pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2018Q4]: pkgsrc/www/webkit-gtk Pullup ticket #5916 - requested...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/41c04f76cb33
branches:  pkgsrc-2018Q4
changeset: 408327:41c04f76cb33
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Wed Mar 06 13:43:24 2019 +0000

description:
Pullup ticket #5916 - requested by maya
www/webkit-gtk: security fix (remote code execution)

Revisions pulled up:
- www/webkit-gtk/Makefile                                       1.156-1.157
- www/webkit-gtk/PLIST                                          1.46
- www/webkit-gtk/distinfo                                       1.115-1.116
- www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp 1.1

---
   Module Name:    pkgsrc
   Committed By:   leot
   Date:           Sat Feb  9 11:29:45 UTC 2019

   Modified Files:
           pkgsrc/www/webkit-gtk: Makefile PLIST distinfo

   Log Message:
   webkit-gtk: Update to 2.22.6

   pkgsrc changes:
    - Set USE_GCC_RUNTIME to depends on gcc6-libs when pkgsrc gcc is used
      (XXX: Not tested and not clear if currently mk/compiler/gcc.mk DTRT
       XXX: regarding (if not, that's probably why firefox/mozilla-common.mk
       XXX: abuses USE_PKGSRC_GCC_RUNTIME!))

   Changes:
   WebKitGTK+ 2.22.6
   =================
    - Make kinetic scrolling slow down smoothly when reaching the ends of
      pages, instead of abruptly, to better match the GTK+ behaviour.
    - Fix Web inspector magnifier under Wayland.
    - Fix garbled rendering of some websites (e.g. YouTube) while scrolling
      under X11.
    - Fix several crashes, race conditions, and rendering issues.

---
   Module Name: pkgsrc
   Committed By:        maya
   Date:                Thu Feb 21 18:52:15 UTC 2019

   Modified Files:
        pkgsrc/www/webkit-gtk: Makefile distinfo
   Added Files:
        pkgsrc/www/webkit-gtk/patches:
            patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp

   Log Message:
   webkit-gtk: backport upstream patch. security fix.

   Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
    and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
    <rdar://problem/48183773>

   Reviewed by Yusuke Suzuki.

   Fix doesGC() for the following nodes:

       CompareEq:
       CompareLess:
       CompareLessEq:
       CompareGreater:
       CompareGreaterEq:
       CompareStrictEq:
           Only return false (i.e. does not GC) for child node use kinds that have
           been vetted to not do anything that can GC.  For all other use kinds
           (including StringUse and BigIntUse), we return true (i.e. does GC).

   * dfg/DFGDoesGC.cpp:
   (JSC::DFG::doesGC):

   This was published alongside with exploit code claiming it is remote
   code execution, but I don't understand what the exploit is doing.

   bump PKGREVISION

diffstat:

 www/webkit-gtk/Makefile                                              |   9 +-
 www/webkit-gtk/PLIST                                                 |   6 +-
 www/webkit-gtk/distinfo                                              |  11 +-
 www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp |  96 ++++++++++
 4 files changed, 110 insertions(+), 12 deletions(-)

diffs (170 lines):

diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/Makefile
--- a/www/webkit-gtk/Makefile   Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/Makefile   Wed Mar 06 13:43:24 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.155 2018/12/14 15:51:13 leot Exp $
+# $NetBSD: Makefile,v 1.155.2.1 2019/03/06 13:43:24 bsiegert Exp $
 
-DISTNAME=      webkitgtk-2.22.5
+DISTNAME=      webkitgtk-2.22.6
+PKGREVISION=   1
 PKGNAME=       ${DISTNAME:S/webkitgtk/webkit-gtk/}
-PKGREVISION=   1
 CATEGORIES=    www
 MASTER_SITES=  https://www.webkitgtk.org/releases/
 EXTRACT_SUFX=  .tar.xz
@@ -24,7 +24,8 @@
 # Enabling -gdwarf-2 hits GNU ar limits on file size.
 CTF_SUPPORTED= no
 
-GCC_REQD+=     6
+GCC_REQD+=             6
+USE_GCC_RUNTIME=       yes
 
 # Using ld.gold subverts Pkgsrc wrappers, and this package also crashes buggy
 # versions of ld.gold.
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/PLIST
--- a/www/webkit-gtk/PLIST      Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/PLIST      Wed Mar 06 13:43:24 2019 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.45 2018/12/13 22:50:27 leot Exp $
+@comment $NetBSD: PLIST,v 1.45.2.1 2019/03/06 13:43:24 bsiegert Exp $
 bin/WebKitWebDriver
 include/webkitgtk-4.0/JavaScriptCore/JSBase.h
 include/webkitgtk-4.0/JavaScriptCore/JSContextRef.h
@@ -208,10 +208,10 @@
 ${PLIST.introspection}lib/girepository-1.0/WebKit2WebExtension-4.0.typelib
 lib/libjavascriptcoregtk-4.0.so
 lib/libjavascriptcoregtk-4.0.so.18
-lib/libjavascriptcoregtk-4.0.so.18.11.6
+lib/libjavascriptcoregtk-4.0.so.18.11.7
 lib/libwebkit2gtk-4.0.so
 lib/libwebkit2gtk-4.0.so.37
-lib/libwebkit2gtk-4.0.so.37.33.6
+lib/libwebkit2gtk-4.0.so.37.33.7
 lib/pkgconfig/javascriptcoregtk-4.0.pc
 lib/pkgconfig/webkit2gtk-4.0.pc
 lib/pkgconfig/webkit2gtk-web-extension-4.0.pc
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/distinfo
--- a/www/webkit-gtk/distinfo   Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/distinfo   Wed Mar 06 13:43:24 2019 +0000
@@ -1,13 +1,14 @@
-$NetBSD: distinfo,v 1.114 2018/12/23 22:23:09 roy Exp $
+$NetBSD: distinfo,v 1.114.2.1 2019/03/06 13:43:24 bsiegert Exp $
 
-SHA1 (webkitgtk-2.22.5.tar.xz) = 809b067a1672a81a4ce31363a0872c668cc72953
-RMD160 (webkitgtk-2.22.5.tar.xz) = 6f251088424cfb2fc082a5625ba9f71fbc686759
-SHA512 (webkitgtk-2.22.5.tar.xz) = fcea9fab3d71869cc10e322b1b63864a9594624f6aa3e29efd8b47e5ca639145f8c2cdb299ecb51eadf3ac1238dac06b4b7ebe94969b2f61a21cea8b609007bc
-Size (webkitgtk-2.22.5.tar.xz) = 16774560 bytes
+SHA1 (webkitgtk-2.22.6.tar.xz) = 26a8f8951da03aa4dfc2c25257b6899ea3c2558f
+RMD160 (webkitgtk-2.22.6.tar.xz) = 4ddd00a0eed1e8122a71e070f1f6f5f49f59ca75
+SHA512 (webkitgtk-2.22.6.tar.xz) = 18f4a4c145b524bebf1eaae58057e1e6cb74ba5a162c5195f072ba25c4399e7749c74fe6f8e9351bb9f2630a2c43f59935943e5bb318a5c4977f727a68602709
+Size (webkitgtk-2.22.6.tar.xz) = 16773696 bytes
 SHA1 (patch-CMakeLists.txt) = 93466370f447c6be9008512aa1fc2dc0bd2b843b
 SHA1 (patch-Source_JavaScriptCore_assembler_ARM64Assembler.h) = a41e02c7a1f9bfb91a2af36ec0410e1bf2b9a745
 SHA1 (patch-Source_JavaScriptCore_assembler_ARMAssembler.h) = bae08310572c2e23c69cbf6aa9760a67345dcfe3
 SHA1 (patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp) = ab75ef8714e5071fcd094735717a2f5d0321c747
+SHA1 (patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp) = 802d83a69975d0754dfb6198488aacc7e3f04d83
 SHA1 (patch-Source_JavaScriptCore_heap_MarkedSpace.cpp) = e6a23d5ef22bddd0a9606fb0e472960e4cf5673e
 SHA1 (patch-Source_JavaScriptCore_jit_ExecutableAllocator.cpp) = 36d29a5db03c2413ae93224ac391f3ff248983e8
 SHA1 (patch-Source_JavaScriptCore_offlineasm_arm64.rb) = 784baf6f3baba2986fbcb7aa10e7abed8f8c6336
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp      Wed Mar 06 13:43:24 2019 +0000
@@ -0,0 +1,96 @@
+$NetBSD: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp,v 1.2.2.2 2019/03/06 13:43:24 bsiegert Exp $
+
+Fix remote code execution in JavaScript. From upstream commit:
+
+From d51ece4028133113e9e5d0f2576ad23489801ddc Mon Sep 17 00:00:00 2001
+From: "mark.lam%apple.com@localhost"
+ <mark.lam%apple.com@localhost@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Tue, 19 Feb 2019 02:32:10 +0000
+Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
+ and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
+ <rdar://problem/48183773>
+
+Reviewed by Yusuke Suzuki.
+
+Fix doesGC() for the following nodes:
+
+    CompareEq:
+    CompareLess:
+    CompareLessEq:
+    CompareGreater:
+    CompareGreaterEq:
+    CompareStrictEq:
+        Only return false (i.e. does not GC) for child node use kinds that have
+        been vetted to not do anything that can GC.  For all other use kinds
+        (including StringUse and BigIntUse), we return true (i.e. does GC).
+
+* dfg/DFGDoesGC.cpp:
+(JSC::DFG::doesGC):
+
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@241753 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp.orig       2019-02-08 16:17:00.000000000 +0000
++++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+@@ -146,14 +146,8 @@ bool doesGC(Graph& graph, Node* node)
+     case RegExpTest:
+     case RegExpMatchFast:
+     case RegExpMatchFastGlobal:
+-    case CompareLess:
+-    case CompareLessEq:
+-    case CompareGreater:
+-    case CompareGreaterEq:
+     case CompareBelow:
+     case CompareBelowEq:
+-    case CompareEq:
+-    case CompareStrictEq:
+     case CompareEqPtr:
+     case SameValue:
+     case Call:
+@@ -374,6 +368,46 @@ bool doesGC(Graph& graph, Node* node)
+     case MapSet:
+         return true;
+ 
++    case CompareEq:
++    case CompareLess:
++    case CompareLessEq:
++    case CompareGreater:
++    case CompareGreaterEq:
++        if (node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++            || node->isBinaryUseKind(Int52RepUse)
++#endif
++            || node->isBinaryUseKind(DoubleRepUse)
++            || node->isBinaryUseKind(StringIdentUse)
++            )
++            return false;
++        if (node->op() == CompareEq) {
++            if (node->isBinaryUseKind(BooleanUse)
++                || node->isBinaryUseKind(SymbolUse)
++                || node->isBinaryUseKind(ObjectUse)
++                || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
++                return false;
++        }
++        return true;
++
++    case CompareStrictEq:
++        if (node->isBinaryUseKind(BooleanUse)
++            || node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++            || node->isBinaryUseKind(Int52RepUse)
++#endif
++            || node->isBinaryUseKind(DoubleRepUse)
++            || node->isBinaryUseKind(SymbolUse)
++            || node->isBinaryUseKind(SymbolUse, UntypedUse)
++            || node->isBinaryUseKind(UntypedUse, SymbolUse)
++            || node->isBinaryUseKind(StringIdentUse)
++            || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
++            || node->isBinaryUseKind(ObjectUse)
++            || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
++            || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse))
++            return false;
++        return true;
++
+     case GetIndexedPropertyStorage:
+         if (node->arrayMode().type() == Array::String)
+             return true;



Home | Main Index | Thread Index | Old Index