[Pkg-chromium-commit] [SCM] Git repository for pkg-chromium branch, squeeze, updated. a4382fe5f958c34a0cb0f288df2e1bdc3df8f2a8

Giuseppe Iuculano iuculano at debian.org
Wed Aug 31 15:48:53 UTC 2011


The following commit has been merged in the squeeze branch:
commit c328fac229ae93d635184ad843738f32ad57cd99
Author: Giuseppe Iuculano <iuculano at debian.org>
Date:   Wed Aug 31 17:44:06 2011 +0200

    CVE-2011-2818

diff --git a/debian/changelog b/debian/changelog
index d72b0e7..11b89de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,10 @@ chromium-browser (6.0.472.63~r59945-5+squeeze6) UNRELEASED; urgency=low
   * Added gbp.conf
   * Fixed CVE-2011-2824: Use-after-free with counter nodes.
     Credit to miaubiz.
+  * Fixed CVE-2011-2818: Use-after-free in display box rendering.
+    Credit to Martin Barbella.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Wed, 31 Aug 2011 17:30:01 +0200
+ -- Giuseppe Iuculano <iuculano at debian.org>  Wed, 31 Aug 2011 17:42:42 +0200
 
 chromium-browser (6.0.472.63~r59945-5+squeeze5) stable-security; urgency=low
 
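Review bot: the new changelog entry names the CVE and the reporter but gives no pointer to the upstream fix it backports; adding the upstream WebKit revision or Chromium bug id after the "Credit to Martin Barbella." line would let a reader verify debian/patches/CVE-2011-2818.patch against the original change, as is useful for any security backport in a stable branch.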
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..270f6c1
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,5 @@
+[git-buildpackage]
+tarball-dir=..
+overlay= True
+debian-branch=squeeze
+export-dir=../build-area
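Review bot: `overlay= True` has a stray space after the equals sign while the other four keys are written without one; write `overlay=True` for consistency with the rest of the file. This file is also unrelated to the CVE-2011-2818 fix that the commit message names, so it would be clearer in its own commit.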
diff --git a/debian/patches/CVE-2011-2818.patch b/debian/patches/CVE-2011-2818.patch
new file mode 100644
index 0000000..7146544
--- /dev/null
+++ b/debian/patches/CVE-2011-2818.patch
@@ -0,0 +1,21 @@
+--- a/src/third_party/WebKit/WebCore/rendering/RenderBox.cpp
++++ b/src/third_party/WebKit/WebCore/rendering/RenderBox.cpp
+@@ -2828,7 +2828,7 @@ bool RenderBox::shrinkToAvoidFloats() co
+ 
+ bool RenderBox::avoidsFloats() const
+ {
+-    return isReplaced() || hasOverflowClip() || isHR();
++    return isReplaced() || hasOverflowClip() || isHR() || isDeprecatedFlexItem();
+ }
+ 
+ void RenderBox::addShadowOverflow()
+--- a/src/third_party/WebKit/WebCore/rendering/RenderObject.h
++++ b/src/third_party/WebKit/WebCore/rendering/RenderObject.h
+@@ -409,6 +409,7 @@ public:
+ 
+     bool hasTransform() const { return m_hasTransform; }
+     bool hasMask() const { return style() && style()->hasMask(); }
++    bool isDeprecatedFlexItem() const { return !isInline() && !isFloatingOrPositioned() && parent() && parent()->isDeprecatedFlexibleBox(); }
+ 
+     void drawLineForBoxSide(GraphicsContext*, int x1, int y1, int x2, int y2, BoxSide,
+                             Color, EBorderStyle, int adjbw1, int adjbw2);
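Review bot: the new patch file starts directly with `--- a/src/third_party/WebKit/WebCore/rendering/RenderBox.cpp` and carries no DEP-3 header (Description, Origin, Bug, Applied-Upstream), so nothing in debian/patches records where the `avoidsFloats()` and `isDeprecatedFlexItem()` changes were taken from or which upstream revision they correspond to; add that header above the first `---` line. The helper itself reads correctly: `parent()` is checked for null before `parent()->isDeprecatedFlexibleBox()` is called, and the `&&` chain should be kept in that order.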
diff --git a/debian/patches/series b/debian/patches/series
index e930a8c..4149fad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -80,3 +80,4 @@ CVE-2011-1444.patch
 CVE-2011-1797.patch
 CVE-2011-1799.patch
 CVE-2011-2824.patch
+CVE-2011-2818.patch

-- 
Git repository for pkg-chromium