diff --git a/CVE-2022-42856.patch b/CVE-2022-42856.patch
deleted file mode 100644
index 34f4d749e978d399b644ff79e01e795cc5391285..0000000000000000000000000000000000000000
--- a/CVE-2022-42856.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001 -From: Mark Lam -Date: Mon, 19 Dec 2022 17:32:15 -0800 -Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1). - rdar://102531234 - - The provenType filtering in FTL's speculateRealNumber is incorrect. - https://bugs.webkit.org/show_bug.cgi?id=248266 - - - Reviewed by Justin Michaud. - - speculateRealNumber does a doubleEqual compare, which filters out double values which - are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, - the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. - - Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, - SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and - SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering - of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given - a proven type of - - { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } - - which yields - - { SpecInt32Only }. - - As a result, the compiler will think that that isNotIn32() check will always fail. This - is not correct if the actual incoming value for that edge is actually a PureNaN. In this - case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that - the isNotInt32() check will always fail and elide the check altogether. - - In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also - rename the `intCase` block to `intOrNaNCase` to document what it actually handles. - - * JSTests/stress/speculate-real-number-in-object-is.js: Added. 
- (test.object_is_opt): - (test): - * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): - - Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch - -Canonical link: https://commits.webkit.org/258113@main ---- - .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ - Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- - 2 files changed, 26 insertions(+), 4 deletions(-) - create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js - -diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -index 3ba2d21b8072..18d13f1941bb 100644 ---- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END - LValue value = lowJSValue(edge, ManualOperandSpeculation); - LValue doubleValue = unboxDouble(value); - -- LBasicBlock intCase = m_out.newBlock(); -+ LBasicBlock intOrNaNCase = m_out.newBlock(); - LBasicBlock continuation = m_out.newBlock(); - - m_out.branch( - m_out.doubleEqual(doubleValue, doubleValue), -- usually(continuation), rarely(intCase)); -+ usually(continuation), rarely(intOrNaNCase)); - -- LBasicBlock lastNext = m_out.appendTo(intCase, continuation); -+ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); - - typeCheck( - jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, -- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); -+ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); - m_out.jump(continuation); - - m_out.appendTo(continuation, lastNext); diff --git a/CVE-2023-23529.patch b/CVE-2023-23529.patch deleted file mode 100644 index df0ef5688f1e74b86bf852d8d7aca8cace0b8144..0000000000000000000000000000000000000000 --- a/CVE-2023-23529.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001 -From: Yusuke Suzuki -Date: Wed, 8 Feb 2023 15:32:00 -0800 -Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768 - - [JSC] ToThis object folding should check if AbstractValue is always an object - https://bugs.webkit.org/show_bug.cgi?id=251944 - rdar://105175786 - - Reviewed by Geoffrey Garen and Mark Lam. - - ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding. - This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects. - This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example. - - * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::isToThisAnIdentity): - - Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch ---- - .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -index ea7bcd6b7b31..ef3f6bbe376e 100644 ---- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& - } - } - -- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) { -+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject); -+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) { - bool allStructuresAreJSScope = !valueForNode.m_structure.isClear(); - bool overridesToThis = false; - valueForNode.m_structure.forEach([&](RegisteredStructure structure) { -@@ -226,9 
+227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& - // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation. - allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis; - }); -+ -+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity. - if (!overridesToThis) - return ToThisResult::Identity; -- if (allStructuresAreJSScope) { -+ -+ // But this folding is available only if input is always an object. -+ if (onlyObjects && allStructuresAreJSScope) { - if (ecmaMode.isStrict()) - return ToThisResult::Undefined; - return ToThisResult::GlobalThis; --- -2.39.1 - diff --git a/CVE-2023-28205.patch b/CVE-2023-28205.patch index 3fa0f4ae2829530229af5f8941b56c16e730f79b..030bf968d1fd8b6f01df615e3a74a303aa235718 100644 --- a/CVE-2023-28205.patch +++ b/CVE-2023-28205.patch @@ -1,83 +1,80 @@ -From 162f94957f5a65aa0177bdea2b5810d44b637b5a Mon Sep 17 00:00:00 2001 +From b315f620c349e001a697dd7d4c501bdd07fe18c5 Mon Sep 17 00:00:00 2001 
From: Mark Lam Date: Fri, 31 Mar 2023 10:49:49 -0700 -Subject: [PATCH] Cherry-pick 259548.395@safari-7615.1.26.11-branch - (1039f0c3235f). +Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977 - Cherry-pick 2c49ff7b0481. rdar://problem/107369977 + CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. + https://bugs.webkit.org/show_bug.cgi?id=254797 + rdar://107369977 - CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. - https://bugs.webkit.org/show_bug.cgi?id=254797 - rdar://107369977 + Reviewed by Justin Michaud. - Reviewed by Justin Michaud. + Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects + in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot + scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector + template class that offer 2 enhancements: - Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects - in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot - scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector - template class that offer 2 enhancements: + 1. It can be configured to store specific types of cell pointer types. This avoids us + having to constantly cast JSValues into these pointers. - 1. It can be configured to store specific types of cell pointer types. This avoids us - having to constantly cast JSValues into these pointers. + 2. It allows us to specify the type of OverflowHandler we want to use. In this case, + we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes + RecordOnOverflow. This allows us to avoid having to manually check for overflows, + or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be + used as a drop in replacement for Vector. - 2. 
It allows us to specify the type of OverflowHandler we want to use. In this case, - we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes - RecordOnOverflow. This allows us to avoid having to manually check for overflows, - or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be - used as a drop in replacement for Vector. + And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors + with MarkedVector instead. - And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors - with MarkedVector instead. + * Source/JavaScriptCore/heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): + * Source/JavaScriptCore/heap/Heap.h: + * Source/JavaScriptCore/heap/HeapInlines.h: + * Source/JavaScriptCore/runtime/ArgList.cpp: + (JSC::MarkedVectorBase::addMarkSet): + (JSC::MarkedVectorBase::markLists): + (JSC::MarkedVectorBase::slowEnsureCapacity): + (JSC::MarkedVectorBase::expandCapacity): + (JSC::MarkedVectorBase::slowAppend): + (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted. + (JSC::MarkedArgumentBufferBase::markLists): Deleted. + (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted. + (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted. + (JSC::MarkedArgumentBufferBase::slowAppend): Deleted. + * Source/JavaScriptCore/runtime/ArgList.h: + (JSC::MarkedVectorWithSize::MarkedVectorWithSize): + (JSC::MarkedVectorWithSize::at const): + (JSC::MarkedVectorWithSize::clear): + (JSC::MarkedVectorWithSize::append): + (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow): + (JSC::MarkedVectorWithSize::last const): + (JSC::MarkedVectorWithSize::takeLast): + (JSC::MarkedVectorWithSize::ensureCapacity): + (JSC::MarkedVectorWithSize::hasOverflowed): + (JSC::MarkedVectorWithSize::fill): + (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted. 
+ * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp: + (WebCore::AudioWorkletProcessor::buildJSArguments): + * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h: + * Source/WebCore/bindings/js/SerializedScriptValue.cpp: + (WebCore::CloneDeserializer::deserialize): - * Source/JavaScriptCore/heap/Heap.cpp: - (JSC::Heap::addCoreConstraints): - * Source/JavaScriptCore/heap/Heap.h: - * Source/JavaScriptCore/heap/HeapInlines.h: - * Source/JavaScriptCore/runtime/ArgList.cpp: - (JSC::MarkedVectorBase::addMarkSet): - (JSC::MarkedVectorBase::markLists): - (JSC::MarkedVectorBase::slowEnsureCapacity): - (JSC::MarkedVectorBase::expandCapacity): - (JSC::MarkedVectorBase::slowAppend): - (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted. - (JSC::MarkedArgumentBufferBase::markLists): Deleted. - (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted. - (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted. - (JSC::MarkedArgumentBufferBase::slowAppend): Deleted. - * Source/JavaScriptCore/runtime/ArgList.h: - (JSC::MarkedVectorWithSize::MarkedVectorWithSize): - (JSC::MarkedVectorWithSize::at const): - (JSC::MarkedVectorWithSize::clear): - (JSC::MarkedVectorWithSize::append): - (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow): - (JSC::MarkedVectorWithSize::last const): - (JSC::MarkedVectorWithSize::takeLast): - (JSC::MarkedVectorWithSize::ensureCapacity): - (JSC::MarkedVectorWithSize::hasOverflowed): - (JSC::MarkedVectorWithSize::fill): - (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted. 
- * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp: - (WebCore::AudioWorkletProcessor::buildJSArguments): - * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h: - * Source/WebCore/bindings/js/SerializedScriptValue.cpp: - (WebCore::CloneDeserializer::deserialize): + Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch - Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch - - Identifier: 259548.395@safari-7615.1.26.11-branch +Identifier: 259548.395@safari-7615.1.26.11-branch --- - Source/JavaScriptCore/heap/Heap.cpp | 6 +- + Source/JavaScriptCore/heap/Heap.cpp | 4 +- Source/JavaScriptCore/heap/Heap.h | 8 +- - Source/JavaScriptCore/heap/HeapInlines.h | 6 +- + Source/JavaScriptCore/heap/HeapInlines.h | 2 +- Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++-- - Source/JavaScriptCore/runtime/ArgList.h | 206 ++++++++++-------- + Source/JavaScriptCore/runtime/ArgList.h | 207 ++++++++++-------- .../webaudio/AudioWorkletProcessor.cpp | 4 +- .../Modules/webaudio/AudioWorkletProcessor.h | 7 +- .../bindings/js/SerializedScriptValue.cpp | 11 +- - 8 files changed, 160 insertions(+), 134 deletions(-) + 8 files changed, 159 insertions(+), 130 deletions(-) diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp -index 8e53ddead1fd..7e3f8487f3db 100644 +index 8a4c082cb36e..632b01f14546 100644 --- a/Source/JavaScriptCore/heap/Heap.cpp +++ b/Source/JavaScriptCore/heap/Heap.cpp @@ -1,5 +1,5 @@ 
@@ -87,20 +84,17 @@ index 8e53ddead1fd..7e3f8487f3db 100644 * Copyright (C) 2007 Eric Seidel * * This library is free software; you can redistribute it and/or -@@ -2836,9 +2836,9 @@ void Heap::addCoreConstraints() - visitor.appendUnbarriered(pair.key); - } +@@ -2847,7 +2847,7 @@ void Heap::addCoreConstraints() -- if (m_markListSet && m_markListSet->size()) { -+ if (!m_markListSet.isEmpty()) { + if (!m_markListSet.isEmpty()) { SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan); -- MarkedArgumentBufferBase::markLists(visitor, *m_markListSet); +- MarkedArgumentBufferBase::markLists(visitor, m_markListSet); + MarkedVectorBase::markLists(visitor, m_markListSet); } { diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h -index af0e4c46a6ce..fd8cf668baae 100644 +index 418f24fd1212..8df576acf7f8 100644 --- a/Source/JavaScriptCore/heap/Heap.h +++ b/Source/JavaScriptCore/heap/Heap.h @@ -1,7 +1,7 @@ @@ -121,7 +115,7 @@ index af0e4c46a6ce..fd8cf668baae 100644 class MarkingConstraint; class MarkingConstraintSet; class MutatorScheduler; -@@ -410,7 +410,7 @@ public: +@@ -409,7 +409,7 @@ public: JS_EXPORT_PRIVATE std::unique_ptr protectedObjectTypeCounts(); JS_EXPORT_PRIVATE std::unique_ptr objectTypeCounts(); @@ -130,33 +124,28 @@ index af0e4c46a6ce..fd8cf668baae 100644 void addMarkedJSValueRefArray(MarkedJSValueRefArray*); template void forEachProtectedCell(const Functor&); -@@ -779,7 +779,7 @@ private: +@@ -778,7 +778,7 @@ private: size_t m_deprecatedExtraMemorySize { 0 }; ProtectCountSet m_protectedValues; -- std::unique_ptr> m_markListSet; +- HashSet m_markListSet; + HashSet m_markListSet; SentinelLinkedList> m_markedJSValueRefArrays; std::unique_ptr m_machineThreads; diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h -index 39c06b659d9c..4d767a564d5f 100644 +index 66d8317e317c..4d767a564d5f 100644 --- a/Source/JavaScriptCore/heap/HeapInlines.h 
+++ b/Source/JavaScriptCore/heap/HeapInlines.h -@@ -206,11 +206,9 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded() +@@ -206,7 +206,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded() } } -inline HashSet& Heap::markListSet() +inline HashSet& Heap::markListSet() { -- if (!m_markListSet) -- m_markListSet = makeUnique>(); -- return *m_markListSet; -+ return m_markListSet; + return m_markListSet; } - - inline void Heap::reportExtraMemoryAllocated(size_t size) diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp index f2815b80c8c7..a72dea74a56f 100644 --- a/Source/JavaScriptCore/runtime/ArgList.cpp @@ -270,10 +259,17 @@ index f2815b80c8c7..a72dea74a56f 100644 } // namespace JSC diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h -index 8ea9b0e308b8..07632263266b 100644 +index 8ea9b0e308b8..01a6d5e0e5dc 100644 --- a/Source/JavaScriptCore/runtime/ArgList.h +++ b/Source/JavaScriptCore/runtime/ArgList.h -@@ -28,20 +28,20 @@ +@@ -22,26 +22,27 @@ + #pragma once + + #include "CallFrame.h" ++#include "JSCast.h" + #include + #include + #include namespace JSC { @@ -301,7 +297,7 @@ index 8ea9b0e308b8..07632263266b 100644 if (m_markSet) m_markSet->remove(this); -@@ -52,92 +52,20 @@ public: +@@ -52,92 +53,20 @@ public: size_t size() const { return m_size; } bool isEmpty() const { return !m_size; } @@ -395,7 +391,7 @@ index 8ea9b0e308b8..07632263266b 100644 : m_size(0) , m_capacity(capacity) , m_buffer(inlineBuffer()) -@@ -147,17 +75,16 @@ protected: +@@ -147,17 +76,16 @@ protected: EncodedJSValue* inlineBuffer() { @@ -418,7 +414,7 @@ index 8ea9b0e308b8..07632263266b 100644 EncodedJSValue& slotFor(int item) const { -@@ -172,11 +99,14 @@ private: +@@ -172,11 +100,14 @@ private: } #if ASSERT_ENABLED 
@@ -434,7 +430,7 @@ index 8ea9b0e308b8..07632263266b 100644 void setNeedsOverflowCheck() { } void clearNeedsOverflowCheck() { } #endif // ASSERT_ENABLED -@@ -186,22 +116,114 @@ private: +@@ -186,22 +117,114 @@ private: ListSet* m_markSet; }; @@ -555,7 +551,7 @@ index 8ea9b0e308b8..07632263266b 100644 class ArgList { WTF_MAKE_FAST_ALLOCATED; diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -index c8c486a6e9a6..4f0a26574132 100644 +index 13d04e3bdb3b..f827b2ec6a6b 100644 --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp @@ -1,5 +1,5 @@ 
@@ -565,17 +561,17 @@ index c8c486a6e9a6..4f0a26574132 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -218,7 +218,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop +@@ -219,7 +219,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop ASSERT(!isMainThread()); } --void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap) -+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap) +-void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap) ++void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap) { // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes. - if (!copyDataFromBusesToJSArray(vm, globalObject, inputs, toJSArray(m_jsInputs))) + if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs))) diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -index 7d256ea557bb..9ad78225ee51 100644 +index 3f3d708c7ae4..b0bce3609198 100644 --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h @@ -1,5 +1,5 @@ 
@@ -585,7 +581,7 @@ index 7d256ea557bb..9ad78225ee51 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -40,7 +40,8 @@ +@@ -41,7 +41,8 @@ namespace JSC { class JSArray; @@ -595,20 +591,20 @@ index 7d256ea557bb..9ad78225ee51 100644 } namespace WebCore { -@@ -69,7 +70,7 @@ public: +@@ -71,7 +72,7 @@ public: private: explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&); -- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap); -+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap); +- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap); ++ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap); AudioWorkletGlobalScope& m_globalScope; String m_name; diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -index 2e6038948a8a..a9841fe057b8 100644 +index e0d4316a169f..5897e1066512 100644 --- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp +++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -@@ -539,6 +539,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000; +@@ -540,6 +540,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000; using DeserializationResult = std::pair; class CloneBase { 
@@ -616,7 +612,7 @@ index 2e6038948a8a..a9841fe057b8 100644 protected: CloneBase(JSGlobalObject* lexicalGlobalObject) : m_lexicalGlobalObject(lexicalGlobalObject) -@@ -616,6 +617,7 @@ template <> bool writeLittleEndian(Vector& buffer, const uint8 +@@ -617,6 +618,7 @@ template <> bool writeLittleEndian(Vector& buffer, const uint8 } class CloneSerializer : CloneBase { @@ -624,7 +620,7 @@ index 2e6038948a8a..a9841fe057b8 100644 public: static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector>& messagePorts, Vector>& arrayBuffers, const Vector>& imageBitmaps, #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS) -@@ -2148,6 +2150,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in) +@@ -2150,6 +2152,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in) } class CloneDeserializer : CloneBase { @@ -632,7 +628,7 @@ index 2e6038948a8a..a9841fe057b8 100644 public: static String deserializeString(const Vector& buffer) { -@@ -3920,10 +3923,10 @@ DeserializationResult CloneDeserializer::deserialize() +@@ -3921,10 +3924,10 @@ DeserializationResult CloneDeserializer::deserialize() Vector indexStack; Vector propertyNameStack; @@ -650,15 +646,3 @@ index 2e6038948a8a..a9841fe057b8 100644 -- 2.40.0 -diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h -index 8ea9b0e308b8..04cbc452f846 100644 ---- a/Source/JavaScriptCore/runtime/ArgList.h -+++ b/Source/JavaScriptCore/runtime/ArgList.h -@@ -22,6 +22,7 @@ - #pragma once - - #include "CallFrame.h" -+#include "JSCast.h" - #include - #include - #include diff --git a/aarch64-page-size.patch b/aarch64-page-size.patch deleted file mode 100644 index 15aaacb390a7e7b94971b374c7daaa801b73240a..0000000000000000000000000000000000000000 --- a/aarch64-page-size.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff --git a/Source/WTF/wtf/PageBlock.h b/Source/WTF/wtf/PageBlock.h -index 9bb7fffcc1ae..3e1e24aa69f5 100644 ---- a/Source/WTF/wtf/PageBlock.h -+++ b/Source/WTF/wtf/PageBlock.h -@@ -45,11 +45,11 @@ namespace WTF { - // On Linux, Power systems normally use 64 KiB pages. - // - // Use 64 KiB for any unknown CPUs to be conservative. --#if OS(DARWIN) || PLATFORM(PLAYSTATION) || CPU(MIPS) || CPU(MIPS64) || (OS(LINUX) && CPU(ARM64)) -+#if OS(DARWIN) || PLATFORM(PLAYSTATION) || CPU(MIPS) || CPU(MIPS64) - constexpr size_t CeilingOnPageSize = 16 * KB; --#elif CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || CPU(UNKNOWN) -+#elif CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || CPU(UNKNOWN) || CPU(ARM64) - constexpr size_t CeilingOnPageSize = 64 * KB; --#elif OS(WINDOWS) || CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(ARM64) || CPU(RISCV64) -+#elif OS(WINDOWS) || CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(RISCV64) - constexpr size_t CeilingOnPageSize = 4 * KB; - #else - #error Must set CeilingOnPageSize in PageBlock.h when adding a new CPU architecture! diff --git a/dist b/dist index 535c6900412d365bb0ff6de8d1f27110833b3ae3..5aa45c5bf3f5e5b781981aec176b4910ac39baaf 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_7 +an8_8 diff --git a/download b/download index 6189380656da4dd46c16e73e8a963e32e70e3347..412bb4e01ecea42ff255e12eae25d5bcead8b66a 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -466351cf35e4f742590919380b5dee93 webkitgtk-2.36.7.tar.xz -860c5c85bff4c71c2044715b957017ef webkitgtk-2.36.7.tar.xz.asc +de05d314a3ecb5fb3835e4d84f8f466d webkitgtk-2.38.5.tar.xz +523bd532589f6f44600be0533d7549ad webkitgtk-2.38.5.tar.xz.asc diff --git a/evolution-shared-secondary-process.patch b/evolution-shared-secondary-process.patch index 22c2d00eb4899f9cf7129123db6b569dbbec3854..d5f6f10f4d8f1f104e1ccfe9b5fcbbbd3890c956 100644 --- a/evolution-shared-secondary-process.patch +++ b/evolution-shared-secondary-process.patch 
@@ -1,10 +1,19 @@ +From ffe84688fc8a91b1e6d1c4462120fc44349a7c05 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 27 Oct 2022 19:12:43 -0500 +Subject: [PATCH] Force Evolution to use single secondary process + +--- + Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp | 3 +++ + 1 file changed, 3 insertions(+) + diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp -index bd2d4d20206f..0fe471bde384 100644 +index 6bb6767869af..2a05a69d9b0d 100644 --- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp +++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp -@@ -415,6 +415,9 @@ static void webkitWebContextConstructed(GObject* object) - g_clear_pointer(&priv->memoryPressureSettings, webkit_memory_pressure_settings_free); +@@ -431,6 +431,9 @@ static void webkitWebContextConstructed(GObject* object) } + configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length())); + if (!g_strcmp0(g_get_prgname(), "evolution")) + configuration.setUsesSingleWebProcess(true); @@ -12,3 +21,6 @@ index bd2d4d20206f..0fe471bde384 100644 if (!priv->websiteDataManager) priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr)); +-- +2.31.1 + diff --git a/icu60.patch b/icu60.patch index 775bbc5522b5a6da4f6127f3bffa99d6912f4303..303cc00235efeacbeccfb28c917ff6d98650c072 100644 --- a/icu60.patch +++ b/icu60.patch 
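Review bot: The header added to evolution-shared-secondary-process.patch carries only a subject line, so the patch itself gives no rationale and no bug reference for changing the process model of one application. The code it wraps matches on `g_get_prgname()` being `"evolution"` and calls `configuration.setUsesSingleWebProcess(true)`, which presumably places all of that program's web views in one web process; that is an isolation trade-off a later maintainer should be able to find explained. I would add a body line to the header such as `<why Evolution needs a single web process>; see https://bugs.webkit.org/show_bug.cgi?id=193749` (the URL the spec already cites for this patch), and mention that the match is by program name only. webkitWebContextConstructed starts and ends outside the hunk.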
@@ -1,6 +1,22 @@ ---- a/Source/JavaScriptCore/runtime/IntlCache.cpp -+++ a/Source/JavaScriptCore/runtime/IntlCache.cpp -@@ -26,6 +26,7 @@ +From 833cfdd150b6f7f0fb021ac5de7890dff158f5fd Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 27 Oct 2022 16:32:43 -0500 +Subject: [PATCH] Build against ICU 60 + +--- + Source/JavaScriptCore/runtime/IntlCache.cpp | 3 +++ + Source/JavaScriptCore/runtime/IntlCache.h | 3 +++ + Source/JavaScriptCore/runtime/IntlDisplayNames.cpp | 11 +++++++++++ + Source/JavaScriptCore/runtime/IntlDisplayNames.h | 7 +++++++ + Source/JavaScriptCore/runtime/IntlObject.cpp | 6 +++++- + Source/cmake/OptionsGTK.cmake | 2 +- + 6 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp +index b17d7340df56..94a5474059b6 100644 +--- a/Source/JavaScriptCore/runtime/IntlCache.cpp ++++ b/Source/JavaScriptCore/runtime/IntlCache.cpp +@@ -26,6 +26,7 @@ #include "config.h" #include "IntlCache.h" @@ -23,9 +39,11 @@ +#endif } // namespace JSC ---- a/Source/JavaScriptCore/runtime/IntlCache.h -+++ a/Source/JavaScriptCore/runtime/IntlCache.h -@@ -25,6 +25,7 @@ +diff --git a/Source/JavaScriptCore/runtime/IntlCache.h b/Source/JavaScriptCore/runtime/IntlCache.h +index 058b2423786d..e7a8c82f392b 100644 +--- a/Source/JavaScriptCore/runtime/IntlCache.h ++++ b/Source/JavaScriptCore/runtime/IntlCache.h +@@ -25,6 +25,7 @@ #pragma once @@ -43,8 +61,10 @@ private: UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status) ---- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp -+++ a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp +diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp +index c281f796eaee..1bc3c0c8a8c6 100644 +--- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp ++++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp 
@@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa m_languageDisplay = intlOption(globalObject, options, vm.propertyNames->languageDisplay, { { "dialect"_s, LanguageDisplay::Dialect }, { "standard"_s, LanguageDisplay::Standard } }, "languageDisplay must be either \"dialect\" or \"standard\""_s, LanguageDisplay::Dialect); RETURN_IF_EXCEPTION(scope, void()); @@ -58,8 +78,8 @@ return; } +#else -+ throwTypeError(globalObject, scope, "Failed to initialize Intl.DisplayNames since used feature is not supported in the linked ICU version"_s); -+ return; ++ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s); ++ return; +#endif } @@ -75,20 +95,22 @@ 
@@ -350,6 +356,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co return throwTypeError(globalObject, scope, "Failed to query a display name."_s); } - return jsString(vm, String(buffer)); + return jsString(vm, String(WTFMove(buffer))); +#else + UNUSED_PARAM(codeValue); -+ throwTypeError(globalObject, scope, "Failed to initialize Intl.DisplayNames since used feature is not supported in the linked ICU version"_s); ++ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s); + return { }; +#endif } // https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.resolvedOptions ---- a/Source/JavaScriptCore/runtime/IntlDisplayNames.h -+++ a/Source/JavaScriptCore/runtime/IntlDisplayNames.h -@@ -31,6 +31,13 @@ - - namespace JSC { +diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.h b/Source/JavaScriptCore/runtime/IntlDisplayNames.h +index d80dc3d83a15..f2bf36275c79 100644 +--- a/Source/JavaScriptCore/runtime/IntlDisplayNames.h ++++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.h +@@ -29,6 +29,13 @@ + #include + #include +#if !defined(HAVE_ICU_U_LOCALE_DISPLAY_NAMES) +// We need 61 or later since part of implementation uses UCURR_NARROW_SYMBOL_NAME. @@ -97,11 +119,13 @@ +#endif +#endif + - enum class RelevantExtensionKey : uint8_t; + namespace JSC { - class IntlDisplayNames final : public JSNonFinalObject { ---- a/Source/JavaScriptCore/runtime/IntlObject.cpp -+++ a/Source/JavaScriptCore/runtime/IntlObject.cpp + enum class RelevantExtensionKey : uint8_t; +diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp +index f7dc4d578d77..a6ccbe1b9f74 100644 +--- a/Source/JavaScriptCore/runtime/IntlObject.cpp ++++ b/Source/JavaScriptCore/runtime/IntlObject.cpp 
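Review bot: The reworded fallback in `IntlDisplayNames::of` still throws "failed to initialize Intl.DisplayNames ...", although this path is a lookup, not initialization, so the message would mislead anyone who hits it. If the branch is reachable at all when the ICU feature macro is off, a message that names the operation reads better, for example `throwTypeError(globalObject, scope, "Intl.DisplayNames is not supported by the linked ICU version"_s);`. The same wording in the initializeDisplayNames hunk is accurate there and can stay. The enclosing function body and the opening `#if` are outside the hunk.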
@@ -153,7 +153,6 @@ namespace JSC { getCanonicalLocales intlObjectFuncGetCanonicalLocales DontEnum|Function 1 Collator createCollatorConstructor DontEnum|PropertyCallback @@ -112,7 +136,7 @@ PluralRules createPluralRulesConstructor DontEnum|PropertyCallback @@ -239,6 +238,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject* globalObject) Base::finishCreation(vm); - ASSERT(inherits(vm, info())); + ASSERT(inherits(info())); JSC_TO_STRING_TAG_WITHOUT_TRANSITION(); +#if HAVE(ICU_U_LOCALE_DISPLAY_NAMES) + putDirectWithoutTransition(vm, vm.propertyNames->DisplayNames, createDisplayNamesConstructor(vm, this), static_cast(PropertyAttribute::DontEnum)); @@ -122,9 +146,11 @@ #if HAVE(ICU_U_LIST_FORMATTER) putDirectWithoutTransition(vm, vm.propertyNames->ListFormat, createListFormatConstructor(vm, this), static_cast(PropertyAttribute::DontEnum)); #else ---- a/Source/cmake/OptionsGTK.cmake -+++ a/Source/cmake/OptionsGTK.cmake -@@ -14,7 +14,7 @@ find_package(Freetype 2.4.2 REQUIRED) +diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake +index 5e653a9e0b5a..0977f2c49037 100644 +--- a/Source/cmake/OptionsGTK.cmake ++++ b/Source/cmake/OptionsGTK.cmake +@@ -19,7 +19,7 @@ find_package(Freetype 2.4.2 REQUIRED) find_package(LibGcrypt 1.6.0 REQUIRED) find_package(GLIB 2.56.4 REQUIRED COMPONENTS gio gio-unix gobject gthread gmodule) find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU) @@ -133,3 +159,6 @@ find_package(JPEG REQUIRED) find_package(LibXml2 2.8.0 REQUIRED) find_package(PNG REQUIRED) +-- +2.31.1 + diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 8e8b866bcf773a0219508db87fa55c2ee89e64b1..d68a05ffb8ae7e46503dc77b4e650f0226fdad13 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec 
@@ -1,4 +1,4 @@ -%define anolis_release .0.2 +%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -6,13 +6,8 @@ mkdir -p _license_files ; \ cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g') -# Build documentation by default (use `rpmbuild --without docs` to override it). -# This is used by Coverity. Coverity injects custom compiler warnings, but -# any warning during WebKit docs build is fatal! -%bcond_without docs - Name: webkit2gtk3 -Version: 2.36.7 +Version: 2.38.5 Release: 1%{anolis_release}%{?dist}.3 Summary: GTK Web content engine library @@ -28,19 +23,11 @@ Source2: webkitgtk-keys.gpg # https://bugs.webkit.org/show_bug.cgi?id=193749 Patch0: evolution-shared-secondary-process.patch -# https://bugs.webkit.org/show_bug.cgi?id=217989 -# https://bugs.webkit.org/show_bug.cgi?id=227905 -Patch1: aarch64-page-size.patch - # https://bugs.webkit.org/show_bug.cgi?id=235367 -Patch2: icu60.patch +Patch1: icu60.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2153683 -Patch3: CVE-2022-42856.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2169934 -Patch4: CVE-2023-23529.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2185744 -Patch5: CVE-2023-28205.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2185741 +Patch2: CVE-2023-28205.patch Patch1000: 0001-webkitgtk-add-loongarch.patch @@ -51,7 +38,6 @@ BuildRequires: gcc-c++ BuildRequires: gettext BuildRequires: git BuildRequires: gperf -BuildRequires: gtk-doc BuildRequires: hyphen-devel BuildRequires: libatomic BuildRequires: ninja-build 
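Review bot: The patch-list hunk (`@@ -28,19 +23,11 @@`) drops `CVE-2022-42856.patch` and `CVE-2023-23529.patch` without recording where those two fixes now come from. Presumably the rebase from 2.36.7 to 2.38.5 already carries both upstream, but nothing in the spec says so. The changelog hunk further down also removes the two "Add patch for CVE-…" entries, so an audit that goes by the package changelog loses the trail for both CVEs. I would record it in the new changelog entry, for example `- Update to 2.38.5 (carries upstream fixes for CVE-2022-42856 and CVE-2023-23529; downstream patches dropped)`, after confirming both against the upstream release notes.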
@@ -103,6 +89,8 @@ BuildRequires: pkgconfig(wayland-client) BuildRequires: pkgconfig(wayland-egl) BuildRequires: pkgconfig(wayland-protocols) BuildRequires: pkgconfig(wayland-server) +BuildRequires: pkgconfig(wpe-1.0) +BuildRequires: pkgconfig(wpebackend-fdo-1.0) BuildRequires: pkgconfig(xt) # If Geoclue is not running, the geolocation API will not work. @@ -126,6 +114,10 @@ Provides: webkit2gtk3-plugin-process-gtk2 = %{version}-%{release} Obsoletes: webkitgtk4-plugin-process-gtk2 < %{version}-%{release} Provides: webkitgtk4-plugin-process-gtk2 = %{version}-%{release} +# Don't build documentation anymore to avoid gi-docgen dependency +Obsoletes: webkit2gtk3-doc < %{version}-%{release} +Provides: webkit2gtk3-doc = %{version}-%{release} + # We're supposed to specify versions here, but these libraries don't do # normal releases. Accordingly, they're not suitable to be system libs. Provides: bundled(angle) @@ -155,18 +147,6 @@ Provides: webkitgtk4-devel = %{version}-%{release} The %{name}-devel package contains libraries, build data, and header files for developing applications that use %{name}. -%if %{with docs} -%package doc -Summary: Documentation files for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} -Obsoletes: webkitgtk4-doc < %{version}-%{release} -Provides: webkitgtk4-doc = %{version}-%{release} - -%description doc -This package contains developer documentation for %{name}. -%endif - %package jsc Summary: JavaScript engine from %{name} Obsoletes: webkitgtk4-jsc < %{version}-%{release} @@ -221,16 +201,11 @@ pushd %{_target_platform} -DCMAKE_BUILD_TYPE=Release \ -DENABLE_BUBBLEWRAP_SANDBOX=OFF \ -DUSE_SOUP2=ON \ -%if %{with docs} - -DENABLE_GTKDOC=ON \ -%endif - -DENABLE_MINIBROWSER=ON \ - -DUSE_WPE_RENDERER=OFF \ + -DENABLE_DOCUMENTATION=OFF \ -DENABLE_GAMEPAD=OFF \ %if 0%{?rhel} %ifarch aarch64 - -DENABLE_JIT=OFF \ - -DUSE_SYSTEM_MALLOC=ON \ + -DUSE_64KB_PAGE_BLOCK=ON \ %endif %endif .. 
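Review bot: In the cmake options hunk (`@@ -221,16 +201,11 @@`), the aarch64 branch replaces `-DENABLE_JIT=OFF` and `-DUSE_SYSTEM_MALLOC=ON` with `-DUSE_64KB_PAGE_BLOCK=ON`, with no comment explaining the trade-off. That leaves the JavaScriptCore JIT and the allocator at the build defaults on that architecture, presumably enabled and the bundled allocator. The unchanged context line `-DENABLE_BUBBLEWRAP_SANDBOX=OFF` keeps the web process sandbox disabled, so a JIT defect like the one described in the removed CVE-2022-42856 patch has no sandbox behind it. I would add a comment above the flag, such as `# aarch64 with 64 KiB pages: USE_64KB_PAGE_BLOCK replaces the former JIT-off/system-malloc workaround`, once that reading is confirmed. The cmake invocation begins and ends outside this hunk.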
@@ -303,30 +278,46 @@ export NINJA_STATUS="[%f/%t][%e] " %dir %{_datadir}/gir-1.0 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir -%if %{with docs} -%files doc -%dir %{_datadir}/gtk-doc -%dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/jsc-glib-4.0/ -%{_datadir}/gtk-doc/html/webkit2gtk-4.0/ -%{_datadir}/gtk-doc/html/webkitdomgtk-4.0/ -%endif - %changelog -* Fri Apr 21 2023 Liwei Ge - 2.36.7-1.0.2.3 +* Wed May 17 2023 Liwei Ge - 2.38.5-1.0.1.3 - Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin) -* Wed Apr 12 2023 Michael Catanzaro - 2.36.7-1.3 +* Fri Apr 14 2023 Michael Catanzaro - 2.38.5-1.3 +- Restore libwpe and wpebackend-fdo dependencies + Related: #2185741 (sort of) + +* Wed Apr 12 2023 Michael Catanzaro - 2.38.5-1.2 +- Disable libwpe and wpebackend-fdo dependencies + Related: #2185741 (sort of) + +* Tue Apr 11 2023 Michael Catanzaro - 2.38.5-1.1 - Add patch for CVE-2023-28205 - Resolves: #2185740 + Resolves: #2185741 + +* Wed Feb 15 2023 Michael Catanzaro - 2.38.5-1 +- Update to 2.38.5 + Related: #2127468 + +* Thu Feb 02 2023 Michael Catanzaro - 2.38.4-1 +- Update to 2.38.4 + Related: #2127468 + +* Thu Dec 22 2022 Michael Catanzaro - 2.38.3-1 +- Update to 2.38.3 + Related: #2127468 + +* Fri Nov 04 2022 Michael Catanzaro - 2.38.2-1 +- Update to 2.38.2 + Related: #2127468 -* Wed Feb 15 2023 Michael Catanzaro - 2.36.7-1.2 -- Add patch for CVE-2023-23529 - Resolves: #2170007 +* Wed Nov 02 2022 Michael Catanzaro - 2.38.1-2 +- Fix crashes on aarch64 + Enable WPE renderer + Related: #2127468 -* Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1 -- Add patch for CVE-2022-42856 - Resolves: #2153735 +* Thu Oct 27 2022 Michael Catanzaro - 2.38.1-1 +- Update to 2.38.1 + Related: #2127468 * Wed Aug 24 2022 Michael Catanzaro - 2.36.7-1 - Update to 2.36.7