Accepting request 624328 from GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/624328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/webkit2gtk3?expand=0&rev=60

webkit2gtk3-boo1101999-off-by-one.patch

@@ -0,0 +1,46 @@
+Index: Source/ThirdParty/xdgmime/src/xdgmimecache.c
+===================================================================
+--- Source/ThirdParty/xdgmime/src/xdgmimecache.c	(revision 233403)
++++ Source/ThirdParty/xdgmime/src/xdgmimecache.c	(revision 233404)
+@@ -1047,6 +1047,9 @@
+   xdg_uint32_t child_offset;
+   int i;
+ 
++  assert (*n >= 0);
++  assert (depth >= 0);
++
+   if (*n >= n_globs)
+     return FALSE;
+ 
+@@ -1055,7 +1058,7 @@
+       xdg_uint32_t mime_offset = GET_UINT32 (cache->buffer, offset + 4);
+ 
+       if (strcasecmp (cache->buffer + mime_offset, mime) == 0) {
+-        globs[*n] = malloc (depth * sizeof (char));
++        globs[*n] = malloc ((depth + 1) * sizeof (char));
+         for (i = 0; i < depth; i++)
+           globs[*n][depth - i - 1] = prefix[i];
+         globs[*n][depth] = '\0';
+Index: Source/ThirdParty/xdgmime/src/xdgmimeglob.c
+===================================================================
+--- Source/ThirdParty/xdgmime/src/xdgmimeglob.c	(revision 233403)
++++ Source/ThirdParty/xdgmime/src/xdgmimeglob.c	(revision 233404)
+@@ -484,6 +484,9 @@
+                   xdg_unichar_t   *prefix,
+                   int              depth)
+ {
++  assert (*n >= 0);
++  assert (depth >= 0);
++
+   if (*n >= n_globs)
+     return FALSE;
+ 
+@@ -495,7 +498,7 @@
+         {
+           int i;
+ 
+-          globs[*n] = malloc (depth * sizeof (char));
++          globs[*n] = malloc ((depth + 1) * sizeof (char));
+           for (i = 0; i < depth; i++)
+             globs[*n][depth - i - 1] = prefix[i];
+           globs[*n][depth] = '\0';

webkit2gtk3.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul 20 15:15:12 UTC 2018 - mgorse@suse.com
+
+- Add webkit2gtk3-boo1101999-off-by-one.patch: fix off-by-one in
+  xdg_mime_get_simple_globs (boo#1101999 CVE-2018-12911).
+
 -------------------------------------------------------------------
 Mon Jun 11 13:22:44 UTC 2018 - bjorn.lie@gmail.com
 

webkit2gtk3.spec

@@ -54,6 +54,8 @@ Patch0:         webkitgtk-typelib-sharelib-link.patch
 Patch1:         webkit2gtk3-python3.patch
 # PATCh-FIX-UPSTREAM webkit2gtk3-boo1088932-a11y-state-set.patch boo#1088932 webkit#184366 mgorse@suse.com -- fix crash when atk_object_ref_state_set is called on an AtkObject that's being destroyed.
 Patch2:         webkit2gtk3-boo1088932-a11y-state-set.patch
+# PATCH-FIX-UPSTREAM webkit2gtk3-boo1101999-off-by-one.patch boo#1101999 mgorse@suse.com -- fix off-by-one error in xdg_mime_get_simple_globs (CVE-2018-12911).
+Patch3:         webkit2gtk3-boo1101999-off-by-one.patch
 
 BuildRequires:  Mesa-libEGL-devel
 BuildRequires:  Mesa-libGL-devel
@@ -264,6 +266,7 @@ invoking a Perl or Python script.
 %patch1 -p1
 %endif
 %patch2 -p1
+%patch3
 
 %build
 # Here we must muzzle our dog so it doesn't eat all the memory