2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
index ddb4c2794f..f43bfd6a67 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
@@ -1,4 +1,7 @@
 SUMMARY = "WebKit based web browser for GNOME"
+DESCRIPTION = "Epiphany is an open source web browser for the Linux desktop environment. \
+It provides a simple and easy-to-use internet browsing experience."
+HOMEPAGE = "https://wiki.gnome.org/Apps/Web"
 BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany"
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -13,6 +16,7 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
 SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
           file://0002-help-meson.build-disable-the-use-of-yelp.patch \
+           file://CVE-2022-29536.patch \
           "
 SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b"
 SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d"
diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
new file mode 100644
index 0000000000..71cfc1238a
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2022-29536
+Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 15 Apr 2022 18:09:46 -0500
+Subject: [PATCH] Fix memory corruption in ephy_string_shorten()
+This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
+I got my browser stuck in a crash loop today while visiting a website
+with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
+condition in which ephy_string_shorten() is ever used. Turns out this
+commit is wrong: an ellipses is a multibyte character (three bytes in
+UTF-8) and so we're writing past the end of the buffer when calling
+strcat() here. Ooops.
+Shame it took nearly four years to notice and correct this.
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
+---
+ lib/ephy-string.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/lib/ephy-string.c b/lib/ephy-string.c
+index 35a148ab32..8e524d52ca 100644
+--- a/lib/ephy-string.c
+++ b/lib/ephy-string.c
+@@ -114,11 +114,10 @@ ephy_string_shorten (char  *str,
+   /* create string */
+   bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
+ 
+-  /* +1 for ellipsis, +1 for trailing NUL */
+-  new_str = g_new (gchar, bytes + 1 + 1);
+  new_str = g_new (gchar, bytes + strlen ("…") + 1);
+ 
+   strncpy (new_str, str, bytes);
+-  strcat (new_str, "…");
+  strncpy (new_str + bytes, "…", strlen ("…") + 1);
+ 
+   g_free (str);
+ 
+-- 
+GitLab

diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb index ddb4c2794f..f43bfd6a67 100644 --- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb +++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
@@ -1,4 +1,7 @@
1	SUMMARY = "WebKit based web browser for GNOME"	1	SUMMARY = "WebKit based web browser for GNOME"
		2	DESCRIPTION = "Epiphany is an open source web browser for the Linux desktop environment. \
		3	It provides a simple and easy-to-use internet browsing experience."
		4	HOMEPAGE = "https://wiki.gnome.org/Apps/Web"
2	BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany"	5	BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany"
3	LICENSE = "GPLv3+"	6	LICENSE = "GPLv3+"
4	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"	7	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -13,6 +16,7 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
13		16
14	SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \	17	SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
15	file://0002-help-meson.build-disable-the-use-of-yelp.patch \	18	file://0002-help-meson.build-disable-the-use-of-yelp.patch \
		19	file://CVE-2022-29536.patch \
16	"	20	"
17	SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b"	21	SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b"
18	SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d"	22	SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d"


diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch new file mode 100644 index 0000000000..71cfc1238a --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
@@ -0,0 +1,46 @@
		1	CVE: CVE-2022-29536
		2	Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
		6	From: Michael Catanzaro <mcatanzaro@redhat.com>
		7	Date: Fri, 15 Apr 2022 18:09:46 -0500
		8	Subject: [PATCH] Fix memory corruption in ephy_string_shorten()
		9
		10	This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
		11
		12	I got my browser stuck in a crash loop today while visiting a website
		13	with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
		14	condition in which ephy_string_shorten() is ever used. Turns out this
		15	commit is wrong: an ellipses is a multibyte character (three bytes in
		16	UTF-8) and so we're writing past the end of the buffer when calling
		17	strcat() here. Ooops.
		18
		19	Shame it took nearly four years to notice and correct this.
		20
		21	Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
		22	---
		23	lib/ephy-string.c \| 5 ++---
		24	1 file changed, 2 insertions(+), 3 deletions(-)
		25
		26	diff --git a/lib/ephy-string.c b/lib/ephy-string.c
		27	index 35a148ab32..8e524d52ca 100644
		28	--- a/lib/ephy-string.c
		29	+++ b/lib/ephy-string.c
		30	@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
		31	/* create string */
		32	bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
		33
		34	- /* +1 for ellipsis, +1 for trailing NUL */
		35	- new_str = g_new (gchar, bytes + 1 + 1);
		36	+ new_str = g_new (gchar, bytes + strlen ("…") + 1);
		37
		38	strncpy (new_str, str, bytes);
		39	- strcat (new_str, "…");
		40	+ strncpy (new_str + bytes, "…", strlen ("…") + 1);
		41
		42	g_free (str);
		43
		44	--
		45	GitLab
		46