pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/lang/spidermonkey52 spidermonkey52: backport patch for...
details: https://anonhg.NetBSD.org/pkgsrc/rev/02a8ec04a631
branches: trunk
changeset: 385968:02a8ec04a631
user: maya <maya%pkgsrc.org@localhost>
date: Wed Oct 03 18:58:22 2018 +0000
description:
spidermonkey52: backport patch for CVE-2018-12387
Don't inline push with more than 1 argument
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.
Bump PKGREVISION
diffstat:
lang/spidermonkey52/Makefile | 4 +-
lang/spidermonkey52/distinfo | 3 +-
lang/spidermonkey52/patches/patch-CVE-2018-12387 | 25 ++++++++++++++++++++++++
3 files changed, 29 insertions(+), 3 deletions(-)
diffs (57 lines):
diff -r 53a512e8a17a -r 02a8ec04a631 lang/spidermonkey52/Makefile
--- a/lang/spidermonkey52/Makefile Wed Oct 03 17:31:07 2018 +0000
+++ b/lang/spidermonkey52/Makefile Wed Oct 03 18:58:22 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2018/08/22 09:45:22 wiz Exp $
+# $NetBSD: Makefile,v 1.10 2018/10/03 18:58:22 maya Exp $
DISTNAME= mozjs-52.7.4
-PKGREVISION= 4
+PKGREVISION= 5
PKGNAME= ${DISTNAME:S/mozjs/spidermonkey52/}
CATEGORIES= lang
MASTER_SITES= https://queue.taskcluster.net/v1/task/YqG2fjJJSTGzGX090FjDYg/runs/0/artifacts/public/build/
diff -r 53a512e8a17a -r 02a8ec04a631 lang/spidermonkey52/distinfo
--- a/lang/spidermonkey52/distinfo Wed Oct 03 17:31:07 2018 +0000
+++ b/lang/spidermonkey52/distinfo Wed Oct 03 18:58:22 2018 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.4 2018/05/19 12:38:28 youri Exp $
+$NetBSD: distinfo,v 1.5 2018/10/03 18:58:22 maya Exp $
SHA1 (mozjs-52.7.4.tar.bz2) = ff009853040bb46017204fda4ed69a79484fd321
RMD160 (mozjs-52.7.4.tar.bz2) = 71ee71c2444d8b6a1b2b3c744c9f52a2b7129879
SHA512 (mozjs-52.7.4.tar.bz2) = 7381f251ca9a4983d181eee2198f89b30505a0de636020e52c0c5b174f4d5cd19ca851222b6d8013bb657f2f1ce1ffcb54816eb928e481be2c9242f918d0125e
Size (mozjs-52.7.4.tar.bz2) = 30494311 bytes
+SHA1 (patch-CVE-2018-12387) = a0e3198e1009db01bb5a39220764e7dcdfd52591
SHA1 (patch-build_moz.configure_init.configure) = 63ed71d4269e8fbf990f44eecadca796991d5c1f
SHA1 (patch-config_gcc__hidden.h) = c2042035288e01601b6c240fb08c8a1f598b9dfd
SHA1 (patch-intl_icu_source_configure) = 1ff1be8ca68566e153219e15b8db696afd08b746
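Review bot: the new `SHA1 (patch-CVE-2018-12387)` entry is in the correct sorted slot, but it is bound to the exact bytes of the patch file; if the patch is revised in a follow-up (for example to relocate its hunk), regenerate this line with `make makepatchsum` in the same commit so distinfo and the patch never disagree.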
diff -r 53a512e8a17a -r 02a8ec04a631 lang/spidermonkey52/patches/patch-CVE-2018-12387
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/spidermonkey52/patches/patch-CVE-2018-12387 Wed Oct 03 18:58:22 2018 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $
+
+From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij%mozilla.com@localhost>
+Date: Tue, 25 Sep 2018 12:33:42 +0200
+Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument.
+ r=tcampbell
+
+CVE-2018-12387
+
+--- js/src/jit/MCallOptimize.cpp.orig 2018-04-28 01:04:03.000000000 +0000
++++ js/src/jit/MCallOptimize.cpp
+@@ -818,6 +818,12 @@ IonBuilder::inlineArraySlice(CallInfo& c
+ return InliningStatus_NotInlined;
+ }
+
++ // XXX bug 1493903.
++ if (callInfo.argc() != 1) {
++ trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
++ return InliningStatus_NotInlined;
++ }
++
+ MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
+
+ // Ensure |this| and result are objects.
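Review bot: the embedded hunk's `@@` header carries the function context `IonBuilder::inlineArraySlice(CallInfo& c`, while the upstream subject and the commit description concern inlining of `Array.prototype.push`; please confirm that the added `if (callInfo.argc() != 1)` check lands in `inlineArrayPush` in the mozjs-52.7.4 tree it was regenerated against (the `.orig` timestamp shows this was re-based rather than applied verbatim). If the hunk was applied to the slice inliner instead, it would disable inlining for every `slice()` call that does not pass exactly one argument (slice takes zero to two) while leaving `push` untouched, so the CVE would remain unaddressed.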