diff --git a/CVE-2023-23529.patch b/CVE-2023-23529.patch new file mode 100644 index 0000000000000000000000000000000000000000..df0ef5688f1e74b86bf852d8d7aca8cace0b8144 --- /dev/null +++ b/CVE-2023-23529.patch @@ -0,0 +1,55 @@ +From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki +Date: Wed, 8 Feb 2023 15:32:00 -0800 +Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768 + + [JSC] ToThis object folding should check if AbstractValue is always an object + https://bugs.webkit.org/show_bug.cgi?id=251944 + rdar://105175786 + + Reviewed by Geoffrey Garen and Mark Lam. + + ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding. + This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects. + This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example. + + * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::isToThisAnIdentity): + + Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch +--- + .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h +index ea7bcd6b7b31..ef3f6bbe376e 100644 +--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h ++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h +@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& + } + } + +- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) { ++ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject); ++ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) { + bool allStructuresAreJSScope = !valueForNode.m_structure.isClear(); + bool overridesToThis = false; + valueForNode.m_structure.forEach([&](RegisteredStructure structure) { +@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& + // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation. + allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis; + }); ++ ++ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity. + if (!overridesToThis) + return ToThisResult::Identity; +- if (allStructuresAreJSScope) { ++ ++ // But this folding is available only if input is always an object. ++ if (onlyObjects && allStructuresAreJSScope) { + if (ecmaMode.isStrict()) + return ToThisResult::Undefined; + return ToThisResult::GlobalThis; +-- +2.39.1 + diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..535c6900412d365bb0ff6de8d1f27110833b3ae3 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_7 diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 453646590113555cae0d3f003b1f63d4ad0564a4..a2fd416241549e9fa6158a9fb77667f0bbd24f65 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -13,7 +13,7 @@ Name: webkit2gtk3 Version: 2.36.7 -Release: 1%{anolis_release}%{?dist}.1 +Release: 1%{anolis_release}%{?dist}.2 Summary: GTK Web content engine library License: LGPLv2 @@ -38,6 +38,9 @@ Patch2: icu60.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2153683 Patch3: CVE-2022-42856.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2169934 +Patch4: CVE-2023-23529.patch + Patch1000: 0001-webkitgtk-add-loongarch.patch BuildRequires: bison @@ -309,9 +312,13 @@ export NINJA_STATUS="[%f/%t][%e] " %endif %changelog -* Thu Jan 05 2023 Liwei Ge - 2.36.7-1.0.2.1 +* Thu Feb 23 2023 Liwei Ge - 2.36.7-1.0.2.2 - Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin) +* Wed Feb 15 2023 Michael Catanzaro - 2.36.7-1.2 +- Add patch for CVE-2023-23529 + Resolves: #2170007 + * Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1 - Add patch for CVE-2022-42856 Resolves: #2153735