[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[Yogita Urade]

A memory consumption issue was addressed with improved memory handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46691
https://support.apple.com/en-us/HT213531

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../webkit/webkitgtk/CVE-2022-46691.patch     | 43 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 0000000000..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang <hyjorc1@gmail.com>
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+
+Reviewed by Yusuke Suzuki.
+
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+
+Canonical link: https://commits.webkit.org/255368@main
+
+CVE: CVE-2022-46691
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+     case ValueBitRShift:
+         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
+         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
++            read(World);
++            write(SideState);
+             def(PureValue(node));
+             return;
+         }
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..02258f84e4 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
            file://CVE-2022-32888.patch \
            file://CVE-2022-32923.patch \
+           file://CVE-2022-46691.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0

Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[Steve Sakoman]

Hi Yogita,

Thanks for helping to fix CVEs!

Unfortunately I can't take this set of five patches in their current
state.  You have crafted each as an individual patch to the current
kirkstone head.  As a result, after I take the first patch the rest
will not apply.

In a case like this you should send a patch series, with each patch
taking into account the previous patch.

Regards,

Steve

On Tue, Jun 6, 2023 at 2:07 AM Urade, Yogita via
lists.openembedded.org
<Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
>
> A memory consumption issue was addressed with improved memory handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-46691
> https://support.apple.com/en-us/HT213531
>
> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> ---
>  .../webkit/webkitgtk/CVE-2022-46691.patch     | 43 +++++++++++++++++++
>  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
>  2 files changed, 44 insertions(+)
>  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
>
> diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> new file mode 100644
> index 0000000000..ff9df40433
> --- /dev/null
> +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> @@ -0,0 +1,43 @@
> +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
> +From: Yijia Huang <hyjorc1@gmail.com>
> +Date: Mon, 10 Oct 2022 15:42:34 -0700
> +Subject: [PATCH] [JSC] Should model BigInt with side effects
> + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
> +
> +Reviewed by Yusuke Suzuki.
> +
> +Operations with two BigInt operands have side effects,
> +which should not be hoisted from loops.
> +
> +* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
> +(JSC::DFG::doesWrites):
> +* Source/JavaScriptCore/dfg/DFGClobberize.h:
> +(JSC::DFG::clobberize):
> +
> +Canonical link: https://commits.webkit.org/255368@main
> +
> +CVE: CVE-2022-46691
> +
> +Upstream-Status: Backport
> +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
> +
> +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> +---
> + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
> +index 0363ab20dcd8..4b1bcfea1fd7 100644
> +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
> ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
> +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
> +     case ValueBitRShift:
> +         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
> +         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
> ++            read(World);
> ++            write(SideState);
> +             def(PureValue(node));
> +             return;
> +         }
> +--
> +2.40.0
> diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> index 1dac4f5677..02258f84e4 100644
> --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> @@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
>             file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
>             file://CVE-2022-32888.patch \
>             file://CVE-2022-32923.patch \
> +           file://CVE-2022-46691.patch \
>             "
>  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
>
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#182428): https://lists.openembedded.org/g/openembedded-core/message/182428
> Mute This Topic: https://lists.openembedded.org/mt/99361658/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[Steve Sakoman]

On Tue, Jun 6, 2023 at 4:18 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Hi Yogita,
>
> Thanks for helping to fix CVEs!
>
> Unfortunately I can't take this set of five patches in their current

Seven, not five!  I can't count :-)

> state.  You have crafted each as an individual patch to the current
> kirkstone head.  As a result, after I take the first patch the rest
> will not apply.
>
> In a case like this you should send a patch series, with each patch
> taking into account the previous patch.
>
> Regards,
>
> Steve
>
> On Tue, Jun 6, 2023 at 2:07 AM Urade, Yogita via
> lists.openembedded.org
> <Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
> >
> > A memory consumption issue was addressed with improved memory handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
> >
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2022-46691
> > https://support.apple.com/en-us/HT213531
> >
> > Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > ---
> >  .../webkit/webkitgtk/CVE-2022-46691.patch     | 43 +++++++++++++++++++
> >  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
> >  2 files changed, 44 insertions(+)
> >  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> >
> > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > new file mode 100644
> > index 0000000000..ff9df40433
> > --- /dev/null
> > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > @@ -0,0 +1,43 @@
> > +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
> > +From: Yijia Huang <hyjorc1@gmail.com>
> > +Date: Mon, 10 Oct 2022 15:42:34 -0700
> > +Subject: [PATCH] [JSC] Should model BigInt with side effects
> > + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
> > +
> > +Reviewed by Yusuke Suzuki.
> > +
> > +Operations with two BigInt operands have side effects,
> > +which should not be hoisted from loops.
> > +
> > +* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
> > +(JSC::DFG::doesWrites):
> > +* Source/JavaScriptCore/dfg/DFGClobberize.h:
> > +(JSC::DFG::clobberize):
> > +
> > +Canonical link: https://commits.webkit.org/255368@main
> > +
> > +CVE: CVE-2022-46691
> > +
> > +Upstream-Status: Backport
> > +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
> > +
> > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > +---
> > + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
> > + 1 file changed, 2 insertions(+)
> > +
> > +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +index 0363ab20dcd8..4b1bcfea1fd7 100644
> > +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
> > ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
> > +     case ValueBitRShift:
> > +         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
> > +         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
> > ++            read(World);
> > ++            write(SideState);
> > +             def(PureValue(node));
> > +             return;
> > +         }
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > index 1dac4f5677..02258f84e4 100644
> > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > @@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> >             file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
> >             file://CVE-2022-32888.patch \
> >             file://CVE-2022-32923.patch \
> > +           file://CVE-2022-46691.patch \
> >             "
> >  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
> >
> > --
> > 2.40.0
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#182440): https://lists.openembedded.org/g/openembedded-core/message/182440
> Mute This Topic: https://lists.openembedded.org/mt/99361658/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[Polampalli, Archana]

[-- Attachment #1: Type: text/plain, Size: 5299 bytes --]

Hi Steve,

As you suggested Yogita will send V2 for all seven patches

Regards,
Archana
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
Sent: Tuesday, June 6, 2023 7:52 PM
To: steve@sakoman.com <steve@sakoman.com>
Cc: Urade, Yogita <Yogita.Urade@windriver.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; MacLeod, Randy <Randy.MacLeod@windriver.com>
Subject: Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

On Tue, Jun 6, 2023 at 4:18 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Hi Yogita,
>
> Thanks for helping to fix CVEs!
>
> Unfortunately I can't take this set of five patches in their current

Seven, not five!  I can't count :-)

> state.  You have crafted each as an individual patch to the current
> kirkstone head.  As a result, after I take the first patch the rest
> will not apply.
>
> In a case like this you should send a patch series, with each patch
> taking into account the previous patch.
>
> Regards,
>
> Steve
>
> On Tue, Jun 6, 2023 at 2:07 AM Urade, Yogita via
> lists.openembedded.org
> <Yogita.Urade=windriver.com@lists.openembedded.org> wrote:
> >
> > A memory consumption issue was addressed with improved memory handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
> >
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2022-46691
> > https://support.apple.com/en-us/HT213531
> >
> > Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > ---
> >  .../webkit/webkitgtk/CVE-2022-46691.patch     | 43 +++++++++++++++++++
> >  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
> >  2 files changed, 44 insertions(+)
> >  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> >
> > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > new file mode 100644
> > index 0000000000..ff9df40433
> > --- /dev/null
> > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > @@ -0,0 +1,43 @@
> > +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
> > +From: Yijia Huang <hyjorc1@gmail.com>
> > +Date: Mon, 10 Oct 2022 15:42:34 -0700
> > +Subject: [PATCH] [JSC] Should model BigInt with side effects
> > + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
> > +
> > +Reviewed by Yusuke Suzuki.
> > +
> > +Operations with two BigInt operands have side effects,
> > +which should not be hoisted from loops.
> > +
> > +* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
> > +(JSC::DFG::doesWrites):
> > +* Source/JavaScriptCore/dfg/DFGClobberize.h:
> > +(JSC::DFG::clobberize):
> > +
> > +Canonical link: https://commits.webkit.org/255368@main
> > +
> > +CVE: CVE-2022-46691
> > +
> > +Upstream-Status: Backport
> > +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
> > +
> > +Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
> > +---
> > + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
> > + 1 file changed, 2 insertions(+)
> > +
> > +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +index 0363ab20dcd8..4b1bcfea1fd7 100644
> > +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
> > ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
> > +     case ValueBitRShift:
> > +         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
> > +         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
> > ++            read(World);
> > ++            write(SideState);
> > +             def(PureValue(node));
> > +             return;
> > +         }
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > index 1dac4f5677..02258f84e4 100644
> > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > @@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> >             file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
> >             file://CVE-2022-32888.patch \
> >             file://CVE-2022-32923.patch \
> > +           file://CVE-2022-46691.patch \
> >             "
> >  SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
> >
> > --
> > 2.40.0
> >
> >
> >
> >
>
>
>

[-- Attachment #2: Type: text/html, Size: 9104 bytes --]