pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2018Q4]: pkgsrc/www/webkit-gtk Pullup ticket #5916 - requested...
details: https://anonhg.NetBSD.org/pkgsrc/rev/41c04f76cb33
branches: pkgsrc-2018Q4
changeset: 408327:41c04f76cb33
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Wed Mar 06 13:43:24 2019 +0000
description:
Pullup ticket #5916 - requested by maya
www/webkit-gtk: security fix (remote code execution)
Revisions pulled up:
- www/webkit-gtk/Makefile 1.156-1.157
- www/webkit-gtk/PLIST 1.46
- www/webkit-gtk/distinfo 1.115-1.116
- www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp 1.1
---
Module Name: pkgsrc
Committed By: leot
Date: Sat Feb 9 11:29:45 UTC 2019
Modified Files:
pkgsrc/www/webkit-gtk: Makefile PLIST distinfo
Log Message:
webkit-gtk: Update to 2.22.6
pkgsrc changes:
- Set USE_GCC_RUNTIME to depends on gcc6-libs when pkgsrc gcc is used
(XXX: Not tested and not clear if currently mk/compiler/gcc.mk DTRT
XXX: regarding (if not, that's probably why firefox/mozilla-common.mk
XXX: abuses USE_PKGSRC_GCC_RUNTIME!))
Changes:
WebKitGTK+ 2.22.6
=================
- Make kinetic scrolling slow down smoothly when reaching the ends of
pages, instead of abruptly, to better match the GTK+ behaviour.
- Fix Web inspector magnifier under Wayland.
- Fix garbled rendering of some websites (e.g. YouTube) while scrolling
under X11.
- Fix several crashes, race conditions, and rendering issues.
---
Module Name: pkgsrc
Committed By: maya
Date: Thu Feb 21 18:52:15 UTC 2019
Modified Files:
pkgsrc/www/webkit-gtk: Makefile distinfo
Added Files:
pkgsrc/www/webkit-gtk/patches:
patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
Log Message:
webkit-gtk: backport upstream patch. security fix.
Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
<rdar://problem/48183773>
Reviewed by Yusuke Suzuki.
Fix doesGC() for the following nodes:
CompareEq:
CompareLess:
CompareLessEq:
CompareGreater:
CompareGreaterEq:
CompareStrictEq:
Only return false (i.e. does not GC) for child node use kinds that have
been vetted to not do anything that can GC. For all other use kinds
(including StringUse and BigIntUse), we return true (i.e. does GC).
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
This was published alongside with exploit code claiming it is remote
code execution, but I don't understand what the exploit is doing.
bump PKGREVISION
diffstat:
www/webkit-gtk/Makefile | 9 +-
www/webkit-gtk/PLIST | 6 +-
www/webkit-gtk/distinfo | 11 +-
www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp | 96 ++++++++++
4 files changed, 110 insertions(+), 12 deletions(-)
diffs (170 lines):
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/Makefile
--- a/www/webkit-gtk/Makefile Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/Makefile Wed Mar 06 13:43:24 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.155 2018/12/14 15:51:13 leot Exp $
+# $NetBSD: Makefile,v 1.155.2.1 2019/03/06 13:43:24 bsiegert Exp $
-DISTNAME= webkitgtk-2.22.5
+DISTNAME= webkitgtk-2.22.6
+PKGREVISION= 1
PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/}
-PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= https://www.webkitgtk.org/releases/
EXTRACT_SUFX= .tar.xz
@@ -24,7 +24,8 @@
# Enabling -gdwarf-2 hits GNU ar limits on file size.
CTF_SUPPORTED= no
-GCC_REQD+= 6
+GCC_REQD+= 6
+USE_GCC_RUNTIME= yes
# Using ld.gold subverts Pkgsrc wrappers, and this package also crashes buggy
# versions of ld.gold.
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/PLIST
--- a/www/webkit-gtk/PLIST Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/PLIST Wed Mar 06 13:43:24 2019 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.45 2018/12/13 22:50:27 leot Exp $
+@comment $NetBSD: PLIST,v 1.45.2.1 2019/03/06 13:43:24 bsiegert Exp $
bin/WebKitWebDriver
include/webkitgtk-4.0/JavaScriptCore/JSBase.h
include/webkitgtk-4.0/JavaScriptCore/JSContextRef.h
@@ -208,10 +208,10 @@
${PLIST.introspection}lib/girepository-1.0/WebKit2WebExtension-4.0.typelib
lib/libjavascriptcoregtk-4.0.so
lib/libjavascriptcoregtk-4.0.so.18
-lib/libjavascriptcoregtk-4.0.so.18.11.6
+lib/libjavascriptcoregtk-4.0.so.18.11.7
lib/libwebkit2gtk-4.0.so
lib/libwebkit2gtk-4.0.so.37
-lib/libwebkit2gtk-4.0.so.37.33.6
+lib/libwebkit2gtk-4.0.so.37.33.7
lib/pkgconfig/javascriptcoregtk-4.0.pc
lib/pkgconfig/webkit2gtk-4.0.pc
lib/pkgconfig/webkit2gtk-web-extension-4.0.pc
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/distinfo
--- a/www/webkit-gtk/distinfo Mon Mar 04 18:53:34 2019 +0000
+++ b/www/webkit-gtk/distinfo Wed Mar 06 13:43:24 2019 +0000
@@ -1,13 +1,14 @@
-$NetBSD: distinfo,v 1.114 2018/12/23 22:23:09 roy Exp $
+$NetBSD: distinfo,v 1.114.2.1 2019/03/06 13:43:24 bsiegert Exp $
-SHA1 (webkitgtk-2.22.5.tar.xz) = 809b067a1672a81a4ce31363a0872c668cc72953
-RMD160 (webkitgtk-2.22.5.tar.xz) = 6f251088424cfb2fc082a5625ba9f71fbc686759
-SHA512 (webkitgtk-2.22.5.tar.xz) = fcea9fab3d71869cc10e322b1b63864a9594624f6aa3e29efd8b47e5ca639145f8c2cdb299ecb51eadf3ac1238dac06b4b7ebe94969b2f61a21cea8b609007bc
-Size (webkitgtk-2.22.5.tar.xz) = 16774560 bytes
+SHA1 (webkitgtk-2.22.6.tar.xz) = 26a8f8951da03aa4dfc2c25257b6899ea3c2558f
+RMD160 (webkitgtk-2.22.6.tar.xz) = 4ddd00a0eed1e8122a71e070f1f6f5f49f59ca75
+SHA512 (webkitgtk-2.22.6.tar.xz) = 18f4a4c145b524bebf1eaae58057e1e6cb74ba5a162c5195f072ba25c4399e7749c74fe6f8e9351bb9f2630a2c43f59935943e5bb318a5c4977f727a68602709
+Size (webkitgtk-2.22.6.tar.xz) = 16773696 bytes
SHA1 (patch-CMakeLists.txt) = 93466370f447c6be9008512aa1fc2dc0bd2b843b
SHA1 (patch-Source_JavaScriptCore_assembler_ARM64Assembler.h) = a41e02c7a1f9bfb91a2af36ec0410e1bf2b9a745
SHA1 (patch-Source_JavaScriptCore_assembler_ARMAssembler.h) = bae08310572c2e23c69cbf6aa9760a67345dcfe3
SHA1 (patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp) = ab75ef8714e5071fcd094735717a2f5d0321c747
+SHA1 (patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp) = 802d83a69975d0754dfb6198488aacc7e3f04d83
SHA1 (patch-Source_JavaScriptCore_heap_MarkedSpace.cpp) = e6a23d5ef22bddd0a9606fb0e472960e4cf5673e
SHA1 (patch-Source_JavaScriptCore_jit_ExecutableAllocator.cpp) = 36d29a5db03c2413ae93224ac391f3ff248983e8
SHA1 (patch-Source_JavaScriptCore_offlineasm_arm64.rb) = 784baf6f3baba2986fbcb7aa10e7abed8f8c6336
diff -r c51a225d271d -r 41c04f76cb33 www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp Wed Mar 06 13:43:24 2019 +0000
@@ -0,0 +1,96 @@
+$NetBSD: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp,v 1.2.2.2 2019/03/06 13:43:24 bsiegert Exp $
+
+Fix remote code execution in JavaScript. From upstream commit:
+
+From d51ece4028133113e9e5d0f2576ad23489801ddc Mon Sep 17 00:00:00 2001
+From: "mark.lam%apple.com@localhost"
+ <mark.lam%apple.com@localhost@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Tue, 19 Feb 2019 02:32:10 +0000
+Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
+ and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
+ <rdar://problem/48183773>
+
+Reviewed by Yusuke Suzuki.
+
+Fix doesGC() for the following nodes:
+
+ CompareEq:
+ CompareLess:
+ CompareLessEq:
+ CompareGreater:
+ CompareGreaterEq:
+ CompareStrictEq:
+ Only return false (i.e. does not GC) for child node use kinds that have
+ been vetted to not do anything that can GC. For all other use kinds
+ (including StringUse and BigIntUse), we return true (i.e. does GC).
+
+* dfg/DFGDoesGC.cpp:
+(JSC::DFG::doesGC):
+
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@241753 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp.orig 2019-02-08 16:17:00.000000000 +0000
++++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+@@ -146,14 +146,8 @@ bool doesGC(Graph& graph, Node* node)
+ case RegExpTest:
+ case RegExpMatchFast:
+ case RegExpMatchFastGlobal:
+- case CompareLess:
+- case CompareLessEq:
+- case CompareGreater:
+- case CompareGreaterEq:
+ case CompareBelow:
+ case CompareBelowEq:
+- case CompareEq:
+- case CompareStrictEq:
+ case CompareEqPtr:
+ case SameValue:
+ case Call:
+@@ -374,6 +368,46 @@ bool doesGC(Graph& graph, Node* node)
+ case MapSet:
+ return true;
+
++ case CompareEq:
++ case CompareLess:
++ case CompareLessEq:
++ case CompareGreater:
++ case CompareGreaterEq:
++ if (node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ )
++ return false;
++ if (node->op() == CompareEq) {
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
++ return false;
++ }
++ return true;
++
++ case CompareStrictEq:
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(SymbolUse, UntypedUse)
++ || node->isBinaryUseKind(UntypedUse, SymbolUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
++ || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse))
++ return false;
++ return true;
++
+ case GetIndexedPropertyStorage:
+ if (node->arrayMode().type() == Array::String)
+ return true;
Home |
Main Index |
Thread Index |
Old Index