- WebKit security update: CVE-2010-1119, CVE-2010-1400, CVE-2010-1778

2010-06-15 13:17:58 +00:00 · 2010-06-15 13:17:58 +00:00 · ff19172b12
parent d4493eb02b
commit ff19172b12
4 changed files with 78 additions and 16 deletions
--- a/qt-everywhere-opensource-src-4.6.3-CVE-2010-1119.patch
+++ b/qt-everywhere-opensource-src-4.6.3-CVE-2010-1119.patch
@ -0,0 +1,15 @@
+diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp.CVE-2010-1119 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp
+--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp.CVE-2010-1119	2010-06-02 04:03:12.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/dom/Node.cpp	2010-06-15 13:11:55.974470742 +0200
+@@ -910,7 +910,10 @@ void Node::notifyLocalNodeListsAttribute
+     if (!data->nodeLists())
+         return;
+ 
+-    data->nodeLists()->invalidateCachesThatDependOnAttributes();
+    if (!isAttributeNode())
+        data->nodeLists()->invalidateCachesThatDependOnAttributes();
+    else
+        data->nodeLists()->invalidateCaches();
+ 
+     if (data->nodeLists()->isEmpty()) {
+         data->clearNodeLists();
--- a/qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
+++ b/qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
@ -1,11 +1,21 @@
-Pouze v qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore: changeset_r54521.diff
-diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp
--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp	2010-06-02 04:03:11.000000000 +0200
-+++ qt-everywhere-opensource-src-4.6.3-CVE-2010-1400/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp	2010-06-10 21:43:55.916193363 +0200
-@@ -1684,6 +1684,15 @@
-     if (repaintContainer == this)
-         return;
+diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp.CVE-2010-1400 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp
+--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp.CVE-2010-1400	2010-06-02 04:03:11.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/rendering/RenderObject.cpp	2010-06-15 13:55:36.853463455 +0200
+@@ -1611,7 +1611,7 @@ void RenderObject::styleWillChange(Style
+     }
+ }
 
+-void RenderObject::styleDidChange(StyleDifference diff, const RenderStyle*)
+void RenderObject::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+ {
+     if (s_affectsParentBlock)
+         handleDynamicFloatPositionChange();
+@@ -1619,9 +1619,17 @@ void RenderObject::styleDidChange(StyleD
+     if (!m_parent)
+         return;
+     
+-    if (diff == StyleDifferenceLayout)
+    if (diff == StyleDifferenceLayout) {
 +        // If the object already needs layout, then setNeedsLayout won't do
 +        // any work. But if the containing block has changed, then we may need
 +        // to make the new containing blocks for layout. The change that can
@ -14,7 +24,9 @@ diff -ur qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/renderin
 +        if (m_needsLayout && oldStyle->position() != m_style->position())
 +            markContainingBlocksForLayout();
 +
-+
-     RenderObject* o = parent();
-     if (!o)
-         return;
+         setNeedsLayoutAndPrefWidthsRecalc();
+-    else if (diff == StyleDifferenceLayoutPositionedMovementOnly)
+    } else if (diff == StyleDifferenceLayoutPositionedMovementOnly)
+         setNeedsPositionedMovementLayout();
+ 
+     // Don't check for repaint here; we need to wait until the layer has been
--- a/qt-everywhere-opensource-src-4.6.3-CVE-2010-1778.patch
+++ b/qt-everywhere-opensource-src-4.6.3-CVE-2010-1778.patch
@ -0,0 +1,29 @@
+diff -up qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp.CVE-2010-1778 qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp
+--- qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp.CVE-2010-1778	2010-06-11 16:12:55.786338275 +0200
+++ qt-everywhere-opensource-src-4.6.3/src/3rdparty/webkit/WebCore/page/FrameView.cpp	2010-06-15 13:23:21.114401487 +0200
+@@ -1189,14 +1189,13 @@ void FrameView::scheduleRelayoutOfSubtre
+ {
+     ASSERT(m_frame->view() == this);
+ 
+-    if (!m_layoutSchedulingEnabled || (m_frame->contentRenderer()
+-            && m_frame->contentRenderer()->needsLayout())) {
+    if (m_frame->contentRenderer() && m_frame->contentRenderer()->needsLayout()) {
+         if (relayoutRoot)
+             relayoutRoot->markContainingBlocksForLayout(false);
+         return;
+     }
+ 
+-    if (layoutPending()) {
+    if (layoutPending() || !m_layoutSchedulingEnabled) {
+         if (m_layoutRoot != relayoutRoot) {
+             if (isObjectAncestorContainerOf(m_layoutRoot, relayoutRoot)) {
+                 // Keep the current root
+@@ -1213,7 +1212,7 @@ void FrameView::scheduleRelayoutOfSubtre
+                 relayoutRoot->markContainingBlocksForLayout(false);
+             }
+         }
+-    } else {
+    } else if (m_layoutSchedulingEnabled) {
+         int delay = m_frame->document()->minimumLayoutDelay();
+         m_layoutRoot = relayoutRoot;
+         m_delayedLayout = delay != 0;
--- a/qt.spec
+++ b/qt.spec
@ -13,7 +13,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.6.3
-Release: 2%{?dist}
+Release: 3%{?dist}

 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -72,13 +72,13 @@ Patch110: qt-everywhere-opensource-src-4.6.3-CVE-2010-1392.patch
 Patch111: qt-everywhere-opensource-src-4.6.3-CVE-2010-1396.patch
 Patch112: qt-everywhere-opensource-src-4.6.3-CVE-2010-1397.patch
 Patch113: qt-everywhere-opensource-src-4.6.3-CVE-2010-1398.patch
-# oldStyle undefined in RenderObject::mapLocalToContainer
-# disable before backporting
-#Patch114: qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
+Patch114: qt-everywhere-opensource-src-4.6.3-CVE-2010-1400.patch
 Patch115: qt-everywhere-opensource-src-4.6.3-CVE-2010-1412.patch
 Patch116: qt-everywhere-opensource-src-4.6.3-CVE-2010-1770.patch
 Patch117: qt-everywhere-opensource-src-4.6.3-CVE-2010-1773.patch
 Patch118: qt-everywhere-opensource-src-4.6.3-CVE-2010-1774.patch
+Patch119: qt-everywhere-opensource-src-4.6.3-CVE-2010-1119.patch
+Patch120: qt-everywhere-opensource-src-4.6.3-CVE-2010-1778.patch

 # kde-qt git patches
 Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@ -445,11 +445,13 @@ Qt libraries used for drawing widgets and OpenGL items.
 %patch111 -p1 -b .CVE-2010-1396
 %patch112 -p1 -b .CVE-2010-1397
 %patch113 -p1 -b .CVE-2010-1398
-#patch114 -p1 -b .CVE-2010-1400
+%patch114 -p1 -b .CVE-2010-1400
 %patch115 -p1 -b .CVE-2010-1412
 %patch116 -p1 -b .CVE-2010-1770
 %patch117 -p1 -b .CVE-2010-1773
 %patch118 -p1 -b .CVE-2010-1774
+%patch119 -p1 -b .CVE-2010-1119
+%patch120 -p1 -b .CVE-2010-1778


 # kde-qt branch
@ -1052,6 +1054,10 @@ fi


 %changelog
+* Tue Jun 15 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.3-3
+- WebKit security update:
+  CVE-2010-1119, CVE-2010-1400, CVE-2010-1778
+
 * Fri Jun 11 2010 Jaroslav Reznik <jreznik@redhat.com> - 4.6.3-2
 - WebKit security update:
  CVE-2010-1303_1304, CVE-2010-1392, CVE-2010-1396, CVE-2010-1397,