From c236ed448615581ace397b2da341fef1ed80525c Mon Sep 17 00:00:00 2001 From: anolis-bot Date: Mon, 5 Jun 2023 17:28:13 +0800 Subject: [PATCH 1/2] update to webkit2gtk3-2.38.5-1.el8_8.4 Signed-off-by: anolis-bot --- 0001-webkitgtk-add-loongarch.patch | 11 -- CVE-2023-28204.patch | 167 +++++++++++++++++++++++++++++ CVE-2023-32373.patch | 36 +++++++ webkit2gtk3.spec | 20 ++-- 4 files changed, 215 insertions(+), 19 deletions(-) delete mode 100644 0001-webkitgtk-add-loongarch.patch create mode 100644 CVE-2023-28204.patch create mode 100644 CVE-2023-32373.patch diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch deleted file mode 100644 index bcecd2d..0000000 --- a/0001-webkitgtk-add-loongarch.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000 -+++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000 -@@ -86,7 +86,7 @@ int main(int argc, char** argv) { - defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \ - defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ - defined(__sparc__) || defined(__sparc) || defined(__s390__) || \ -- defined(__SH4__) || defined(__alpha__) || \ -+ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \ - defined(_MIPS_ARCH_MIPS32R2) || \ - defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \ - defined(__riscv) || \ diff --git a/CVE-2023-28204.patch b/CVE-2023-28204.patch new file mode 100644 index 0000000..cc19fd0 --- /dev/null +++ b/CVE-2023-28204.patch 
@@ -0,0 +1,167 @@ +From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001 +From: Michael Saboff +Date: Mon, 22 May 2023 13:40:46 -0700 +Subject: [PATCH] Cherry-pick 264365@main (698c6e293734). + https://bugs.webkit.org/show_bug.cgi?id=254930 + + [JSC] RegExpGlobalData::performMatch issue leading to OOB read + https://bugs.webkit.org/show_bug.cgi?id=254930 + rdar://107436732 + + Reviewed by Alexey Shvayka. + + Fixed two issues: + 1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP + characters. Since it is an assertion, we shouldn't advance the character position. + Made the same fix to matchAssertionEOL(). + 2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of + a non-BMP character for the case where the RegExp match is empty. + + * JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test. + * Source/JavaScriptCore/runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + * Source/JavaScriptCore/yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance): + (JSC::Yarr::Interpreter::matchAssertionBOL): + (JSC::Yarr::Interpreter::matchAssertionEOL): + + Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). 
rdar://107436732 + Canonical link: https://commits.webkit.org/264365@main +--- + ...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++ + .../runtime/StringPrototype.cpp | 10 ++++++ + .../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++-- + 3 files changed, 79 insertions(+), 2 deletions(-) + create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js + +diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js +new file mode 100644 +index 000000000000..25b1a70b81d2 +--- /dev/null ++++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js +@@ -0,0 +1,35 @@ ++// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter ++// and that we do advance in String.replace() when processing an empty match. ++ ++let expected = "|"; ++ ++for (let i = 0; i < 11; ++i) ++ expected += String.fromCodePoint(128512) + '|'; ++ ++let str = String.fromCodePoint(128512).repeat(11); ++ ++let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => { ++ return '|'; ++}); ++ ++ ++if (result1 !== expected) ++ print("FAILED: \"" + result1 + " !== " + expected + '"'); ++ ++let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => { ++ return '|'; ++}); ++ ++if (result2 !== expected) ++ print("FAILED: \"" + result2 + " !== " + expected + '"'); ++ ++expected = "|" + String.fromCodePoint(128512); ++ ++str = String.fromCodePoint(128512).repeat(1); ++ ++let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => { ++ return '|'; ++}); ++ ++if (result3 !== expected) ++ print("FAILED: \"" + result3 + " !== " + expected + '"'); +diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp +index 08104b1dbfa9..459295f728a7 100644 +--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp ++++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp +@@ -603,6 
+603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( + startPosition++; + if (startPosition > sourceLen) + break; ++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { ++ startPosition++; ++ if (startPosition > sourceLen) ++ break; ++ } + } + } + } else { +@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( + startPosition++; + if (startPosition > sourceLen) + break; ++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { ++ startPosition++; ++ if (startPosition > sourceLen) ++ break; ++ } + } + } while (global); + } +diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp +index 95a848a1a66d..b1a22b253866 100644 +--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp ++++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp +@@ -209,6 +209,38 @@ public: + } + return result; + } ++ ++ int readCheckedDontAdvance(unsigned negativePositionOffest) ++ { ++ RELEASE_ASSERT(pos >= negativePositionOffest); ++ unsigned p = pos - negativePositionOffest; ++ ASSERT(p < length); ++ int result = input[p]; ++ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { ++ if (atEnd()) ++ return -1; ++ ++ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); ++ } ++ return result; ++ } ++ ++ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro. ++ // We don't want any side effects like the next() in readChecked() above. 
++ int readForCharacterDump(unsigned negativePositionOffest) ++ { ++ RELEASE_ASSERT(pos >= negativePositionOffest); ++ unsigned p = pos - negativePositionOffest; ++ ASSERT(p < length); ++ int result = input[p]; ++ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { ++ if (atEnd()) ++ return -1; ++ ++ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); ++ } ++ return result; ++ } + + int readSurrogatePairChecked(unsigned negativePositionOffset) + { +@@ -482,13 +514,13 @@ public: + + bool matchAssertionBOL(ByteTerm& term) + { +- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1))); ++ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1))); + } + + bool matchAssertionEOL(ByteTerm& term) + { + if (term.inputPosition) +- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition))); ++ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition))); + + return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read())); + } +-- +2.40.1 + diff --git a/CVE-2023-32373.patch b/CVE-2023-32373.patch new file mode 100644 index 0000000..83d6bdd --- /dev/null +++ b/CVE-2023-32373.patch 
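Review bot: readCheckedDontAdvance and readForCharacterDump, both added in the YarrInterpreter.cpp part of this patch file, have byte-identical bodies, so the comment "We don't want any side effects like the next() in readChecked() above" now describes two copies of the same code and the dump helper could simply forward, `int readForCharacterDump(unsigned negativePositionOffest) { return readCheckedDontAdvance(negativePositionOffest); }`. The matchAssertionBOL/matchAssertionEOL hunks are the actual fix (no longer advancing past a surrogate pair inside an assertion) and read correctly on the new side. Since this file is a verbatim upstream cherry-pick (264365@main) carried as a distro patch, I would not diverge from it here; the duplication is a point for upstream. The enclosing InputStream class begins and ends outside the inner hunks.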
@@ -0,0 +1,36 @@ +From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001 +From: Antoine Quint +Date: Mon, 22 May 2023 13:37:32 -0700 +Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles + https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873 + +Reviewed by Dean Jackson and Darin Adler. + +Ensure that the animation's effect and target are kept alive for the duration of this method +since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus +these two pointers could be changed to a null value using the Web Animations API. + +* Source/WebCore/animation/WebAnimation.cpp: +(WebCore::WebAnimation::commitStyles): + +Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873 +Canonical link: https://commits.webkit.org/264363@main +--- + Source/WebCore/animation/WebAnimation.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp +index 68ea47985807..ae20c79c36cf 100644 +--- a/Source/WebCore/animation/WebAnimation.cpp ++++ b/Source/WebCore/animation/WebAnimation.cpp +@@ -1531,8 +1531,8 @@ ExceptionOr WebAnimation::commitStyles() + // https://drafts.csswg.org/web-animations-1/#commit-computed-styles + + // 1. Let targets be the set of all effect targets for animation effects associated with animation. +- auto* effect = dynamicDowncast(m_effect.get()); +- auto* target = effect ? effect->target() : nullptr; ++ RefPtr effect = dynamicDowncast(m_effect.get()); ++ RefPtr target = effect ? effect->target() : nullptr; + + // 2. For each target in targets: + // diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index d68a05f..bfa5b7a 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec 
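Review bot: The hunk pins `effect` and `target` with RefPtr only at their declaration; the commit message says updateStyleIfNeeded() can re-enter JavaScript, so any further raw pointers derived from m_effect or the target later in commitStyles() would need the same treatment. The rest of the method is outside this eight-line hunk, so treat this as a check to run on the full file rather than a finding. Separately, template arguments appear stripped in this rendering (`ExceptionOr WebAnimation::commitStyles()`, `dynamicDowncast(m_effect.get())`), presumably `ExceptionOr<void>` and a `dynamicDowncast<...>` with its type argument; apply the patch from the repository file, not from text copied out of this view.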
@@ -1,4 +1,3 @@ -%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -8,7 +7,7 @@ Name: webkit2gtk3 Version: 2.38.5 -Release: 1%{anolis_release}%{?dist}.3 +Release: 1%{?dist}.4 Summary: GTK Web content engine library License: LGPLv2 @@ -26,10 +25,12 @@ Patch0: evolution-shared-secondary-process.patch # https://bugs.webkit.org/show_bug.cgi?id=235367 Patch1: icu60.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2185741 -Patch2: CVE-2023-28205.patch - -Patch1000: 0001-webkitgtk-add-loongarch.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2209208 +Patch2: CVE-2023-28204.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2185745 +Patch3: CVE-2023-28205.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2209214 +Patch4: CVE-2023-32373.patch BuildRequires: bison BuildRequires: cmake @@ -279,8 +280,11 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog -* Wed May 17 2023 Liwei Ge - 2.38.5-1.0.1.3 -- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin) +* Thu May 25 2023 Michael Catanzaro - 2.38.5-1.4 +- Add patch for CVE-2023-28204 + Resolves: #2209744 +- Add patch for CVE-2023-32373 + Resolves: #2209727 * Fri Apr 14 2023 Michael Catanzaro - 2.38.5-1.3 - Restore libwpe and wpebackend-fdo dependencies -- Gitee From da53879f14d1e34a4539d0241dd682a3c2bb55e8 Mon Sep 17 00:00:00 2001 From: mahailiang Date: Wed, 22 Sep 2021 12:19:06 -0400 Subject: [PATCH 2/2] Sync loongsons patch webkitgtk-add-loongarch.patch --- 0001-webkitgtk-add-loongarch.patch | 11 +++++++++++ webkit2gtk3.spec | 8 +++++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 0001-webkitgtk-add-loongarch.patch 
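Review bot: The patch list is renumbered — CVE-2023-28205.patch moves from Patch2 to Patch3 while CVE-2023-28204.patch and CVE-2023-32373.patch become Patch2 and Patch4 — but no `%prep` change is part of the diff. If `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`, the renumbering would apply the wrong file as Patch2 and never apply Patch4, and the build would not complain; `%prep` is outside these hunks, so please confirm which form the spec uses. The tracking comments cite RHBZ 2209208 and 2209214 while the changelog `Resolves:` lines cite #2209744 and #2209727; if those are the CVE tracker versus the erratum bug, saying so in the comment would help, e.g. `# CVE-2023-28204 - OOB read in RegExpGlobalData::performMatch (https://bugzilla.redhat.com/show_bug.cgi?id=2209208)`. Dropping `%define anolis_release` and `Patch1000` in this commit is only sound because PATCH 2/2 restores them, so the two commits should land together.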
diff --git a/0001-webkitgtk-add-loongarch.patch b/0001-webkitgtk-add-loongarch.patch new file mode 100644 index 0000000..bcecd2d --- /dev/null +++ b/0001-webkitgtk-add-loongarch.patch @@ -0,0 +1,11 @@ +--- webkitgtk-2.28.4.orig/Source/WTF/wtf/dtoa/utils.h 2020-02-04 10:24:07.000000000 +0000 ++++ webkitgtk-2.28.4/Source/WTF/wtf/dtoa/utils.h 2021-01-20 05:38:56.527343750 +0000 +@@ -86,7 +86,7 @@ int main(int argc, char** argv) { + defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \ + defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ + defined(__sparc__) || defined(__sparc) || defined(__s390__) || \ +- defined(__SH4__) || defined(__alpha__) || \ ++ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \ + defined(_MIPS_ARCH_MIPS32R2) || \ + defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \ + defined(__riscv) || \ diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index bfa5b7a..07e1fd3 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 ## NOTE: Lots of files in various subdirectories have the same name (such as ## "LICENSE") so this short macro allows us to distinguish them by using their ## directory names (from the source tree) as prefixes for the files. @@ -7,7 +8,7 @@ Name: webkit2gtk3 Version: 2.38.5 -Release: 1%{?dist}.4 +Release: 1%{anolis_release}%{?dist}.4 Summary: GTK Web content engine library License: LGPLv2 @@ -32,6 +33,8 @@ Patch3: CVE-2023-28205.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2209214 Patch4: CVE-2023-32373.patch +Patch1000: 0001-webkitgtk-add-loongarch.patch + BuildRequires: bison BuildRequires: cmake BuildRequires: flex 
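Review bot: The re-added patch is written against `webkitgtk-2.28.4` (its `---`/`+++` paths and 2020/2021 timestamps) while this package is 2.38.5, and its hunk header carries a stray `int main(int argc, char** argv) {` context that does not describe the preprocessor block being edited. The previous release apparently built with it, so it presumably still applies to `Source/WTF/wtf/dtoa/utils.h` with `-p1`, but a patch regenerated against 2.38.5 would remove the doubt and the misleading header. The change itself only adds `defined(__loongarch64)` to the supported-architecture list in the dtoa check.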
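Review bot: `Patch1000:` is declared without the origin comment every other patch in the list carries, and nothing in the spec says what the file changes; I would add `# LoongArch: add __loongarch64 to the supported-architecture check in Source/WTF/wtf/dtoa/utils.h` above it. The same `%prep` question as for the Patch2–Patch4 renumbering applies here: with explicit `%patchN` lines a `%patch1000 -p1` entry is needed and is not in these hunks, whereas `%autosetup` picks it up automatically. The `%define anolis_release .0.1` line restored at the top is consumed by the `Release:` change in the second hunk and matches the `2.38.5-1.0.1.4` changelog entry, so those three hunks are consistent with each other.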
@@ -280,6 +283,9 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog +* Mon Jun 05 2023 Liwei Ge - 2.38.5-1.0.1.4 +- Sync loongsons patch webkitgtk-add-loongarch.patch (XueZhixin) + * Thu May 25 2023 Michael Catanzaro - 2.38.5-1.4 - Add patch for CVE-2023-28204 Resolves: #2209744 -- Gitee