new file mode 100644
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet <youennf@gmail.com>
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../fetch/fetch-stream-source-expected.txt | 3 +++
+ .../http/wpt/fetch/fetch-stream-source.html | 24 +++++++++++++++++++
+ .../WebCore/Modules/streams/ReadableStream.js | 4 ++--
+ .../Modules/streams/ReadableStreamSource.idl | 8 +++----
+ .../js/JSDOMOperationReturningPromise.h | 4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index 000000000000..856ea8180ca2
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index 000000000000..fbebfa5e524f
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++<!doctype html>
++<html>
++ <head>
++ <meta charset="utf-8">
++ <title>Fetch and source</title>
++ <script src="/resources/testharness.js"></script>
++ <script src="/resources/testharnessreport.js"></script>
++ </head>
++ <body>
++ <script>
++promise_test(async () => {
++ let counter = 0;
++ Object.prototype.__defineGetter__("type", function() {
++ counter++;
++ });
++
++ const response = await fetch('/');
++ const fetchReadableStream = response.body;
++ const [r1, r2] = fetchReadableStream.tee();
++ assert_equals(counter, 0);
++}, "Only JS streams should check type");
++ </script>
++ </body>
++</html>
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
++++ b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, strategy)
+
+ // FIXME: We should introduce https://streams.spec.whatwg.org/#create-readable-stream.
+ // For now, we emulate this with underlyingSource with private properties.
+- if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
++ if (underlyingSource.@pull !== @undefined) {
+ const size = @getByIdDirectPrivate(strategy, "size");
+ const highWaterMark = @getByIdDirectPrivate(strategy, "highWaterMark");
+- @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), @getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, "cancel"));
++ @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, underlyingSource.@start, underlyingSource.@pull, underlyingSource.@cancel);
+ return this;
+ }
+
+diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+index cce9ea37ce80..ae7f1403b8ac 100644
+--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl
++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+@@ -30,10 +30,10 @@
+ LegacyNoInterfaceObject,
+ SkipVTableValidation
+ ] interface ReadableStreamSource {
+- [Custom] Promise<undefined> start(ReadableStreamDefaultController controller);
+- [Custom] Promise<undefined> pull(ReadableStreamDefaultController controller);
+- undefined cancel(any reason);
++ [Custom, PrivateIdentifier] Promise<undefined> start(ReadableStreamDefaultController controller);
++ [Custom, PrivateIdentifier] Promise<undefined> pull(ReadableStreamDefaultController controller);
++ [PrivateIdentifier] undefined cancel(any reason);
+
+ // Place holder to keep the controller linked to the source.
+- [CachedAttribute, CustomGetter] readonly attribute any controller;
++ [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any controller;
+ };
+diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+index c4d1513ad5c4..1dda9d3834f7 100644
+--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+@@ -43,8 +43,10 @@ public:
+ if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) {
+ if (UNLIKELY(!thisObject))
+ return rejectPromiseWithThisTypeError(promise.get(), JSClass::info()->className, operationName);
+- } else
++ } else {
++ UNUSED_PARAM(operationName);
+ ASSERT(thisObject);
++ }
+
+ ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info());
+
+--
+2.40.0
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
file://CVE-2022-32888.patch \
file://CVE-2022-32923.patch \
+ file://CVE-2023-23517-CVE-2023-23518.patch \
"
SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously crafted web content may lead to arbitrary code execution. References: https://nvd.nist.gov/vuln/detail/CVE-2023-23517 https://support.apple.com/en-us/HT213638 https://bugs.webkit.org/show_bug.cgi?id=248268 https://github.com/WebKit/WebKit/pull/6756 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- .../CVE-2023-23517-CVE-2023-23518.patch | 131 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 132 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch