import webkit2gtk3-2.38.5-1.el9_2.2
This commit is contained in:
		
							parent
							
								
									bf4ac994c8
								
							
						
					
					
						commit
						b74bce62d4
					
				
							
								
								
									
										167
									
								
								SOURCES/CVE-2023-28204.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										167
									
								
								SOURCES/CVE-2023-28204.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,167 @@ | |||||||
|  | From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Michael Saboff <msaboff@apple.com> | ||||||
|  | Date: Mon, 22 May 2023 13:40:46 -0700 | ||||||
|  | Subject: [PATCH] Cherry-pick 264365@main (698c6e293734). | ||||||
|  |  https://bugs.webkit.org/show_bug.cgi?id=254930 | ||||||
|  | 
 | ||||||
|  |     [JSC] RegExpGlobalData::performMatch issue leading to OOB read | ||||||
|  |     https://bugs.webkit.org/show_bug.cgi?id=254930 | ||||||
|  |     rdar://107436732 | ||||||
|  | 
 | ||||||
|  |     Reviewed by Alexey Shvayka. | ||||||
|  | 
 | ||||||
|  |     Fixed two issues: | ||||||
|  |     1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP | ||||||
|  |        characters.  Since it is an assertion, we shouldn't advance the character position. | ||||||
|  |        Made the same fix to matchAssertionEOL(). | ||||||
|  |     2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of | ||||||
|  |        a non-BMP character for the case where the RegExp match is empty. | ||||||
|  | 
 | ||||||
|  |     * JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test. | ||||||
|  |     * Source/JavaScriptCore/runtime/StringPrototype.cpp: | ||||||
|  |     (JSC::replaceUsingRegExpSearch): | ||||||
|  |     * Source/JavaScriptCore/yarr/YarrInterpreter.cpp: | ||||||
|  |     (JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance): | ||||||
|  |     (JSC::Yarr::Interpreter::matchAssertionBOL): | ||||||
|  |     (JSC::Yarr::Interpreter::matchAssertionEOL): | ||||||
|  | 
 | ||||||
|  |     Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732 | ||||||
|  |     Canonical link: https://commits.webkit.org/264365@main | ||||||
|  | ---
 | ||||||
|  |  ...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++ | ||||||
|  |  .../runtime/StringPrototype.cpp               | 10 ++++++ | ||||||
|  |  .../JavaScriptCore/yarr/YarrInterpreter.cpp   | 36 +++++++++++++++++-- | ||||||
|  |  3 files changed, 79 insertions(+), 2 deletions(-) | ||||||
|  |  create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js | ||||||
|  | 
 | ||||||
|  | diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
 | ||||||
|  | new file mode 100644 | ||||||
|  | index 000000000000..25b1a70b81d2
 | ||||||
|  | --- /dev/null
 | ||||||
|  | +++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
 | ||||||
|  | @@ -0,0 +1,35 @@
 | ||||||
|  | +// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
 | ||||||
|  | +// and that we do advance in String.replace() when processing an empty match.
 | ||||||
|  | +
 | ||||||
|  | +let expected = "|";
 | ||||||
|  | +
 | ||||||
|  | +for (let i = 0; i < 11; ++i)
 | ||||||
|  | +    expected += String.fromCodePoint(128512) + '|';
 | ||||||
|  | +
 | ||||||
|  | +let str = String.fromCodePoint(128512).repeat(11);
 | ||||||
|  | +
 | ||||||
|  | +let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
 | ||||||
|  | +    return '|';
 | ||||||
|  | +});
 | ||||||
|  | +
 | ||||||
|  | +
 | ||||||
|  | +if (result1 !== expected)
 | ||||||
|  | +    print("FAILED: \"" + result1 + " !== " + expected + '"');
 | ||||||
|  | +
 | ||||||
|  | +let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
 | ||||||
|  | +    return '|';
 | ||||||
|  | +});
 | ||||||
|  | +
 | ||||||
|  | +if (result2 !== expected)
 | ||||||
|  | +    print("FAILED: \"" + result2 + " !== " + expected + '"');
 | ||||||
|  | +
 | ||||||
|  | +expected = "|" + String.fromCodePoint(128512);
 | ||||||
|  | +
 | ||||||
|  | +str = String.fromCodePoint(128512).repeat(1);
 | ||||||
|  | +
 | ||||||
|  | +let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
 | ||||||
|  | +    return '|';
 | ||||||
|  | +});
 | ||||||
|  | +
 | ||||||
|  | +if (result3 !== expected)
 | ||||||
|  | +    print("FAILED: \"" + result3 + " !== " + expected + '"');
 | ||||||
|  | diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
 | ||||||
|  | index 08104b1dbfa9..459295f728a7 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
 | ||||||
|  | +++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
 | ||||||
|  | @@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
 | ||||||
|  |                  startPosition++; | ||||||
|  |                  if (startPosition > sourceLen) | ||||||
|  |                      break; | ||||||
|  | +                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
 | ||||||
|  | +                    startPosition++;
 | ||||||
|  | +                    if (startPosition > sourceLen)
 | ||||||
|  | +                        break;
 | ||||||
|  | +                }
 | ||||||
|  |              } | ||||||
|  |          } | ||||||
|  |      } else { | ||||||
|  | @@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
 | ||||||
|  |                  startPosition++; | ||||||
|  |                  if (startPosition > sourceLen) | ||||||
|  |                      break; | ||||||
|  | +                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
 | ||||||
|  | +                    startPosition++;
 | ||||||
|  | +                    if (startPosition > sourceLen)
 | ||||||
|  | +                        break;
 | ||||||
|  | +                }
 | ||||||
|  |              } | ||||||
|  |          } while (global); | ||||||
|  |      } | ||||||
|  | diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
 | ||||||
|  | index 95a848a1a66d..b1a22b253866 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
 | ||||||
|  | +++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
 | ||||||
|  | @@ -209,6 +209,38 @@ public:
 | ||||||
|  |              } | ||||||
|  |              return result; | ||||||
|  |          } | ||||||
|  | +
 | ||||||
|  | +        int readCheckedDontAdvance(unsigned negativePositionOffest)
 | ||||||
|  | +        {
 | ||||||
|  | +            RELEASE_ASSERT(pos >= negativePositionOffest);
 | ||||||
|  | +            unsigned p = pos - negativePositionOffest;
 | ||||||
|  | +            ASSERT(p < length);
 | ||||||
|  | +            int result = input[p];
 | ||||||
|  | +            if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
 | ||||||
|  | +                if (atEnd())
 | ||||||
|  | +                    return -1;
 | ||||||
|  | +
 | ||||||
|  | +                result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
 | ||||||
|  | +            }
 | ||||||
|  | +            return result;
 | ||||||
|  | +        }
 | ||||||
|  | +
 | ||||||
|  | +        // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
 | ||||||
|  | +        // We don't want any side effects like the next() in readChecked() above.
 | ||||||
|  | +        int readForCharacterDump(unsigned negativePositionOffest)
 | ||||||
|  | +        {
 | ||||||
|  | +            RELEASE_ASSERT(pos >= negativePositionOffest);
 | ||||||
|  | +            unsigned p = pos - negativePositionOffest;
 | ||||||
|  | +            ASSERT(p < length);
 | ||||||
|  | +            int result = input[p];
 | ||||||
|  | +            if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
 | ||||||
|  | +                if (atEnd())
 | ||||||
|  | +                    return -1;
 | ||||||
|  | +
 | ||||||
|  | +                result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
 | ||||||
|  | +            }
 | ||||||
|  | +            return result;
 | ||||||
|  | +        }
 | ||||||
|  |           | ||||||
|  |          int readSurrogatePairChecked(unsigned negativePositionOffset) | ||||||
|  |          { | ||||||
|  | @@ -482,13 +514,13 @@ public:
 | ||||||
|  |   | ||||||
|  |      bool matchAssertionBOL(ByteTerm& term) | ||||||
|  |      { | ||||||
|  | -        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
 | ||||||
|  | +        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |      bool matchAssertionEOL(ByteTerm& term) | ||||||
|  |      { | ||||||
|  |          if (term.inputPosition) | ||||||
|  | -            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
 | ||||||
|  | +            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
 | ||||||
|  |   | ||||||
|  |          return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read())); | ||||||
|  |      } | ||||||
|  | -- 
 | ||||||
|  | 2.40.1 | ||||||
|  | 
 | ||||||
							
								
								
									
										36
									
								
								SOURCES/CVE-2023-32373.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										36
									
								
								SOURCES/CVE-2023-32373.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,36 @@ | |||||||
|  | From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Antoine Quint <graouts@webkit.org> | ||||||
|  | Date: Mon, 22 May 2023 13:37:32 -0700 | ||||||
|  | Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles | ||||||
|  |  https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873 | ||||||
|  | 
 | ||||||
|  | Reviewed by Dean Jackson and Darin Adler. | ||||||
|  | 
 | ||||||
|  | Ensure that the animation's effect and target are kept alive for the duration of this method | ||||||
|  | since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus | ||||||
|  | these two pointers could be changed to a null value using the Web Animations API. | ||||||
|  | 
 | ||||||
|  | * Source/WebCore/animation/WebAnimation.cpp: | ||||||
|  | (WebCore::WebAnimation::commitStyles): | ||||||
|  | 
 | ||||||
|  | Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873 | ||||||
|  | Canonical link: https://commits.webkit.org/264363@main | ||||||
|  | ---
 | ||||||
|  |  Source/WebCore/animation/WebAnimation.cpp | 4 ++-- | ||||||
|  |  1 file changed, 2 insertions(+), 2 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
 | ||||||
|  | index 68ea47985807..ae20c79c36cf 100644
 | ||||||
|  | --- a/Source/WebCore/animation/WebAnimation.cpp
 | ||||||
|  | +++ b/Source/WebCore/animation/WebAnimation.cpp
 | ||||||
|  | @@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
 | ||||||
|  |      // https://drafts.csswg.org/web-animations-1/#commit-computed-styles | ||||||
|  |   | ||||||
|  |      // 1. Let targets be the set of all effect targets for animation effects associated with animation. | ||||||
|  | -    auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
 | ||||||
|  | -    auto* target = effect ? effect->target() : nullptr;
 | ||||||
|  | +    RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
 | ||||||
|  | +    RefPtr target = effect ? effect->target() : nullptr;
 | ||||||
|  |   | ||||||
|  |      // 2. For each target in targets: | ||||||
|  |      // | ||||||
| @ -12,7 +12,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           webkit2gtk3 | Name:           webkit2gtk3 | ||||||
| Version:        2.38.5 | Version:        2.38.5 | ||||||
| Release:        1%{?dist}.1 | Release:        1%{?dist}.2 | ||||||
| Summary:        GTK Web content engine library | Summary:        GTK Web content engine library | ||||||
| 
 | 
 | ||||||
| License:        LGPLv2 | License:        LGPLv2 | ||||||
| @ -24,8 +24,12 @@ Source1:        https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc | |||||||
| # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg | # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg | ||||||
| Source2:        webkitgtk-keys.gpg | Source2:        webkitgtk-keys.gpg | ||||||
| 
 | 
 | ||||||
|  | # https://bugzilla.redhat.com/show_bug.cgi?id=2209208 | ||||||
|  | Patch0:         CVE-2023-28204.patch | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2185745 | # https://bugzilla.redhat.com/show_bug.cgi?id=2185745 | ||||||
| Patch0:         CVE-2023-28205.patch | Patch1:         CVE-2023-28205.patch | ||||||
|  | # https://bugzilla.redhat.com/show_bug.cgi?id=2209214 | ||||||
|  | Patch2:         CVE-2023-32373.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:  bison | BuildRequires:  bison | ||||||
| BuildRequires:  bubblewrap | BuildRequires:  bubblewrap | ||||||
| @ -290,6 +294,12 @@ export NINJA_STATUS="[%f/%t][%e] " | |||||||
| %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir | %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.2 | ||||||
|  | - Add patch for CVE-2023-28204 | ||||||
|  |   Resolves: #2209747 | ||||||
|  | - Add patch for CVE-2023-32373 | ||||||
|  |   Resolves: #2209730 | ||||||
|  | 
 | ||||||
| * Tue Apr 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.1 | * Tue Apr 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.1 | ||||||
| - Add patch for CVE-2023-28205 | - Add patch for CVE-2023-28205 | ||||||
|   Resolves: #2185745 |   Resolves: #2185745 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user