import webkit2gtk3-2.36.7-1.el9_1.2
This commit is contained in:
parent
98ea41e6b5
commit
38e5f49c6a
55
SOURCES/CVE-2023-23529.patch
Normal file
55
SOURCES/CVE-2023-23529.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
|
||||
From: Yusuke Suzuki <ysuzuki@apple.com>
|
||||
Date: Wed, 8 Feb 2023 15:32:00 -0800
|
||||
Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
|
||||
|
||||
[JSC] ToThis object folding should check if AbstractValue is always an object
|
||||
https://bugs.webkit.org/show_bug.cgi?id=251944
|
||||
rdar://105175786
|
||||
|
||||
Reviewed by Geoffrey Garen and Mark Lam.
|
||||
|
||||
ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
|
||||
This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
|
||||
This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
|
||||
|
||||
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
|
||||
(JSC::DFG::isToThisAnIdentity):
|
||||
|
||||
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
|
||||
---
|
||||
.../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
index ea7bcd6b7b31..ef3f6bbe376e 100644
|
||||
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
||||
}
|
||||
}
|
||||
|
||||
- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
|
||||
+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
|
||||
+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
|
||||
bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
|
||||
bool overridesToThis = false;
|
||||
valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
|
||||
@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
||||
// If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
|
||||
allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
|
||||
});
|
||||
+
|
||||
+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
|
||||
if (!overridesToThis)
|
||||
return ToThisResult::Identity;
|
||||
- if (allStructuresAreJSScope) {
|
||||
+
|
||||
+ // But this folding is available only if input is always an object.
|
||||
+ if (onlyObjects && allStructuresAreJSScope) {
|
||||
if (ecmaMode.isStrict())
|
||||
return ToThisResult::Undefined;
|
||||
return ToThisResult::GlobalThis;
|
||||
--
|
||||
2.39.1
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
Name: webkit2gtk3
|
||||
Version: 2.36.7
|
||||
Release: 1%{?dist}.1
|
||||
Release: 1%{?dist}.2
|
||||
Summary: GTK Web content engine library
|
||||
|
||||
License: LGPLv2
|
||||
@ -38,6 +38,9 @@ Patch0: aarch64-page-size.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
|
||||
Patch1: CVE-2022-42856.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2169934
|
||||
Patch2: CVE-2023-23529.patch
|
||||
|
||||
BuildRequires: bison
|
||||
BuildRequires: bubblewrap
|
||||
BuildRequires: cmake
|
||||
@ -323,6 +326,10 @@ export NINJA_STATUS="[%f/%t][%e] "
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.2
|
||||
- Add patch for CVE-2023-23529
|
||||
Resolves: #2170000
|
||||
|
||||
* Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
|
||||
- Add patch for CVE-2022-42856
|
||||
Resolves: #2153738
|
||||
|
Loading…
Reference in New Issue
Block a user