epiphany: Security fix for CVE-2023-26081

Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd] (From OE-Core rev: d5390008c3747073e4dfcc120b335d14dd0a08c9) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Siddharth Doshi <sdoshi@mvista.com> 2023-03-06 23:06:01 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-20 17:20:44 +0000
commit: 871137b98608ded9a249ce8e481d9dd8dc2d26f7 (patch)
tree: 7b8cfba93ce1bd5909a974bee4526be38cc6e60c
parent: 2a15bb1af32b0538ce9b63be4fbe0c46bcf25c2f (diff)
download: poky-871137b98608ded9a249ce8e481d9dd8dc2d26f7.tar.gz
2 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-gnome/epiphany/epiphany_42.4.bb b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
index 9efd2800da..98923a3bdc 100644
--- a/meta/recipes-gnome/epiphany/epiphany_42.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@oe.utils.trim_version("${PV}", 1)}/${GN
           file://0002-help-meson.build-disable-the-use-of-yelp.patch \
           file://migrator.patch \
           file://distributor.patch \
+           file://CVE-2023-26081.patch \
           "
 SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860"
diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
new file mode 100644
index 0000000000..af1e20bd8f
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@
+From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 3 Feb 2023 13:07:15 -0600
+Subject: [PATCH] Don't autofill passwords in sandboxed contexts
+If using the sandbox CSP or iframe tag, the web content is supposed to
+be not trusted by the main resource origin. Therefore, we'd better
+disable the password manager entirely so the untrusted web content
+cannot exfiltrate passwords.
+https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
+CVE: CVE-2023-26081
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ .../resources/js/ephy.js                      | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
+index 38b806f..44d1792 100644
+--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
+@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
+     }
+ };
+ 
+Ephy.isSandboxedWebContent = function()
+{
+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+    return self.origin === null || self.origin === 'null';
+};
+
+ Ephy.PasswordManager = class PasswordManager
+ {
+     constructor(pageID, frameID)
+@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     query(origin, targetOrigin, username, usernameField, passwordField)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
+ 
+         return new Promise((resolver, reject) => {
+@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerSave.postMessage({
+@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
+     // FIXME: Why is pageID a parameter here?
+     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
+@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     queryUsernames(origin)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Requesting usernames for origin=${origin}`);
+ 
+         return new Promise((resolver, reject) => {
+-- 
+2.35.5
author	Siddharth Doshi <sdoshi@mvista.com>	2023-03-06 23:06:01 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-20 17:20:44 +0000
commit	871137b98608ded9a249ce8e481d9dd8dc2d26f7 (patch)
tree	7b8cfba93ce1bd5909a974bee4526be38cc6e60c
parent	2a15bb1af32b0538ce9b63be4fbe0c46bcf25c2f (diff)
download	poky-871137b98608ded9a249ce8e481d9dd8dc2d26f7.tar.gz

diff --git a/meta/recipes-gnome/epiphany/epiphany_42.4.bb b/meta/recipes-gnome/epiphany/epiphany_42.4.bb index 9efd2800da..98923a3bdc 100644 --- a/meta/recipes-gnome/epiphany/epiphany_42.4.bb +++ b/meta/recipes-gnome/epiphany/epiphany_42.4.bb
@@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@oe.utils.trim_version("${PV}", 1)}/${GN
27	file://0002-help-meson.build-disable-the-use-of-yelp.patch \	27	file://0002-help-meson.build-disable-the-use-of-yelp.patch \
28	file://migrator.patch \	28	file://migrator.patch \
29	file://distributor.patch \	29	file://distributor.patch \
		30	file://CVE-2023-26081.patch \
30	"	31	"
31	SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860"	32	SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860"
32		33


diff --git a/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch new file mode 100644 index 0000000000..af1e20bd8f --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch
@@ -0,0 +1,90 @@
		1	From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
		2	From: Michael Catanzaro <mcatanzaro@redhat.com>
		3	Date: Fri, 3 Feb 2023 13:07:15 -0600
		4	Subject: [PATCH] Don't autofill passwords in sandboxed contexts
		5
		6	If using the sandbox CSP or iframe tag, the web content is supposed to
		7	be not trusted by the main resource origin. Therefore, we'd better
		8	disable the password manager entirely so the untrusted web content
		9	cannot exfiltrate passwords.
		10
		11	https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
		12
		13	Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
		14
		15	Upstream-Status: Backport
		16	[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd]
		17	CVE: CVE-2023-26081
		18	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		19	---
		20	.../resources/js/ephy.js \| 26 +++++++++++++++++++
		21	1 file changed, 26 insertions(+)
		22
		23	diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
		24	index 38b806f..44d1792 100644
		25	--- a/embed/web-process-extension/resources/js/ephy.js
		26	+++ b/embed/web-process-extension/resources/js/ephy.js
		27	@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function()
		28	}
		29	};
		30
		31	+Ephy.isSandboxedWebContent = function()
		32	+{
		33	+ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
		34	+ return self.origin === null \|\| self.origin === 'null';
		35	+};
		36	+
		37	Ephy.PasswordManager = class PasswordManager
		38	{
		39	constructor(pageID, frameID)
		40	@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager
		41
		42	query(origin, targetOrigin, username, usernameField, passwordField)
		43	{
		44	+ if (Ephy.isSandboxedWebContent()) {
		45	+ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
		46	+ return Promise.resolve(null);
		47	+ }
		48	+
		49	Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
		50
		51	return new Promise((resolver, reject) => {
		52	@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager
		53
		54	save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
		55	{
		56	+ if (Ephy.isSandboxedWebContent()) {
		57	+ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
		58	+ return;
		59	+ }
		60	+
		61	Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
		62
		63	window.webkit.messageHandlers.passwordManagerSave.postMessage({
		64	@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager
		65	// FIXME: Why is pageID a parameter here?
		66	requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
		67	{
		68	+ if (Ephy.isSandboxedWebContent()) {
		69	+ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
		70	+ return;
		71	+ }
		72	+
		73	Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
		74
		75	window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
		76	@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager
		77
		78	queryUsernames(origin)
		79	{
		80	+ if (Ephy.isSandboxedWebContent()) {
		81	+ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
		82	+ return Promise.resolve(null);
		83	+ }
		84	+
		85	Ephy.log(`Requesting usernames for origin=${origin}`);
		86
		87	return new Promise((resolver, reject) => {
		88	--
		89	2.35.5
		90