From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Adrian Perez de Castro <aperez@igalia.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/2] package/wpewebkit: security bump to version 2.42.5
Date: Wed, 21 Feb 2024 18:20:50 +0100
Message-ID: <ZdYw8pl7diVV4b80@landeda>
In-Reply-To: <20240212143222.1555220-2-aperez@igalia.com>

Adrian, All,

On 2024-02-12 16:32 +0200, Adrian Perez de Castro spake thusly:
> Fixes the following security issues:
>
> https://wpewebkit.org/security/WSA-2024-0001.html
>
> - CVE-2024-23222: Processing maliciously crafted web content may lead to
>   arbitrary code execution. Apple is aware of a report that this issue
>   may have been exploited. Description: A type confusion issue was
>   addressed with improved checks.
>
> - CVE-2024-23206: A maliciously crafted webpage may be able to
>   fingerprint the user. Description: An access issue was addressed with
>   improved access restrictions.
>
> - CVE-2024-23213: Processing web content may lead to arbitrary code
>   execution. Description: The issue was addressed with improved memory
>   handling.
>
> Add an upstream post-2.42.5 patch to fix an issue with an invalid
> backport causing a build issue.
>
> Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
> ...velInterpreter.cpp-339-21-error-t6-w.patch | 39 +++++++++++++++++++
> package/wpewebkit/wpewebkit.hash | 6 +--
> package/wpewebkit/wpewebkit.mk | 3 +-
> 3 files changed, 44 insertions(+), 4 deletions(-)
> create mode 100644 package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
>
> diff --git a/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch b/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
> new file mode 100644
> index 0000000000..a15d9e647f
> --- /dev/null
> +++ b/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
> @@ -0,0 +1,39 @@
> +From 3d5373575695b293b8559155431d0079a6153aff Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@redhat.com>
> +Date: Mon, 5 Feb 2024 11:00:49 -0600
> +Subject: [PATCH] =?UTF-8?q?[GTK]=20[2.42.5]=20LowLevelInterpreter.cpp:339:?=
> + =?UTF-8?q?21:=20error:=20=E2=80=98t6=E2=80=99=20was=20not=20declared=20in?=
> + =?UTF-8?q?=20this=20scope=20https://bugs.webkit.org/show=5Fbug.cgi=3Fid?=
> + =?UTF-8?q?=3D268739?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Unreviewed build fix. Seems a backport went badly, and we didn't notice
> +because the code is architecture-specific.
> +
> +* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
> +(JSC::CLoop::execute):
> +
> +Upstream: https://github.com/WebKit/WebKit/commit/3d5373575695b293b8559155431d0079a6153aff
> +Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> +---
> + Source/JavaScriptCore/llint/LowLevelInterpreter.cpp | 2 --
> + 1 file changed, 2 deletions(-)
> +
> +diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> +index 5064ead6cd2e..9a2e2653b121 100644
> +--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> ++++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> +@@ -336,8 +336,6 @@ JSValue CLoop::execute(OpcodeID entryOpcodeID, void* executableAddress, VM* vm,
> + UNUSED_VARIABLE(t2);
> + UNUSED_VARIABLE(t3);
> + UNUSED_VARIABLE(t5);
> +- UNUSED_VARIABLE(t6);
> +- UNUSED_VARIABLE(t7);
> +
> + struct StackPointerScope {
> + StackPointerScope(CLoopStack& stack)
> +--
> +2.43.1
> +
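
Review bot: The embedded commit message only says the failure is "architecture-specific", and the removed `UNUSED_VARIABLE(t6);` / `UNUSED_VARIABLE(t7);` lines sit in `CLoop::execute`, so nothing here tells a Buildroot user which target configurations actually hit the "t6 was not declared in this scope" error. Since this patch rides along with a security bump, please name the affected configuration in the Buildroot commit message, and note there that the file is a post-2.42.5 upstream commit to be dropped at the next version bump.
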
> diff --git a/package/wpewebkit/wpewebkit.hash b/package/wpewebkit/wpewebkit.hash
> index 322e494c36..71e41bb1dd 100644
> --- a/package/wpewebkit/wpewebkit.hash
> +++ b/package/wpewebkit/wpewebkit.hash
> @@ -1,6 +1,6 @@
> -# From https://wpewebkit.org/releases/wpewebkit-2.42.4.tar.xz.sums
> -sha1 34da38e9554586154c83fdbb5c20e353b6d97277 wpewebkit-2.42.4.tar.xz
> -sha256 8836040a3687581970b47a232b713e7023c080d5613427f52db619c29fb253a4 wpewebkit-2.42.4.tar.xz
> +# From https://wpewebkit.org/releases/wpewebkit-2.42.5.tar.xz.sums
> +sha1 50a18f43452520e9f34f84c04bc0166af655ffff wpewebkit-2.42.5.tar.xz
> +sha256 4dbab6c5e6dc0c65a3d7dffc1c2390be5f9abd423faf983fe3a55fe081df0532 wpewebkit-2.42.5.tar.xz
>
> # Hashes for license files:
> sha256 0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4 Source/WebCore/LICENSE-APPLE
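
Review bot: The comment above the new `sha1`/`sha256` lines cites `https://wpewebkit.org/releases/wpewebkit-2.42.5.tar.xz.sums`, which lives in the same wpewebkit.org/releases directory that `WPEWEBKIT_SITE` points at, so these hashes pin the tarball against later change but do not independently confirm its origin. If upstream publishes a detached signature for the release, verify it and say so in the comment, since this is a security bump.
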
> diff --git a/package/wpewebkit/wpewebkit.mk b/package/wpewebkit/wpewebkit.mk
> index e54ec2952f..60a45b13b1 100644
> --- a/package/wpewebkit/wpewebkit.mk
> +++ b/package/wpewebkit/wpewebkit.mk
> @@ -4,7 +4,8 @@
> #
> ################################################################################
>
> -WPEWEBKIT_VERSION = 2.42.4
> +# The middle number is even for stable releases, odd for development ones.
> +WPEWEBKIT_VERSION = 2.42.5
> WPEWEBKIT_SITE = https://wpewebkit.org/releases
> WPEWEBKIT_SOURCE = wpewebkit-$(WPEWEBKIT_VERSION).tar.xz
> WPEWEBKIT_INSTALL_STAGING = YES
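
Review bot: The comment line added above `WPEWEBKIT_VERSION` ("The middle number is even for stable releases, odd for development ones.") is unrelated to the 2.42.4 to 2.42.5 bump and is not mentioned in the commit message. Either mention it there or send it as a separate patch, so the security bump stays minimal and easy to backport to stable branches.
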
> --
> 2.43.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'