSERT(imgElements.find(e) == notFound);
+     imgElements.append(e);
+ }
+ 
+ void HTMLFormElement::removeImgElement(HTMLImageElement* e)
+ {
++    ASSERT(imgElements.find(e) == notFound);
+     removeFromVector(imgElements, e);
+ }
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp	2010-02-25 15:43:45.016742027 +0100
+@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
+     HTMLElement::removedFromDocument();
+ }
+ 
++void HTMLImageElement::insertedIntoTree(bool deep)
++{
++    if (m_form) {
++        // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
++#ifndef NDEBUG
++        for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
++            ASSERT(ancestor);
++            if (ancestor->hasTagName(formTag)) {
++                ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
++                break;
++            }
++        }
++#endif
++    } else {
++        for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
++            if (ancestor->hasTagName(formTag)) {
++                m_form = static_cast<HTMLFormElement*>(ancestor);
++                m_form->registerImgElement(this);
++                break;
++            }
++        }
++    }
++
++    HTMLElement::insertedIntoTree(deep);
++}
++
++void HTMLImageElement::removedFromTree(bool deep)
++{
++    if (m_form)
++        m_form->removeImgElement(this);
++    m_form = 0;
++    HTMLElement::removedFromTree(deep);
++}
++
+ int HTMLImageElement::width(bool ignorePendingStylesheets) const
+ {
+     if (!renderer()) {
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h	2010-02-25 15:41:18.340929598 +0100
+@@ -45,8 +45,6 @@ public:
+ 
+     virtual void attach();
+     virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+-    virtual void insertedIntoDocument();
+-    virtual void removedFromDocument();
+ 
+     virtual bool canStartSelection() const { return false; }
+ 
+@@ -105,6 +103,11 @@ public:
+     virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
+ 
+ private:
++    virtual void insertedIntoDocument();
++    virtual void removedFromDocument();
++    virtual void insertedIntoTree(bool deep);
++    virtual void removedFromTree(bool deep);
++
+     HTMLImageLoader m_imageLoader;
+     String usemap;
+     bool ismap;

qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch

@@ -0,0 +1,25 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption	2009-09-29 13:01:35.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp	2010-02-04 15:00:24.778776273 +0100
+@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp
+     return false;
+ }
+ 
++static bool isValidFormatFunction(CSSParserValue* val)
++{
++    CSSParserValueList* args = val->function->args;
++    return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
++}
++
+ bool CSSParser::parseFontFaceSrc()
+ {
+     RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
+@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc()
+                     CSSParserValue* a = args->current();
+                     uriValue.clear();
+                     parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
+-                } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
++                } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
+                     expectComma = true;
+                     allowFormat = false;
+                     uriValue->setFormat(args->current()->string);

qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch

@@ -0,0 +1,29 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp.cve-2010-0049-freed-line-boxes-ltr-rtl	2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/rendering/RenderText.cpp	2010-02-04 15:43:15.707711730 +0100
+@@ -1025,8 +1025,15 @@ void RenderText::position(InlineBox* box
+     if (!s->m_len) {
+         // We want the box to be destroyed.
+         s->remove();
++        if (m_firstTextBox == s)
++            m_firstTextBox = s->nextTextBox();
++        else
++            s->prevTextBox()->setNextLineBox(s->nextTextBox());
++        if (m_lastTextBox == s)
++            m_lastTextBox = s->prevTextBox();
++        else
++            s->nextTextBox()->setPreviousLineBox(s->prevTextBox());
+         s->destroy(renderArena());
+-        m_firstTextBox = m_lastTextBox = 0;
+         return;
+     }
+ 
+@@ -1203,7 +1210,7 @@ void RenderText::checkConsistency() cons
+ #ifdef CHECK_CONSISTENCY
+     const InlineTextBox* prev = 0;
+     for (const InlineTextBox* child = m_firstTextBox; child != 0; child = child->nextTextBox()) {
+-        ASSERT(child->object() == this);
++        ASSERT(child->renderer() == this);
+         ASSERT(child->prevTextBox() == prev);
+         prev = child;
+     }

qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch

@@ -0,0 +1,13 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp.cve-2010-0050-crash-misnested-style-tags	2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLParser.cpp	2010-02-04 15:54:25.399651321 +0100
+@@ -1208,7 +1208,8 @@ void HTMLParser::handleResidualStyleClos
+             prevMaxElem->next = elem;
+             ASSERT(newNodePtr);
+             prevMaxElem->node = newNodePtr;
+-            prevMaxElem->didRefNode = false;
++            newNodePtr->ref();
++            prevMaxElem->didRefNode = true;
+         } else
+             delete elem;
+     }

qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch

@@ -0,0 +1,21 @@
+diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp
+--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp.cve-2010-0052-destroyed-input-cached	2009-09-29 13:01:36.000000000 +0200
++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/html/HTMLInputElement.cpp	2010-02-04 17:50:07.931656712 +0100
+@@ -616,12 +616,15 @@ void HTMLInputElement::parseMappedAttrib
+             m_autocomplete = Off;
+             registerForActivationCallbackIfNeeded();
+         } else {
+-            if (m_autocomplete == Off)
+-                unregisterForActivationCallbackIfNeeded();
++            bool needsToUnregister = m_autocomplete == Off;
++
+             if (attr->isEmpty())
+                 m_autocomplete = Uninitialized;
+             else
+                 m_autocomplete = On;
++
++            if (needsToUnregister)
++                unregisterForActivationCallbackIfNeeded();
+         }
+     } else if (attr->name() == typeAttr) {
+         setInputType(attr->value());

qt.spec

@@ -13,7 +13,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.6.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -60,6 +60,12 @@ Patch54: qt-x11-opensource-src-4.5.1-mysql_config.patch
 Patch55: qt-everywhere-opensource-src-4.6.2-cups.patch
 
 # security patches
+Patch100: qt-x11-opensource-src-4.5.3-cve-2010-0046-css-format-mem-corruption.patch
+Patch101: qt-x11-opensource-src-4.5.3-cve-2010-0049-freed-line-boxes-ltr-rtl.patch
+Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.patch
+Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch
+Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
+Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
 
 # kde-qt git patches
 Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@@ -410,6 +416,12 @@ Qt libraries used for drawing widgets and OpenGL items.
 %patch55 -p1 -b .cups-1
 
 # security fixes
+%patch100 -p1 -b .cve-2010-0046-css-format-mem-corruption
+%patch101 -p1 -b .cve-2010-0049-freed-line-boxes-ltr-rtl
+%patch102 -p1 -b .cve-2010-0050-crash-misnested-style-tags
+%patch103 -p1 -b .cve-2010-0052-destroyed-input-cached
+%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
+%patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter
 
 # kde-qt branch
 %patch201 -p1 -b .kde-qt-0001
@@ -1015,6 +1027,11 @@ fi
 
 
 %changelog
+* Wed Mar 17 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.2-8
+- WebKit security update:
+  CVE-2010-0046, CVE-2010-0049, CVE-2010-0050, CVE-2010-0051,
+  CVE-2010-0052, CVE-2010-0054
+
 * Sat Mar 13 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.6.2-7
 - BR alsa-lib-devel (for QtMultimedia)