import webkit2gtk3-2.36.7-1.el8_7.2

SOURCES/CVE-2023-23529.patch

@@ -0,0 +1,55 @@
+From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Wed, 8 Feb 2023 15:32:00 -0800
+Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
+
+    [JSC] ToThis object folding should check if AbstractValue is always an object
+    https://bugs.webkit.org/show_bug.cgi?id=251944
+    rdar://105175786
+
+    Reviewed by Geoffrey Garen and Mark Lam.
+
+    ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
+    This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
+    This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
+
+    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::isToThisAnIdentity):
+
+    Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
+---
+ .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h   | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+index ea7bcd6b7b31..ef3f6bbe376e 100644
+--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+         }
+     }
+ 
+-    if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
++    bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
++    if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
+         bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
+         bool overridesToThis = false;
+         valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
+@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+             // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
+             allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
+         });
++
++        // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
+         if (!overridesToThis)
+             return ToThisResult::Identity;
+-        if (allStructuresAreJSScope) {
++
++        // But this folding is available only if input is always an object.
++        if (onlyObjects && allStructuresAreJSScope) {
+             if (ecmaMode.isStrict())
+                 return ToThisResult::Undefined;
+             return ToThisResult::GlobalThis;
+-- 
+2.39.1
+

SPECS/webkit2gtk3.spec

@@ -12,7 +12,7 @@
 
 Name:           webkit2gtk3
 Version:        2.36.7
-Release:        1%{?dist}.1
+Release:        1%{?dist}.2
 Summary:        GTK Web content engine library
 
 License:        LGPLv2
@@ -37,6 +37,9 @@ Patch2:         icu60.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2153683
 Patch3:         CVE-2022-42856.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2169934
+Patch4:         CVE-2023-23529.patch
+
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  flex
@@ -306,6 +309,10 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 
 %changelog
+* Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.2
+- Add patch for CVE-2023-23529
+  Resolves: #2170007
+
 * Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
 - Add patch for CVE-2022-42856
   Resolves: #2153735