[pkgsrc/trunk]: pkgsrc/lang/spidermonkey52 spidermonkey52: backport patch for...

[maya <maya%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/c29d479a785a
branches:  trunk
changeset: 313593:c29d479a785a
user:      maya <maya%pkgsrc.org@localhost>
date:      Wed Oct 03 18:58:22 2018 +0000

description:
spidermonkey52: backport patch for CVE-2018-12387

Don't inline push with more than 1 argument

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory 
address to the calling function which can be used as part of an exploit inside the sandboxed content process.

Bump PKGREVISION

diffstat:

 lang/spidermonkey52/Makefile                     |   4 +-
 lang/spidermonkey52/distinfo                     |   3 +-
 lang/spidermonkey52/patches/patch-CVE-2018-12387 |  25 ++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)

diffs (57 lines):

diff -r 203a2663225d -r c29d479a785a lang/spidermonkey52/Makefile
--- a/lang/spidermonkey52/Makefile      Wed Oct 03 17:31:07 2018 +0000
+++ b/lang/spidermonkey52/Makefile      Wed Oct 03 18:58:22 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2018/08/22 09:45:22 wiz Exp $
+# $NetBSD: Makefile,v 1.10 2018/10/03 18:58:22 maya Exp $
 
 DISTNAME=      mozjs-52.7.4
-PKGREVISION=   4
+PKGREVISION=   5
 PKGNAME=       ${DISTNAME:S/mozjs/spidermonkey52/}
 CATEGORIES=    lang
 MASTER_SITES=  https://queue.taskcluster.net/v1/task/YqG2fjJJSTGzGX090FjDYg/runs/0/artifacts/public/build/
diff -r 203a2663225d -r c29d479a785a lang/spidermonkey52/distinfo
--- a/lang/spidermonkey52/distinfo      Wed Oct 03 17:31:07 2018 +0000
+++ b/lang/spidermonkey52/distinfo      Wed Oct 03 18:58:22 2018 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.4 2018/05/19 12:38:28 youri Exp $
+$NetBSD: distinfo,v 1.5 2018/10/03 18:58:22 maya Exp $
 
 SHA1 (mozjs-52.7.4.tar.bz2) = ff009853040bb46017204fda4ed69a79484fd321
 RMD160 (mozjs-52.7.4.tar.bz2) = 71ee71c2444d8b6a1b2b3c744c9f52a2b7129879
 SHA512 (mozjs-52.7.4.tar.bz2) = 7381f251ca9a4983d181eee2198f89b30505a0de636020e52c0c5b174f4d5cd19ca851222b6d8013bb657f2f1ce1ffcb54816eb928e481be2c9242f918d0125e
 Size (mozjs-52.7.4.tar.bz2) = 30494311 bytes
+SHA1 (patch-CVE-2018-12387) = a0e3198e1009db01bb5a39220764e7dcdfd52591
 SHA1 (patch-build_moz.configure_init.configure) = 63ed71d4269e8fbf990f44eecadca796991d5c1f
 SHA1 (patch-config_gcc__hidden.h) = c2042035288e01601b6c240fb08c8a1f598b9dfd
 SHA1 (patch-intl_icu_source_configure) = 1ff1be8ca68566e153219e15b8db696afd08b746
diff -r 203a2663225d -r c29d479a785a lang/spidermonkey52/patches/patch-CVE-2018-12387
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/spidermonkey52/patches/patch-CVE-2018-12387  Wed Oct 03 18:58:22 2018 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $
+
+From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij%mozilla.com@localhost>
+Date: Tue, 25 Sep 2018 12:33:42 +0200
+Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument.
+ r=tcampbell
+
+CVE-2018-12387
+
+--- js/src/jit/MCallOptimize.cpp.orig  2018-04-28 01:04:03.000000000 +0000
++++ js/src/jit/MCallOptimize.cpp
+@@ -818,6 +818,12 @@ IonBuilder::inlineArraySlice(CallInfo& c
+         return InliningStatus_NotInlined;
+     }
+ 
++    // XXX bug 1493903.
++    if (callInfo.argc() != 1) {
++        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
++        return InliningStatus_NotInlined;
++    }
++
+     MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
+ 
+     // Ensure |this| and result are objects.