which can lead to crashes and possibly code injection
(cve-2010-4205, cve-2011-0471, cve-2011-0473, cve-2011-0478,
cve-2011-0981, cve-2011-0982)
bump PKGREV
changes:
-fix some security problems (CVE-2010-4492, CVE-2010-4493, CVE-2011-0482,
CVE-2010-4199, CVE-2010-4578)
-fix some crashes (which were partly patched in pkgsrc before)
This release has essentially security fixes, covering the following
CVEs:
CVE-2010-4198 CVE-2010-4197 CVE-2010-4204 CVE-2010-4206
CVE-2010-1791 CVE-2010-3812 CVE-2010-3813
(plus 2 patches from upstream which fix crashes)
alternative from mk/jpeg.buildlink3.mk
This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).
The mechanical edits were applied via the following script:
#!/bin/sh
for d in */*; do
[ -d "$d" ] || continue
for i in "$d/"Makefile* "$d/"*.mk; do
case "$i" in *.orig|*"*"*) continue;; esac
out="$d/x"
sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
-e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
< "$i" > "$out"
if cmp -s "$i" "$out"; then
rm -f "$out"
else
echo "Edited $i"
mv -f "$i" "$i.orig" && mv "$out" "$i"
fi
done
done
changes:
The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:
CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
Changes:
- We found out that WebKitWebHistoryItems were being kept with a
reference count of 2 instead of 1 as they should; nobody should be
relying on that, but if you hit reference counting problems with
items you were creating yourself, this is for you.
- You can now copy images from the web page to the clipboard.
- Improvements were made to the Plugin handling code.
- Scroll events will now be correctly reported to web applications.
- You can now embed arbitrary widgets as if it was a plugin, with
the new "create-plugin-widget" signal.
- The atk_text_get_text_{at,after,before}_offset methods are now
implemented for all boundary types except LINE_AFTER and
LINE_BEFORE.
- The usual stream of minor fixes and improvements, as always.
Changes:
- Do not handle KeyEvents with Ctrl or Alt modifiers that we
otherwise know nothing about. Otherwise shortcuts defined in the
WebView will never be executed.
- Add information about the SVG index bounds check committed in r43590.
- For paste from middle button (button==2) we want to use
the GDK_PRIMARY_SELECTION. Implement the new getCurrentTarget
method in PasteboardHelperGtk by asking the WebView which
clipboard to use.
- Add glib-2.0 to the list of required package.
- (test_webkit_web_frame_create_destroy): Declare webView as a GtkWidget*
to fix pointer type incompatibility warnings.
- Make the scan program call g_thread_init(NULL) in addition to
g_type_init(), so that it actually works.
- Unify scrolling code via adjustments and keys. Use the WebCore
defined constants, since that's what people are most used to at
this point.
- Add missing call to notifyStatus in the committed case and a
missing property notify.
- When a download is requested by an ongoing request, use the already
provided response to set the suggested filename for the WebKitDownload
object, if available.
- Remove bogus extern "C" from some source files.
- Misc fixes to InspectorClientGtk: use g_filename_to_uri to
get the URI and use web_view_load_uri instead of the deprecated
web_view_open method for loading the URI.
- Add #if ENABLE(DATABASE) guards around database code so toggling
ENABLE_DATABASE off does not break builds.
- Implement load-status and progress properties on the view, as well as
load-status on the frame. This supersedes the different load signals
load-progress-changed, load-committed, load-done, load-started and
load-finished which are not only misnamed but broken by design.
- Fix memory leaks.
- Use strlen instead of g_utf8_strlen when calculating the size of
the data that is being given to webkit_web_frame_load_string to be
loaded, so that we don't miss any of the content.
- Fix mis-applied patch.
- Add a FrameLoaderClient callback for ResourceRetrievedByXMLHttpRequest.
- Provide a mechanism to create a quirks delegate for HTMLParser
- Add MessageSource and MessageLevel parameters to
ChromeClient::addMessageToConsole.
