webkitgtk: fix CVE-2022-46700

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution. References: https://support.apple.com/en-us/HT213531 https://bugs.webkit.org/show_bug.cgi?id=247562 https://github.com/WebKit/WebKit/pull/6266 (From OE-Core rev: da1e7adf33b86cd818a39091043817e21ff8bbbd) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2023-06-09 14:09:08 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-06-21 04:00:58 -1000
commit: 1a63c9703f76c30c6c0c2b15ccefd3730bc707be (patch)
tree: d7baa2875f933639895c82bb8edb072adf12d738
parent: b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd (diff)
download: poky-1a63c9703f76c30c6c0c2b15ccefd3730bc707be.tar.gz
2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 0000000000..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
+From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
+From: David Degazio <d_degazio@apple.com>
+Date: Tue, 8 Nov 2022 19:54:33 -0800
+Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
+ script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
+Reviewed by Mark Lam.
+We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
+to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
+when udatpg_open returns a failed status.
+* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
+(main):
+* Source/JavaScriptCore/runtime/IntlLocale.cpp:
+(JSC::IntlLocale::hourCycles):
+Canonical link: https://commits.webkit.org/256473@main
+CVE:CVE-2022-46700
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ JSTests/stress/intl-locale-invalid-hourCycles.js | 12 ++++++++++++
+ Source/JavaScriptCore/runtime/IntlLocale.cpp     |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
+diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js
+new file mode 100644
+index 000000000000..7b94eb844764
+--- /dev/null
+++ b/JSTests/stress/intl-locale-invalid-hourCycles.js
+@@ -0,0 +1,12 @@
+function main() {
+    const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
+    let empty = v24.hourCycles;
+    print(empty);
+}
+
+try {
+    main();
+} catch (e) {
+    if (!(e instanceof TypeError))
+        throw e;
+}
+diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+index c3c346163a18..bef424727a8a 100644
+--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
+++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject)
+     UErrorCode status = U_ZERO_ERROR;
+     auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status));
+-    if (U_FAILURE(status))
+    if (U_FAILURE(status)) {
+        throwTypeError(globalObject, scope, "invalid locale"_s);
+         return nullptr;
+    }
+     // Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information.
+     constexpr const UChar skeleton[] = { 'j', 0 };
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 062f209932..edd64b7b11 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-46691.patch \
           file://CVE-2022-46699.patch \
           file://CVE-2022-42867.patch \
+           file://CVE-2022-46700.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
author	Yogita Urade <yogita.urade@windriver.com>	2023-06-09 14:09:08 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-06-21 04:00:58 -1000
commit	1a63c9703f76c30c6c0c2b15ccefd3730bc707be (patch)
tree	d7baa2875f933639895c82bb8edb072adf12d738
parent	b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd (diff)
download	poky-1a63c9703f76c30c6c0c2b15ccefd3730bc707be.tar.gz

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch new file mode 100644 index 0000000000..242b8337fa --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
		1	From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
		2	From: David Degazio <d_degazio@apple.com>
		3	Date: Tue, 8 Nov 2022 19:54:33 -0800
		4	Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
		5	script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
		6
		7	Reviewed by Mark Lam.
		8
		9	We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
		10	to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
		11	when udatpg_open returns a failed status.
		12
		13	* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
		14	(main):
		15	* Source/JavaScriptCore/runtime/IntlLocale.cpp:
		16	(JSC::IntlLocale::hourCycles):
		17
		18	Canonical link: https://commits.webkit.org/256473@main
		19
		20	CVE:CVE-2022-46700
		21
		22	Upstream-Status: Backport
		23	[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
		24
		25	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		26	---
		27	JSTests/stress/intl-locale-invalid-hourCycles.js \| 12 ++++++++++++
		28	Source/JavaScriptCore/runtime/IntlLocale.cpp \| 4 +++-
		29	2 files changed, 15 insertions(+), 1 deletion(-)
		30	create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
		31
		32	diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js
		33	new file mode 100644
		34	index 000000000000..7b94eb844764
		35	--- /dev/null
		36	+++ b/JSTests/stress/intl-locale-invalid-hourCycles.js
		37	@@ -0,0 +1,12 @@
		38	+function main() {
		39	+ const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
		40	+ let empty = v24.hourCycles;
		41	+ print(empty);
		42	+}
		43	+
		44	+try {
		45	+ main();
		46	+} catch (e) {
		47	+ if (!(e instanceof TypeError))
		48	+ throw e;
		49	+}
		50	diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp
		51	index c3c346163a18..bef424727a8a 100644
		52	--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
		53	+++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp
		54	@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject)
		55
		56	UErrorCode status = U_ZERO_ERROR;
		57	auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status));
		58	- if (U_FAILURE(status))
		59	+ if (U_FAILURE(status)) {
		60	+ throwTypeError(globalObject, scope, "invalid locale"_s);
		61	return nullptr;
		62	+ }
		63
		64	// Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information.
		65	constexpr const UChar skeleton[] = { 'j', 0 };
		66	--
		67	2.40.0


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 062f209932..edd64b7b11 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
20	file://CVE-2022-46691.patch \	20	file://CVE-2022-46691.patch \
21	file://CVE-2022-46699.patch \	21	file://CVE-2022-46699.patch \
22	file://CVE-2022-42867.patch \	22	file://CVE-2022-42867.patch \
		23	file://CVE-2022-46700.patch \
23	"	24	"
24	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	25	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
25		26