[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.1-2-29-g5dbcb1c
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Jun 29 04:11:14 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit aeb5b88eca09535db785d3849beea269964ebfb0
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Jun 28 21:10:49 2010 -0400
fix cve-2010-1407
diff --git a/WebCore/loader/HistoryController.cpp b/WebCore/loader/HistoryController.cpp
index 55b68dc..e065e8e 100644
--- a/WebCore/loader/HistoryController.cpp
+++ b/WebCore/loader/HistoryController.cpp
@@ -656,15 +656,17 @@ void HistoryController::pushState(PassRefPtr<SerializedScriptValue> stateObject,
void HistoryController::replaceState(PassRefPtr<SerializedScriptValue> stateObject, const String& title, const String& urlString)
{
- Page* page = m_frame->page();
- ASSERT(page);
- HistoryItem* current = page->backForwardList()->currentItem();
- ASSERT(current);
+ // FIXME: We should always have m_currentItem here!!
+ // https://bugs.webkit.org/show_bug.cgi?id=36464
+ if (!m_currentItem) {
+ ASSERT_NOT_REACHED();
+ return;
+ }
if (!urlString.isEmpty())
- current->setURLString(urlString);
- current->setTitle(title);
- current->setStateObject(stateObject);
+ m_currentItem->setURLString(urlString);
+ m_currentItem->setTitle(title);
+ m_currentItem->setStateObject(stateObject);
}
} // namespace WebCore
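Review bot: The comment added in replaceState records only the FIXME about a null m_currentItem; it does not say why the item now comes from the controller's own `m_currentItem` instead of `page->backForwardList()->currentItem()`, which is the security-relevant part of the change. Going by the changelog entry (iframe information disclosure), the old lookup presumably let a call made from a subframe write its URL, title and state object onto the page-level entry. A comment such as `// Use this frame's own history item; the page's current back/forward item may belong to a different frame (CVE-2010-1407).` would keep a later refactor from restoring the old lookup. If ASSERT_NOT_REACHED() compiles out in release builds, the null case silently drops the update, which fails safe but is worth stating next to the early return. Only the signature of pushState appears in the hunk header, so whether it uses the same page-level lookup cannot be checked from this hunk.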
diff --git a/debian/changelog b/debian/changelog
index ffd22ed..d72c6e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,9 +2,10 @@ webkit (1.2.1-3) UNRELEASED; urgency=low
* Use system libtool.
* Turn direct source changes into a patch.
- * Fix cve-2010-1368: geolocation info disclosure.
- * Fix cve-2010-1392: possibly exploitable html button logic error.
- * Fix cve-2010-1405: possibly exploitable vertical positioning logic error.
+ * Fix cve-2010-1368: geolocation information disclosure.
+ * Fix cve-2010-1392: possible code execution in html button logic.
+ * Fix cve-2010-1405: possible code execution in vertical positioning logic.
+ * Fix cve-2010-1407: iframe information disclosure.
-- Michael Gilbert <michael.s.gilbert at gmail.com> Thu, 27 May 2010 20:36:41 -0400
diff --git a/debian/patches/cve-2010-1407.patch b/debian/patches/cve-2010-1407.patch
new file mode 100644
index 0000000..7280993
--- /dev/null
+++ b/debian/patches/cve-2010-1407.patch
@@ -0,0 +1,32 @@
+description: fix cve-2010-1392
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/56365
+Index: webkit-1.2.1/WebCore/loader/HistoryController.cpp
+===================================================================
+--- webkit-1.2.1.orig/WebCore/loader/HistoryController.cpp 2010-05-13 16:31:30.000000000 -0400
++++ webkit-1.2.1/WebCore/loader/HistoryController.cpp 2010-06-28 21:08:29.000000000 -0400
+@@ -656,15 +656,17 @@
+
+ void HistoryController::replaceState(PassRefPtr<SerializedScriptValue> stateObject, const String& title, const String& urlString)
+ {
+- Page* page = m_frame->page();
+- ASSERT(page);
+- HistoryItem* current = page->backForwardList()->currentItem();
+- ASSERT(current);
++ // FIXME: We should always have m_currentItem here!!
++ // https://bugs.webkit.org/show_bug.cgi?id=36464
++ if (!m_currentItem) {
++ ASSERT_NOT_REACHED();
++ return;
++ }
+
+ if (!urlString.isEmpty())
+- current->setURLString(urlString);
+- current->setTitle(title);
+- current->setStateObject(stateObject);
++ m_currentItem->setURLString(urlString);
++ m_currentItem->setTitle(title);
++ m_currentItem->setStateObject(stateObject);
+ }
+
+ } // namespace WebCore
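Review bot: The `description:` header at the top of the new patch file reads `fix cve-2010-1392`, but the file is cve-2010-1407.patch and both the commit subject and the changelog entry name cve-2010-1407. It looks like a leftover from copying the header of the neighbouring patch. Anyone who audits the package's CVE coverage from patch headers would count 1392 twice and miss 1407, so the line should read `description: fix cve-2010-1407`. The `origin:` changeset URL is worth re-checking against the upstream fix at the same time, since it may have been copied along with the description.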
diff --git a/debian/patches/series b/debian/patches/series
index 56c394a..ee9015d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
cve-2010-1386.patch
cve-2010-1392.patch
cve-2010-1405.patch
+cve-2010-1407.patch
--
WebKit Debian packaging