lp://qastaging/ubuntu/intrepid-security/webkit

Created by James Westby and last modified
Get this branch:
bzr branch lp://qastaging/ubuntu/intrepid-security/webkit
Members of Ubuntu branches can upload to this branch.

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Development

Recent revisions

11. By Marc Deslauriers

* SECURITY UPDATE: remote code execution via document with a SVGPathList
  data structure containing a negative index.
  - WebCore/svg/SVGList.h: make sure index is valid.
  - http://trac.webkit.org/changeset/43590
  - CVE-2009-0945
* SECURITY UPDATE: denial of service or arbitrary code execution via
  JavaScript garbage collector allocation failures.
  - JavaScriptCore/kjs/collector.cpp: make sure numBlocks is valid.
  - http://trac.webkit.org/changeset/41854
  - CVE-2009-1687
* SECURITY UPDATE: denial of service or arbitrary code execution via
  use-after-free.
  - WebCore/html/HTMLParser.{cpp,h}: Fix incorrect handling of the head
    element.
  - http://trac.webkit.org/changeset/42532
  - CVE-2009-1690
* SECURITY UPDATE: denial of service or arbitrary code execution via
  attr function call with a large numerical argument.
  - WebCore/css/{CSSParser,CSSPrimitiveValue}.cpp: fix attr handling.
  - http://trac.webkit.org/changeset/42081
  - CVE-2009-1698
* SECURITY UPDATE: denial of service or arbitrary code execution via
  Attr DOM objects improper memory initialization.
  - WebCore/css/CSSStyleSelector.cpp, WebCore/dom/{Attribute.h,
    MappedAttribute.h,NamedMappedAttrMap.cpp,StyledElement.cpp},
    WebCore/html/HTMLInputElement.cpp, WebCore/svg/{SVGStyledElement,
    SVGForeignObjectElement}.cpp: introduce and use isMappedAttribute().
  - http://trac.webkit.org/changeset/36918
  - CVE-2009-1711
* SECURITY UPDATE: arbitrary code execution via remote loading of
  local java applets.
  - WebCore/html/HTMLAppletElement.cpp, WebCore/loader/FrameLoader.cpp:
    Use same rule for loading java applets as webkit does for images.
  - http://trac.webkit.org/changeset/41568
  - CVE-2009-1712
* SECURITY UPDATE: denial of service or arbitrary code execution via
  numeric character references.
  - WebCore/html/HTMLTokenizer.cpp: increase size of checkBuffer()
  - http://trac.webkit.org/changeset/44799
  - CVE-2009-1725

10. By Marc Deslauriers

* SECURITY UPDATE: denial of service via crafted CSS import statements.
  - WebCore/dom/Document.*, WebCore/loader/DocLoader.*: upstream fix
    to get rid of the Frame pointer on DocLoader.
  - http://trac.webkit.org/changeset/34815
  - CVE-2008-3632

9. By Mike Hommey <email address hidden>

* symbols.filter: As a workaround for #490173, hide all C++ mangled symbols.
  This will be enough for now, while fixing FTBFS on ARM.
* debian/rules: Build with -Wl,--no-relax on alpha, to work around a
  binutils bug causing FTBFS.

8. By Mike Hommey <email address hidden>

[ Mike Hommey ]
* New upstream snapshot
* debian/copyright: Updated to fit additions/removals of files upstream.
* debian/control: Add libpango1.0-dev to build dependencies and tighten
  libgtk2.0-dev build dependency. Closes: #477493.

[ Luca Bruno ]
* debian/libwebkit-1.0-1.install, debian/rules: Install GtkLauncher
  and DumpRenderTree in /usr/lib/webkit-1.0/libexec. Closes: #476514.

7. By Mike Hommey <email address hidden>

* New upstream snapshot
* debian/copyright: Updated to fit additions/removals of files upstream.
* JavaScriptCore/wtf/TCSpinLock.h: Revert our work-around, now that a
  proper patch has been applied upstream.
* WebCore/WebCore.pro: Don't use Qt version as SO version for QtWebKit.
* debian/control, debian/rules, debian/lib*0d.install: Bump SO version to
  1d because of ABI incompatible changes, and change package names
  accordingly.
* debian/rules: Don't remove -lqtwebico from QtWebKit.pc, since it's not
  here anymore.
* debian/rules, debian/lib*1d.install:
  - Install new Gtk port's DumpRenderTree tool.
  - Rename both ports' DumpRenderTree tools to <port name>DumpRenderTree
    to avoid conflicting names.
* debian/lib*1d.postrm, debian/lib*1d.preinst: Avoid conflicting files with
  lib*0d packages (*Launcher programs) but allow to install both new and old
  libraries by using diversions.

6. By Mike Hommey <email address hidden>

* JavaScriptCore/JavaScriptCore.pri: cherry-picked change from revision
  28692 to fix FTBFS due to lack of -lpthread on the linker command line.
* debian/control: Add dependencies on necessary development packages
  (essentially for header files) to our own development packages.

5. By Mike Hommey <email address hidden>

* New upstream snapshot
* debian/copyright: Updated to fit additions/removals of files upstream.
* debian/control: Make libwebkitgtk-dev conflict with the old
  libwebkitgdk-dev. Closes: #449001.
* debian/rules: Bump qtwebkit shlibs.
* WebKit/qt/Api/qwebpage.cpp: cherry-picked change from revision 27904 to
  fix crashes when an event is caught outside of the webkit frame in Qt.
  This occurred, for example, when hovering over the QtLauncher toolbar.

4. By Mike Hommey <email address hidden>

* New upstream snapshot
* debian/rules:
  - Add support for DEB_BUILD_OPTIONS=noopt.
  - Bump qtwebkit shlibs, and remove versioning on the webkitgtk ones,
    as the library is new.
* debian/copyright: Updated to fit additions/removals of files upstream.
* debian/control, debian/rules, debian/libwebkitgtk-dev.install,
  debian/libwebkitgtk0d.install: Replace occurrences of gdk by gtk, and
  rename libwebkitgdk*, to fit upstream rename of the Gtk port.
  Closes: #445060.

3. By Mike Hommey <email address hidden>

* JavaScriptCore/wtf/Platform.h:
  - Also test if __arm__ is defined, which should fix the FTBFS on arm.
  - Use better defines for our various arm ports.
* JavaScriptCore/kjs/ustring.h, WebCore/platform/DeprecatedString.h: Use
  these new defines. Thanks Riku Voipio.
* debian/control: Build depend on Qt >= 4.3. Thanks Hubert Figuiere.
  Closes: #439672.
* debian/rules: Explicitly use qmake-qt4 instead of qmake to avoid build
  failures when qt3-dev-tools is installed. Thanks Michael Biebl.
  Closes: #441007.

2. By Mike Hommey <email address hidden>

* New upstream snapshot
* debian/copyright: Updated so as to fit what we actually remove (there were
  missing removals previously, which were not appropriate for the most
  anyways), and to fit the additions/removals of files upstream.
* JavaScriptCore/wtf/TCSpinLock.h: Work around an FTBFS on PPC due to a
  probable regression in gcc (#438415).
* debian/rules:
  + Change the place we install QtLauncher from, since it moved.
  + Set binary packages' shlibs correctly.
  + Use $(CURDIR) variable more safely to avoid problem with build
    directories with spaces.
* WebKitQt/Plugins/Plugins.pro: Build plugins with hidden symbols, so that
  they don't expose unwanted symbols.

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp://qastaging/ubuntu/karmic/webkit
This branch contains Public information 
Everyone can see this information.
