[oe-core,kirkstone,1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518

Message ID	20230602084813.270697-1-yogita.urade@windriver.com
State	New
Headers	show Return-Path: <Yogita.Urade@windriver.com> ip: 205.220.166.238, mailfrom: prvs=55178882b4=yogita.urade@windriver.com) From: Yogita Urade <yogita.urade@windriver.com> To: <openembedded-devel@lists.openembedded.org> CC: <hari.gpillai@windriver.com>, <yogita.urade@windriver.com> Subject: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518 Date: Fri, 2 Jun 2023 08:48:13 +0000 Message-ID: <20230602084813.270697-1-yogita.urade@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[oe-core,kirkstone,1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518 \| expand [oe-core,kirkstone,1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch new file mode 100644 index 0000000000..f4116f55cd --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch @@ -0,0 +1,131 @@ +From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001 +From: Youenn Fablet <youennf@gmail.com> +Date: Mon, 28 Nov 2022 00:43:35 -0800 +Subject: [PATCH] Type getter is not needed for internal ReadableStream sources + https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913 + +Reviewed by Eric Carlson. + +Make ReadableStreamSource method privates. +In ReadableStream, use @getters instead of private getters to allow getting private values from prototype. +Covered by added test. + +* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added. +* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added. +* Source/WebCore/Modules/streams/ReadableStream.js: +(initializeReadableStream): +* Source/WebCore/Modules/streams/ReadableStreamSource.idl: +* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h: +(WebCore::IDLOperationReturningPromise::call): + +Canonical link: https://commits.webkit.org/257063@main + +CVE: CVE-2023-23517 CVE-2023-23518 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + .../fetch/fetch-stream-source-expected.txt | 3 +++ + .../http/wpt/fetch/fetch-stream-source.html | 24 +++++++++++++++++++ + .../WebCore/Modules/streams/ReadableStream.js | 4 ++-- + .../Modules/streams/ReadableStreamSource.idl | 8 +++---- + .../js/JSDOMOperationReturningPromise.h | 4 +++- + 5 files changed, 36 insertions(+), 7 deletions(-) + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt + create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html + +diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt +new file mode 100644 +index 000000000000..856ea8180ca2 +--- /dev/null ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt +@@ -0,0 +1,3 @@ ++ ++PASS Only JS streams should check type ++ +diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html b/LayoutTests/http/wpt/fetch/fetch-stream-source.html +new file mode 100644 +index 000000000000..fbebfa5e524f +--- /dev/null ++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html +@@ -0,0 +1,24 @@ ++<!doctype html> ++<html> ++ <head> ++ <meta charset="utf-8"> ++ <title>Fetch and source</title> ++ <script src="/resources/testharness.js"></script> ++ <script src="/resources/testharnessreport.js"></script> ++ </head> ++ <body> ++ <script> ++promise_test(async () => { ++ let counter = 0; ++ Object.prototype.__defineGetter__("type", function() { ++ counter++; ++ }); ++ ++ const response = await fetch('/'); ++ const fetchReadableStream = response.body; ++ const [r1, r2] = fetchReadableStream.tee(); ++ assert_equals(counter, 0); ++}, "Only JS streams should check type"); ++ </script> ++ </body> ++</html> +diff --git a/Source/WebCore/Modules/streams/ReadableStream.js b/Source/WebCore/Modules/streams/ReadableStream.js +index ddef56ecd460..7f0def325d84 100644 +--- a/Source/WebCore/Modules/streams/ReadableStream.js ++++ b/Source/WebCore/Modules/streams/ReadableStream.js +@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, strategy) + + // FIXME: We should introduce https://streams.spec.whatwg.org/#create-readable-stream. + // For now, we emulate this with underlyingSource with private properties. +- if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) { ++ if (underlyingSource.@pull !== @undefined) { + const size = @getByIdDirectPrivate(strategy, "size"); + const highWaterMark = @getByIdDirectPrivate(strategy, "highWaterMark"); +- @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), @getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, "cancel")); ++ @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? highWaterMark : 1, underlyingSource.@start, underlyingSource.@pull, underlyingSource.@cancel); + return this; + } + +diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl b/Source/WebCore/Modules/streams/ReadableStreamSource.idl +index cce9ea37ce80..ae7f1403b8ac 100644 +--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl ++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl +@@ -30,10 +30,10 @@ + LegacyNoInterfaceObject, + SkipVTableValidation + ] interface ReadableStreamSource { +- [Custom] Promise<undefined> start(ReadableStreamDefaultController controller); +- [Custom] Promise<undefined> pull(ReadableStreamDefaultController controller); +- undefined cancel(any reason); ++ [Custom, PrivateIdentifier] Promise<undefined> start(ReadableStreamDefaultController controller); ++ [Custom, PrivateIdentifier] Promise<undefined> pull(ReadableStreamDefaultController controller); ++ [PrivateIdentifier] undefined cancel(any reason); + + // Place holder to keep the controller linked to the source. +- [CachedAttribute, CustomGetter] readonly attribute any controller; ++ [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any controller; + }; +diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h +index c4d1513ad5c4..1dda9d3834f7 100644 +--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h ++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h +@@ -43,8 +43,10 @@ public: + if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) { + if (UNLIKELY(!thisObject)) + return rejectPromiseWithThisTypeError(promise.get(), JSClass::info()->className, operationName); +- } else ++ } else { ++ UNUSED_PARAM(operationName); + ASSERT(thisObject); ++ } + + ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info()); + +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 1dac4f5677..e340c3b19d 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb @@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \ file://CVE-2022-32888.patch \ file://CVE-2022-32923.patch \ + file://CVE-2023-23517-CVE-2023-23518.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

[oe-core,kirkstone,1/1] webkitgtk: fix CVE-2023-23517, CVE-2023-23518

Commit Message

Comments

Patch