[Pkg-chromium-commit] [SCM] Git repository for pkg-chromium branch, squeeze, updated. a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8
Giuseppe Iuculano
iuculano at debian.org
Wed Aug 31 15:48:53 UTC 2011
The following commit has been merged in the squeeze branch:
commit a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8
Author: Giuseppe Iuculano <iuculano at debian.org>
Date: Wed Aug 31 17:48:44 2011 +0200
CVE-2011-2800
diff --git a/debian/changelog b/debian/changelog
index 11b89de..ab55b8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,8 +5,10 @@ chromium-browser (6.0.472.63~r59945-5+squeeze6) UNRELEASED; urgency=low
Credit to miaubiz.
* Fixed CVE-2011-2818: Use-after-free in display box rendering.
Credit to Martin Barbella.
+ * Fixed CVE-2011-2800: Leak of client-side redirect target.
+ Credit to Juho Nurminen
- -- Giuseppe Iuculano <iuculano at debian.org> Wed, 31 Aug 2011 17:42:42 +0200
+ -- Giuseppe Iuculano <iuculano at debian.org> Wed, 31 Aug 2011 17:47:56 +0200
chromium-browser (6.0.472.63~r59945-5+squeeze5) stable-security; urgency=low
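Review bot: the new credit line "+ Credit to Juho Nurminen" is missing the terminating period that the neighbouring entries use ("Credit to miaubiz.", "Credit to Martin Barbella."); add it so the entry reads consistently. Note also that this entry still sits under a version header marked UNRELEASED, so the timestamp bump in the trailer line does not close it; the distribution needs to be switched to stable-security at upload time, as was done for 5+squeeze5 directly below.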
diff --git a/debian/patches/CVE-2011-2800.patch b/debian/patches/CVE-2011-2800.patch
new file mode 100644
index 0000000..aa9b285
--- /dev/null
+++ b/debian/patches/CVE-2011-2800.patch
@@ -0,0 +1,17 @@
+--- a/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp
++++ b/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp
+@@ -1535,7 +1535,13 @@ void FrameLoader::loadWithDocumentLoader
+ loader->setTriggeringAction(NavigationAction(newURL, policyChecker()->loadType(), isFormSubmission));
+
+ if (Element* ownerElement = m_frame->document()->ownerElement()) {
+- if (!ownerElement->dispatchBeforeLoadEvent(loader->request().url().string())) {
++ // We skip dispatching the beforeload event if we've already
++ // committed a real document load because the event would leak
++ // subsequent activity by the frame which the parent frame isn't
++ // supposed to learn. For example, if the child frame navigated to
++ // a new URL, the parent frame shouldn't learn the URL.
++ if (!m_stateMachine.committedFirstRealDocumentLoad()
++ && !ownerElement->dispatchBeforeLoadEvent(loader->request().url().string())) {
+ continueLoadAfterNavigationPolicy(loader->request(), formState, false);
+ return;
+ }
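Review bot: the new patch file starts directly at "--- a/src/third_party/WebKit/WebCore/loader/FrameLoader.cpp" with no DEP-3 header, so nothing in the file records a Description, Origin (the upstream WebKit change it backports) or Bug reference for CVE-2011-2800; add those header lines above the first "---" so the provenance survives independently of the changelog. On the logic itself, the short-circuit in "if (!m_stateMachine.committedFirstRealDocumentLoad()" / "&& !ownerElement->dispatchBeforeLoadEvent(...)" means that once a real document load has been committed the beforeload event is no longer dispatched at all, so the owner element loses not only visibility of the child's later URLs (the leak being fixed) but also the ability to cancel those later navigations; the in-code comment only describes the first effect, and the second is worth stating there or in the changelog entry since it is an observable behaviour change for pages that rely on beforeload to block subframe navigations.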
diff --git a/debian/patches/series b/debian/patches/series
index 4149fad..3062146 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -81,3 +81,4 @@ CVE-2011-1797.patch
CVE-2011-1799.patch
CVE-2011-2824.patch
CVE-2011-2818.patch
+CVE-2011-2800.patch
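Review bot: appending CVE-2011-2800.patch at the end of series is correct for quilt (series is application order, not CVE-number order, which is why 2824 already precedes 2818); before upload, confirm the new patch still applies cleanly on top of the preceding entries with "quilt push -a", since its hunk carries line offsets (@@ -1535,7 +1535,13 @@) taken from a particular state of FrameLoader.cpp.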
--
Git repository for pkg-chromium