
[kirkstone,07/14] webkitgtk: fix CVE-2023-23529

Message ID f8bce477ad88da70c3a4196912ba72049b2aa765.1694004064.git.steve@sakoman.com
State Accepted, archived
Commit f8bce477ad88da70c3a4196912ba72049b2aa765

Commit Message

Steve Sakoman Sept. 6, 2023, 12:48 p.m. UTC
From: Kai Kang <kai.kang@windriver.com>

Backport and rebase patch to fix CVE-2023-23529.

CVE: CVE-2023-23529

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkit/webkitgtk/CVE-2023-23529.patch     | 65 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch

Patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch
new file mode 100644
index 0000000000..f2e9808ab4
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch
@@ -0,0 +1,65 @@ 
+CVE: CVE-2023-23529
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c]
+
+With the help from webkit maillist, backport and rebase patch to fix
+CVE-2023-23529.
+
+https://lists.webkit.org/pipermail/webkit-gtk/2023-August/003931.html
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 6cc943c3323a1a1368934c812e5e8ec08f54dcd4 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Fri, 17 Feb 2023 10:39:19 -0800
+Subject: [PATCH] Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92).
+ rdar://105598149
+
+    [JSC] ToThis object folding should check if AbstractValue is always an object
+    https://bugs.webkit.org/show_bug.cgi?id=251944
+    rdar://105175786
+
+    Reviewed by Geoffrey Garen and Mark Lam.
+
+    ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
+    This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
+    This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
+
+    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::isToThisAnIdentity):
+
+    Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
+
+Canonical link: https://commits.webkit.org/260455@main
+---
+ .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h   | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+index 928328ffab826..82481455e651d 100644
+--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+         }
+     }
+ 
+-    if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
++    bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
++    if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
+         bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
+         bool overridesToThis = false;
+         valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
+@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+             // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
+             allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
+         });
++
++        // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
+         if (!overridesToThis)
+             return ToThisResult::Identity;
+-        if (allStructuresAreJSScope) {
++
++        // But this folding is available only if input is always an object.
++        if (onlyObjects && allStructuresAreJSScope) {
+             if (ecmaMode.isStrict())
+                 return ToThisResult::Undefined;
+             return ToThisResult::GlobalThis;
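Review bot: The Upstream-Status line at the top of the new patch file cites the upstream commit only by a 7-character abbreviation, `[https://github.com/WebKit/WebKit/commit/6cc943c]`, even though the full id is already present in the From line further down; writing `Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c3323a1a1368934c812e5e8ec08f54dcd4]` keeps the reference unambiguous if the short prefix ever collides. The header also states the patch was "backport and rebase"d for this tree but not what differs from upstream, so a reader of the header cannot tell whether the diff below is a verbatim cherry-pick or was hand-adjusted; a sentence such as `Context adjusted for webkitgtk 2.36.8; no functional change relative to upstream.` would record that, assuming it is indeed the case. The C++ change itself is consistent with the intent described in the upstream message: `onlyObjects` is computed once before the structure walk and now gates the Undefined/GlobalThis folding, while the strict-mode Identity path is left as before.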
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index edd64b7b11..20f475bebd 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@  SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-46699.patch \
            file://CVE-2022-42867.patch \
            file://CVE-2022-46700.patch \
+           file://CVE-2023-23529.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"