[Pkg-chromium-commit] [SCM] Git repository for pkg-chromium branch, squeeze, updated. a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8

Giuseppe Iuculano iuculano at debian.org
Wed Aug 31 15:48:53 UTC 2011


The following commit has been merged in the squeeze branch:
commit a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8
Author: Giuseppe Iuculano <iuculano at debian.org>
Date:   Wed Aug 31 17:48:44 2011 +0200

    CVE-2011-2800

diff --git a/debian/changelog b/debian/changelog
index 11b89de..ab55b8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,8 +5,10 @@ chromium-browser (6.0.472.63~r59945-5+squeeze6) UNRELEASED; urgency=low
     Credit to miaubiz.
   * Fixed CVE-2011-2818: Use-after-free in display box rendering.
     Credit to Martin Barbella.
+  * Fixed CVE-2011-2800: Leak of client-side redirect target.
+    Credit to Juho Nurminen
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Wed, 31 Aug 2011 17:42:42 +0200
+ -- Giuseppe Iuculano <iuculano at debian.org>  Wed, 31 Aug 2011 17:47:56 +0200
 
 chromium-browser (6.0.472.63~r59945-5+squeeze5) stable-security; urgency=low
 
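Review bot: the added changelog line "Credit to Juho Nurminen" is missing the trailing period that the neighbouring entries ("Credit to miaubiz.", "Credit to Martin Barbella.") carry; suggest "Credit to Juho Nurminen." so the entries read consistently.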
diff --git a/debian/patches/CVE-2011-2800.patch b/debian/patches/CVE-2011-2800.patch
new file mode 100644
index 0000000..aa9b285
--- /dev/null
+++ b/debian/patches/CVE-2011-2800.patch
@@ -0,0 +1,17 @@
+--- a/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp
++++ b/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp
+@@ -1535,7 +1535,13 @@ void FrameLoader::loadWithDocumentLoader
+             loader->setTriggeringAction(NavigationAction(newURL, policyChecker()->loadType(), isFormSubmission));
+ 
+         if (Element* ownerElement = m_frame->document()->ownerElement()) {
+-            if (!ownerElement->dispatchBeforeLoadEvent(loader->request().url().string())) {
++            // We skip dispatching the beforeload event if we've already
++            // committed a real document load because the event would leak
++            // subsequent activity by the frame which the parent frame isn't
++            // supposed to learn. For example, if the child frame navigated to
++            // a new URL, the parent frame shouldn't learn the URL.
++            if (!m_stateMachine.committedFirstRealDocumentLoad()
++                && !ownerElement->dispatchBeforeLoadEvent(loader->request().url().string())) {
+                 continueLoadAfterNavigationPolicy(loader->request(), formState, false);
+                 return;
+             }
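Review bot: the new patch file has no DEP-3 header (Description/Origin/Bug lines) before the "--- a/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp" line, so nothing inside debian/patches records that it addresses CVE-2011-2800 or which upstream WebKit change it backports; suggest adding at least "Description: CVE-2011-2800: Leak of client-side redirect target" and an "Origin:" line. The logic of the change itself reads correctly: "!m_stateMachine.committedFirstRealDocumentLoad() && !ownerElement->dispatchBeforeLoadEvent(...)" short-circuits, so the beforeload event is no longer dispatched to the owner element once the frame has committed a real document load, which is exactly what the in-code comment describes, and the hunk header (-1535,7 +1535,13) is consistent with the six added lines.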
diff --git a/debian/patches/series b/debian/patches/series
index 4149fad..3062146 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,3 +81,4 @@ CVE-2011-1797.patch
 CVE-2011-1799.patch
 CVE-2011-2824.patch
 CVE-2011-2818.patch
+CVE-2011-2800.patch

-- 
Git repository for pkg-chromium
