From 539a0ee29a097f518353ec34058c949253969a96 Mon Sep 17 00:00:00 2001
From: anolis-bot
Date: Wed, 22 Feb 2023 22:14:28 +0800
Subject: [PATCH 1/2] update to webkit2gtk3-2.36.7-1.el8_7.2

Signed-off-by: anolis-bot
---
 0001-webkitgtk-add-loongarch.patch | 11 ------
 CVE-2023-23529.patch | 55 ++++++++++++++++++++++++++++++
 dist | 2 +-
 webkit2gtk3.spec | 11 +++---
 4 files changed, 62 insertions(+), 17 deletions(-)
 delete mode 100644 0001-webkitgtk-add-loongarch.patch
 create mode 100644 CVE-2023-23529.patch

diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch
deleted file mode 100644
index bcecd2d..0000000
--- a/0001-webkitgtk-add-loongarch.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000
-+++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000
-@@ -86,7 +86,7 @@ int main(int argc, char** argv) {
- defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \
- defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
- defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
-- defined(__SH4__) || defined(__alpha__) || \
-+ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \
- defined(_MIPS_ARCH_MIPS32R2) || \
- defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
- defined(__riscv) || \
diff --git a/CVE-2023-23529.patch b/CVE-2023-23529.patch
new file mode 100644
index 0000000..df0ef56
--- /dev/null
+++ b/CVE-2023-23529.patch
@@ -0,0 +1,55 @@
+From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki
+Date: Wed, 8 Feb 2023 15:32:00 -0800
+Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
+
+ [JSC] ToThis object folding should check if AbstractValue is always an object
+ https://bugs.webkit.org/show_bug.cgi?id=251944
+ rdar://105175786
+
+ Reviewed by Geoffrey Garen and Mark Lam.
+
+ ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
+ This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
+ This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
+
+ * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::isToThisAnIdentity):
+
+ Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
+---
+ .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+index ea7bcd6b7b31..ef3f6bbe376e 100644
+--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+ }
+ }
+
+- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
++ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
++ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
+ bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
+ bool overridesToThis = false;
+ valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
+@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+ // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
+ allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
+ });
++
++ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
+ if (!overridesToThis)
+ return ToThisResult::Identity;
+- if (allStructuresAreJSScope) {
++
++ // But this folding is available only if input is always an object.
++ if (onlyObjects && allStructuresAreJSScope) {
+ if (ecmaMode.isStrict())
+ return ToThisResult::Undefined;
+ return ToThisResult::GlobalThis;
+--
+2.39.1
+
diff --git a/dist b/dist
index 9c0e36e..535c690 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8
+an8_7
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index 4536465..b5a7c4c 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -1,4 +1,3 @@
-%define anolis_release .0.2
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@@ -13,7 +12,7 @@
 
 Name: webkit2gtk3
 Version: 2.36.7
-Release: 1%{anolis_release}%{?dist}.1
+Release: 1%{?dist}.2
 Summary: GTK Web content engine library
 
 License: LGPLv2
@@ -38,7 +37,8 @@ Patch2: icu60.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=2153683
 Patch3: CVE-2022-42856.patch
-Patch1000: 0001-webkitgtk-add-loongarch.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2169934
+Patch4: CVE-2023-23529.patch
 
 BuildRequires: bison
 BuildRequires: cmake
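Review bot: `Patch4: CVE-2023-23529.patch` is declared in the `@@ -38,7 +37,8 @@` hunk, but nothing in this diff applies it; if %prep uses explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, the CVE fix would be listed yet never applied and the build would ship without it. The %prep section lies outside every hunk here, so that cannot be confirmed from the diff alone; the same check applies to `Patch1000` re-added in the second commit's `@@ -40,6 +41,8 @@` hunk. Running `rpmspec -P` on the resulting spec, or grepping the build log for the patch filenames, would settle it before the package is tagged.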
@@ -309,8 +309,9 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 
 %changelog
-* Thu Jan 05 2023 Liwei Ge - 2.36.7-1.0.2.1
-- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin)
+* Wed Feb 15 2023 Michael Catanzaro - 2.36.7-1.2
+- Add patch for CVE-2023-23529
+ Resolves: #2170007
 
 * Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1
 - Add patch for CVE-2022-42856
-- 
Gitee

From c64e485169edac56ae2918c1d8a7202edb09fe61 Mon Sep 17 00:00:00 2001
From: mahailiang
Date: Wed, 22 Sep 2021 12:19:06 -0400
Subject: [PATCH 2/2] Sync loongsons patch webkitgtk-add-loongarch.patch

---
 0001-webkitgtk-add-loongarch.patch | 11 +++++++++++
 webkit2gtk3.spec | 8 +++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 0001-webkitgtk-add-loongarch.patch

diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch
new file mode 100644
index 0000000..bcecd2d
--- /dev/null
+++ b/0001-webkitgtk-add-loongarch.patch
@@ -0,0 +1,11 @@
+--- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000
++++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000
+@@ -86,7 +86,7 @@ int main(int argc, char** argv) {
+ defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \
+ defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
+ defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
+- defined(__SH4__) || defined(__alpha__) || \
++ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \
+ defined(_MIPS_ARCH_MIPS32R2) || \
+ defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
+ defined(__riscv) || \
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index b5a7c4c..a2fd416 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.2
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@@ -12,7 +13,7 @@
 
 Name: webkit2gtk3
 Version: 2.36.7
-Release: 1%{?dist}.2
+Release: 1%{anolis_release}%{?dist}.2
 Summary: GTK Web content engine library
 
 License: LGPLv2
@@ -40,6 +41,8 @@ Patch3: CVE-2022-42856.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2169934
 Patch4: CVE-2023-23529.patch
+Patch1000: 0001-webkitgtk-add-loongarch.patch
+
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: flex
@@ -309,6 +312,9 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 
 %changelog
+* Thu Feb 23 2023 Liwei Ge - 2.36.7-1.0.2.2
+- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin)
+
 * Wed Feb 15 2023 Michael Catanzaro - 2.36.7-1.2
 - Add patch for CVE-2023-23529
 Resolves: #2170007
-- 
Gitee
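Review bot: The `@@ -40,6 +41,8 @@` hunk re-adds `Patch1000: 0001-webkitgtk-add-loongarch.patch` with the very blob (`bcecd2d`) that commit 1/2 of this series deleted, so the intermediate commit 539a0ee builds without loongarch support and any bisect or build from it silently loses the downstream change. Squashing the two commits, or carrying the downstream patch through the rebase instead of dropping and re-adding it, would keep every commit in the series buildable on that architecture. The patch file itself still carries `webkitgtk-2.28.4` paths and `@@ -86,7 +86,7 @@` offsets while the package is now 2.36.7, so it presumably applies only by offset; refreshing it against the current tarball would make a future rebase failure visible at once rather than at build time.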