diff --git a/SOURCES/CVE-2023-28204.patch b/SOURCES/CVE-2023-28204.patch new file mode 100644 index 0000000..cc19fd0 --- /dev/null +++ b/SOURCES/CVE-2023-28204.patch @@ -0,0 +1,167 @@ +From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001 +From: Michael Saboff +Date: Mon, 22 May 2023 13:40:46 -0700 +Subject: [PATCH] Cherry-pick 264365@main (698c6e293734). + https://bugs.webkit.org/show_bug.cgi?id=254930 + + [JSC] RegExpGlobalData::performMatch issue leading to OOB read + https://bugs.webkit.org/show_bug.cgi?id=254930 + rdar://107436732 + + Reviewed by Alexey Shvayka. + + Fixed two issues: + 1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP + characters. Since it is an assertion, we shouldn't advance the character position. + Made the same fix to matchAssertionEOL(). + 2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of + a non-BMP character for the case where the RegExp match is empty. + + * JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test. + * Source/JavaScriptCore/runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + * Source/JavaScriptCore/yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance): + (JSC::Yarr::Interpreter::matchAssertionBOL): + (JSC::Yarr::Interpreter::matchAssertionEOL): + + Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732 + Canonical link: https://commits.webkit.org/264365@main +--- + ...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++ + .../runtime/StringPrototype.cpp | 10 ++++++ + .../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++-- + 3 files changed, 79 insertions(+), 2 deletions(-) + create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js + +diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js +new file mode 100644 +index 000000000000..25b1a70b81d2 +--- /dev/null ++++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js +@@ -0,0 +1,35 @@ ++// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter ++// and that we do advance in String.replace() when processing an empty match. ++ ++let expected = "|"; ++ ++for (let i = 0; i < 11; ++i) ++ expected += String.fromCodePoint(128512) + '|'; ++ ++let str = String.fromCodePoint(128512).repeat(11); ++ ++let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => { ++ return '|'; ++}); ++ ++ ++if (result1 !== expected) ++ print("FAILED: \"" + result1 + " !== " + expected + '"'); ++ ++let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => { ++ return '|'; ++}); ++ ++if (result2 !== expected) ++ print("FAILED: \"" + result2 + " !== " + expected + '"'); ++ ++expected = "|" + String.fromCodePoint(128512); ++ ++str = String.fromCodePoint(128512).repeat(1); ++ ++let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => { ++ return '|'; ++}); ++ ++if (result3 !== expected) ++ print("FAILED: \"" + result3 + " !== " + expected + '"'); +diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp +index 08104b1dbfa9..459295f728a7 100644 +--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp ++++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp +@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( + startPosition++; + if (startPosition > sourceLen) + break; ++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { ++ startPosition++; ++ if (startPosition > sourceLen) ++ break; ++ } + } + } + } else { +@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( + startPosition++; + if (startPosition > sourceLen) + break; ++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { ++ startPosition++; ++ if (startPosition > sourceLen) ++ break; ++ } + } + } while (global); + } +diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp +index 95a848a1a66d..b1a22b253866 100644 +--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp ++++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp +@@ -209,6 +209,38 @@ public: + } + return result; + } ++ ++ int readCheckedDontAdvance(unsigned negativePositionOffest) ++ { ++ RELEASE_ASSERT(pos >= negativePositionOffest); ++ unsigned p = pos - negativePositionOffest; ++ ASSERT(p < length); ++ int result = input[p]; ++ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { ++ if (atEnd()) ++ return -1; ++ ++ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); ++ } ++ return result; ++ } ++ ++ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro. ++ // We don't want any side effects like the next() in readChecked() above. ++ int readForCharacterDump(unsigned negativePositionOffest) ++ { ++ RELEASE_ASSERT(pos >= negativePositionOffest); ++ unsigned p = pos - negativePositionOffest; ++ ASSERT(p < length); ++ int result = input[p]; ++ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { ++ if (atEnd()) ++ return -1; ++ ++ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); ++ } ++ return result; ++ } + + int readSurrogatePairChecked(unsigned negativePositionOffset) + { +@@ -482,13 +514,13 @@ public: + + bool matchAssertionBOL(ByteTerm& term) + { +- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1))); ++ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1))); + } + + bool matchAssertionEOL(ByteTerm& term) + { + if (term.inputPosition) +- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition))); ++ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition))); + + return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read())); + } +-- +2.40.1 + diff --git a/SOURCES/CVE-2023-32373.patch b/SOURCES/CVE-2023-32373.patch new file mode 100644 index 0000000..83d6bdd --- /dev/null +++ b/SOURCES/CVE-2023-32373.patch @@ -0,0 +1,36 @@ +From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001 +From: Antoine Quint +Date: Mon, 22 May 2023 13:37:32 -0700 +Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles + https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873 + +Reviewed by Dean Jackson and Darin Adler. + +Ensure that the animation's effect and target are kept alive for the duration of this method +since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus +these two pointers could be changed to a null value using the Web Animations API. + +* Source/WebCore/animation/WebAnimation.cpp: +(WebCore::WebAnimation::commitStyles): + +Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873 +Canonical link: https://commits.webkit.org/264363@main +--- + Source/WebCore/animation/WebAnimation.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp +index 68ea47985807..ae20c79c36cf 100644 +--- a/Source/WebCore/animation/WebAnimation.cpp ++++ b/Source/WebCore/animation/WebAnimation.cpp +@@ -1531,8 +1531,8 @@ ExceptionOr WebAnimation::commitStyles() + // https://drafts.csswg.org/web-animations-1/#commit-computed-styles + + // 1. Let targets be the set of all effect targets for animation effects associated with animation. +- auto* effect = dynamicDowncast(m_effect.get()); +- auto* target = effect ? effect->target() : nullptr; ++ RefPtr effect = dynamicDowncast(m_effect.get()); ++ RefPtr target = effect ? effect->target() : nullptr; + + // 2. For each target in targets: + // diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec index 3388b74..5a0152c 100644 --- a/SPECS/webkit2gtk3.spec +++ b/SPECS/webkit2gtk3.spec @@ -12,7 +12,7 @@ Name: webkit2gtk3 Version: 2.38.5 -Release: 1%{?dist}.1 +Release: 1%{?dist}.2 Summary: GTK Web content engine library License: LGPLv2 @@ -24,8 +24,12 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg Source2: webkitgtk-keys.gpg +# https://bugzilla.redhat.com/show_bug.cgi?id=2209208 +Patch0: CVE-2023-28204.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2185745 -Patch0: CVE-2023-28205.patch +Patch1: CVE-2023-28205.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2209214 +Patch2: CVE-2023-32373.patch BuildRequires: bison BuildRequires: bubblewrap @@ -290,6 +294,12 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog +* Thu May 25 2023 Michael Catanzaro - 2.38.5-1.2 +- Add patch for CVE-2023-28204 + Resolves: #2209747 +- Add patch for CVE-2023-32373 + Resolves: #2209730 + * Tue Apr 11 2023 Michael Catanzaro - 2.38.5-1.1 - Add patch for CVE-2023-28205 Resolves: #2185745