webkitgtk: fix fix CVE-2021-42762

Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5. CVE: CVE-2021-42762 Ref: * https://bugs.webkit.org/show_bug.cgi?id=231479#c8 (From OE-Core rev: 64170871293745254e4287cabeb7ceff5cbf64f8) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2022-01-07 23:09:24 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-01-14 09:34:04 +0000
commit: 5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d (patch)
tree: 2ff937ebc087c37b27e3b95c39d5034823194bf3 /meta
parent: b5010071e6291b3f5431b371907064b63c1565df (diff)
download: poky-5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d.tar.gz
2 files changed, 469 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
new file mode 100644
index 0000000000..1d012271cb
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
@@ -0,0 +1,468 @@
+Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5.
+CVE: CVE-2021-42762
+Upstream-Status: Backport [https://trac.webkit.org/changeset/284451/webkit]
+Ref:
+* https://bugs.webkit.org/show_bug.cgi?id=231479#c8
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 035ac439855c7bef0a4525897f783121e4a6055c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Tue, 19 Oct 2021 14:27:17 +0000
+Subject: [PATCH] Update seccomp filters with latest changes from flatpak
+ https://bugs.webkit.org/show_bug.cgi?id=231479
+Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19
+Reviewed by Adrian Perez de Castro.
+Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
+our codepaths carefully free and close resources, but the process is about to crash so
+there's not really any reason to do so. The code is slightly simpler if we don't bother.
+The seemingly-extraneous include order changes are required to placate the style checker.
+* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
+(WebKit::seccompStrerror):
+(WebKit::setupSeccomp):
+* UIProcess/Launcher/glib/Syscalls.h: Added.
+Canonical link: https://commits.webkit.org/243211@main
+git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+---
+ .../UIProcess/Launcher/glib/BubblewrapLauncher.cpp | 139 +++++++++-----
+ Source/WebKit/UIProcess/Launcher/glib/Syscalls.h   | 200 +++++++++++++++++++++
+ 2 files changed, 293 insertions(+), 46 deletions(-)
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index 889388ac..c2f7e502 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -25,11 +25,18 @@
+ #include <glib.h>
+ #include <seccomp.h>
+ #include <sys/ioctl.h>
+#include <sys/mman.h>
+ #include <wtf/FileSystem.h>
+ #include <wtf/glib/GLibUtilities.h>
+ #include <wtf/glib/GRefPtr.h>
+ #include <wtf/glib/GUniquePtr.h>
+ 
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+#include <linux/memfd.h>
+#endif
+
+#include "Syscalls.h"
+
+ #if PLATFORM(GTK)
+ #include "WaylandCompositor.h"
+ #endif
+@@ -40,13 +47,7 @@
+ #define BASE_DIRECTORY "wpe"
+ #endif
+ 
+-#include <sys/mman.h>
+-
+-#ifndef MFD_ALLOW_SEALING
+-
+-#if HAVE(LINUX_MEMFD_H)
+-
+-#include <linux/memfd.h>
+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+ 
+ // These defines were added in glibc 2.27, the same release that added memfd_create.
+ // But the kernel added all of this in Linux 3.17. So it's totally safe for us to
+@@ -65,9 +66,7 @@ static int memfd_create(const char* name, unsigned flags)
+ {
+     return syscall(__NR_memfd_create, name, flags);
+ }
+-#endif // #if HAVE(LINUX_MEMFD_H)
+-
+-#endif // #ifndef MFD_ALLOW_SEALING
+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
+ 
+ namespace WebKit {
+ using namespace WebCore;
+@@ -573,6 +572,28 @@ static void bindSymlinksRealPath(Vector<CString>& args, const char* path)
+     }
+ }
+ 
+// Translate a libseccomp error code into an error message. libseccomp
+// mostly returns negative errno values such as -ENOMEM, but some
+// standard errno values are used for non-standard purposes where their
+// strerror() would be misleading.
+static const char* seccompStrerror(int negativeErrno)
+{
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
+
+    switch (negativeErrno) {
+    case -EDOM:
+        return "Architecture-specific failure";
+    case -EFAULT:
+        return "Internal libseccomp failure (unknown syscall?)";
+    case -ECANCELED:
+        return "System failure beyond the control of libseccomp";
+    }
+
+    // e.g. -ENOMEM: the result of strerror() is good enough
+    return g_strerror(-negativeErrno);
+}
+
+ static int setupSeccomp()
+ {
+     // NOTE: This is shared code (flatpak-run.c - LGPLv2.1+)
+@@ -600,6 +621,10 @@ static int setupSeccomp()
+     //    in common/flatpak-run.c
+     //  https://git.gnome.org/browse/linux-user-chroot
+     //    in src/setup-seccomp.c
+    //
+    // Other useful resources:
+    // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
+    // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
+ 
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+     // Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+@@ -613,47 +638,70 @@ static int setupSeccomp()
+     struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
+     struct {
+         int scall;
+        int errnum;
+         struct scmp_arg_cmp* arg;
+     } syscallBlockList[] = {
+         // Block dmesg
+-        { SCMP_SYS(syslog), nullptr },
+        { SCMP_SYS(syslog), EPERM, nullptr },
+         // Useless old syscall.
+-        { SCMP_SYS(uselib), nullptr },
+        { SCMP_SYS(uselib), EPERM, nullptr },
+         // Don't allow disabling accounting.
+-        { SCMP_SYS(acct), nullptr },
+        { SCMP_SYS(acct), EPERM, nullptr },
+         // 16-bit code is unnecessary in the sandbox, and modify_ldt is a
+         // historic source of interesting information leaks.
+-        { SCMP_SYS(modify_ldt), nullptr },
+        { SCMP_SYS(modify_ldt), EPERM, nullptr },
+         // Don't allow reading current quota use.
+-        { SCMP_SYS(quotactl), nullptr },
+        { SCMP_SYS(quotactl), EPERM, nullptr },
+ 
+         // Don't allow access to the kernel keyring.
+-        { SCMP_SYS(add_key), nullptr },
+-        { SCMP_SYS(keyctl), nullptr },
+-        { SCMP_SYS(request_key), nullptr },
+        { SCMP_SYS(add_key), EPERM, nullptr },
+        { SCMP_SYS(keyctl), EPERM, nullptr },
+        { SCMP_SYS(request_key), EPERM, nullptr },
+ 
+         // Scary VM/NUMA ops 
+-        { SCMP_SYS(move_pages), nullptr },
+-        { SCMP_SYS(mbind), nullptr },
+-        { SCMP_SYS(get_mempolicy), nullptr },
+-        { SCMP_SYS(set_mempolicy), nullptr },
+-        { SCMP_SYS(migrate_pages), nullptr },
+        { SCMP_SYS(move_pages), EPERM, nullptr },
+        { SCMP_SYS(mbind), EPERM, nullptr },
+        { SCMP_SYS(get_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(set_mempolicy), EPERM, nullptr },
+        { SCMP_SYS(migrate_pages), EPERM, nullptr },
+ 
+         // Don't allow subnamespace setups:
+-        { SCMP_SYS(unshare), nullptr },
+-        { SCMP_SYS(mount), nullptr },
+-        { SCMP_SYS(pivot_root), nullptr },
+-        { SCMP_SYS(clone), &cloneArg },
+        { SCMP_SYS(unshare), EPERM, nullptr },
+        { SCMP_SYS(setns), EPERM, nullptr },
+        { SCMP_SYS(mount), EPERM, nullptr },
+        { SCMP_SYS(umount), EPERM, nullptr },
+        { SCMP_SYS(umount2), EPERM, nullptr },
+        { SCMP_SYS(pivot_root), EPERM, nullptr },
+        { SCMP_SYS(chroot), EPERM, nullptr },
+        { SCMP_SYS(clone), EPERM, &cloneArg },
+ 
+         // Don't allow faking input to the controlling tty (CVE-2017-5226)
+-        { SCMP_SYS(ioctl), &ttyArg },
+        { SCMP_SYS(ioctl), EPERM, &ttyArg },
+
+        // seccomp can't look into clone3()'s struct clone_args to check whether
+        // the flags are OK, so we have no choice but to block clone3().
+        // Return ENOSYS so user-space will fall back to clone().
+        // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
+        { SCMP_SYS(clone3), ENOSYS, nullptr },
+
+        // New mount manipulation APIs can also change our VFS. There's no
+        // legitimate reason to do these in the sandbox, so block all of them
+        // rather than thinking about which ones might be dangerous.
+        // (GHSA-67h7-w3jq-vh4q)
+        { SCMP_SYS(open_tree), ENOSYS, nullptr },
+        { SCMP_SYS(move_mount), ENOSYS, nullptr },
+        { SCMP_SYS(fsopen), ENOSYS, nullptr },
+        { SCMP_SYS(fsconfig), ENOSYS, nullptr },
+        { SCMP_SYS(fsmount), ENOSYS, nullptr },
+        { SCMP_SYS(fspick), ENOSYS, nullptr },
+        { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
+ 
+         // Profiling operations; we expect these to be done by tools from outside
+         // the sandbox. In particular perf has been the source of many CVEs.
+-        { SCMP_SYS(perf_event_open), nullptr },
+        { SCMP_SYS(perf_event_open), EPERM, nullptr },
+         // Don't allow you to switch to bsd emulation or whatnot.
+-        { SCMP_SYS(personality), nullptr },
+-        { SCMP_SYS(ptrace), nullptr }
+        { SCMP_SYS(personality), EPERM, nullptr },
+        { SCMP_SYS(ptrace), EPERM, nullptr }
+     };
+ 
+     scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
+@@ -661,29 +709,28 @@ static int setupSeccomp()
+         g_error("Failed to init seccomp");
+ 
+     for (auto& rule : syscallBlockList) {
+-        int scall = rule.scall;
+         int r;
+         if (rule.arg)
+-            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
+         else
+-            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
+-        if (r == -EFAULT) {
+-            seccomp_release(seccomp);
+-            g_error("Failed to add seccomp rule");
+-        }
+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
+        // EFAULT means "internal libseccomp error", but in practice we get
+        // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
+        // when trying to filter them on a non-native architecture, because
+        // libseccomp cannot map the syscall number to a name and back to a
+        // number for the non-native architecture.
+        if (r == -EFAULT)
+            g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
+        else if (r < 0)
+            g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
+     }
+ 
+     int tmpfd = memfd_create("seccomp-bpf", 0);
+-    if (tmpfd == -1) {
+-        seccomp_release(seccomp);
+    if (tmpfd == -1)
+         g_error("Failed to create memfd: %s", g_strerror(errno));
+-    }
+ 
+-    if (seccomp_export_bpf(seccomp, tmpfd)) {
+-        seccomp_release(seccomp);
+-        close(tmpfd);
+-        g_error("Failed to export seccomp bpf");
+-    }
+    if (int r = seccomp_export_bpf(seccomp, tmpfd))
+        g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
+ 
+     if (lseek(tmpfd, 0, SEEK_SET) < 0)
+         g_error("lseek failed: %s", g_strerror(errno));
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
+new file mode 100644
+index 00000000..18dea9a9
+--- /dev/null
+++ b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
+@@ -0,0 +1,200 @@
+/*
+ * Copyright 2021 Collabora Ltd.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker.
+//
+// Upstream is here:
+// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h
+
+#pragma once
+
+#include <sys/syscall.h>
+
+#if defined(_MIPS_SIM)
+# if _MIPS_SIM == _MIPS_SIM_ABI32
+#   define FLATPAK_MISSING_SYSCALL_BASE 4000
+# elif _MIPS_SIM == _MIPS_SIM_ABI64
+#   define FLATPAK_MISSING_SYSCALL_BASE 5000
+# elif _MIPS_SIM == _MIPS_SIM_NABI32
+#   define FLATPAK_MISSING_SYSCALL_BASE 6000
+# else
+#   error "Unknown MIPS ABI"
+# endif
+#endif
+
+#if defined(__ia64__)
+# define FLATPAK_MISSING_SYSCALL_BASE 1024
+#endif
+
+#if defined(__alpha__)
+# define FLATPAK_MISSING_SYSCALL_BASE 110
+#endif
+
+#if defined(__x86_64__) && defined(__ILP32__)
+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
+#endif
+
+// FLATPAK_MISSING_SYSCALL_BASE:
+//
+// Number to add to the syscall numbers of recently-added syscalls
+// to get the appropriate syscall for the current ABI.
+#ifndef FLATPAK_MISSING_SYSCALL_BASE
+# define FLATPAK_MISSING_SYSCALL_BASE 0
+#endif
+
+#ifndef __NR_open_tree
+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
+#endif
+#ifndef __SNR_open_tree
+# define __SNR_open_tree __NR_open_tree
+#endif
+
+#ifndef __NR_move_mount
+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
+#endif
+#ifndef __SNR_move_mount
+# define __SNR_move_mount __NR_move_mount
+#endif
+
+#ifndef __NR_fsopen
+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
+#endif
+#ifndef __SNR_fsopen
+# define __SNR_fsopen __NR_fsopen
+#endif
+
+#ifndef __NR_fsconfig
+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
+#endif
+#ifndef __SNR_fsconfig
+# define __SNR_fsconfig __NR_fsconfig
+#endif
+
+#ifndef __NR_fsmount
+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
+#endif
+#ifndef __SNR_fsmount
+# define __SNR_fsmount __NR_fsmount
+#endif
+
+#ifndef __NR_fspick
+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
+#endif
+#ifndef __SNR_fspick
+# define __SNR_fspick __NR_fspick
+#endif
+
+#ifndef __NR_pidfd_open
+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
+#endif
+#ifndef __SNR_pidfd_open
+# define __SNR_pidfd_open __NR_pidfd_open
+#endif
+
+#ifndef __NR_clone3
+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
+#endif
+#ifndef __SNR_clone3
+# define __SNR_clone3 __NR_clone3
+#endif
+
+#ifndef __NR_close_range
+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
+#endif
+#ifndef __SNR_close_range
+# define __SNR_close_range __NR_close_range
+#endif
+
+#ifndef __NR_openat2
+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
+#endif
+#ifndef __SNR_openat2
+# define __SNR_openat2 __NR_openat2
+#endif
+
+#ifndef __NR_pidfd_getfd
+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
+#endif
+#ifndef __SNR_pidfd_getfd
+# define __SNR_pidfd_getfd __NR_pidfd_getfd
+#endif
+
+#ifndef __NR_faccessat2
+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
+#endif
+#ifndef __SNR_faccessat2
+# define __SNR_faccessat2 __NR_faccessat2
+#endif
+
+#ifndef __NR_process_madvise
+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
+#endif
+#ifndef __SNR_process_madvise
+# define __SNR_process_madvise __NR_process_madvise
+#endif
+
+#ifndef __NR_epoll_pwait2
+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
+#endif
+#ifndef __SNR_epoll_pwait2
+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
+#endif
+
+#ifndef __NR_mount_setattr
+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
+#endif
+#ifndef __SNR_mount_setattr
+# define __SNR_mount_setattr __NR_mount_setattr
+#endif
+
+#ifndef __NR_quotactl_fd
+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
+#endif
+#ifndef __SNR_quotactl_fd
+# define __SNR_quotactl_fd __NR_quotactl_fd
+#endif
+
+#ifndef __NR_landlock_create_ruleset
+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
+#endif
+#ifndef __SNR_landlock_create_ruleset
+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
+#endif
+
+#ifndef __NR_landlock_add_rule
+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
+#endif
+#ifndef __SNR_landlock_add_rule
+# define __SNR_landlock_add_rule __NR_landlock_add_rule
+#endif
+
+#ifndef __NR_landlock_restrict_self
+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
+#endif
+#ifndef __SNR_landlock_restrict_self
+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
+#endif
+
+#ifndef __NR_memfd_secret
+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
+#endif
+#ifndef __SNR_memfd_secret
+# define __SNR_memfd_secret __NR_memfd_secret
+#endif
+
+// Last updated: Linux 5.14, syscall numbers < 448
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
index 88b5056165..93cca20d01 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
           file://musl-lower-stack-usage.patch \
           file://0001-MiniBrowser-Fix-reproduciblity.patch \
           file://reproducibility.patch \
+           file://CVE-2021-42762.patch \
           "
 SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"
author	Kai Kang <kai.kang@windriver.com>	2022-01-07 23:09:24 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-01-14 09:34:04 +0000
commit	5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d (patch)
tree	2ff937ebc087c37b27e3b95c39d5034823194bf3 /meta
parent	b5010071e6291b3f5431b371907064b63c1565df (diff)
download	poky-5f93a1c2ee139e49f21fe4b8a6bf47d4d02a547d.tar.gz

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch new file mode 100644 index 0000000000..1d012271cb --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2021-42762.patch
@@ -0,0 +1,468 @@
		1	Backport and rebase patch to fix CVE-2021-42762 for webkitgtk 2.30.5.
		2
		3	CVE: CVE-2021-42762
		4	Upstream-Status: Backport [https://trac.webkit.org/changeset/284451/webkit]
		5
		6	Ref:
		7	* https://bugs.webkit.org/show_bug.cgi?id=231479#c8
		8
		9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		10
		11	From 035ac439855c7bef0a4525897f783121e4a6055c Mon Sep 17 00:00:00 2001
		12	From: Michael Catanzaro <mcatanzaro@gnome.org>
		13	Date: Tue, 19 Oct 2021 14:27:17 +0000
		14	Subject: [PATCH] Update seccomp filters with latest changes from flatpak
		15	https://bugs.webkit.org/show_bug.cgi?id=231479
		16
		17	Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19
		18	Reviewed by Adrian Perez de Castro.
		19
		20	Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
		21	our codepaths carefully free and close resources, but the process is about to crash so
		22	there's not really any reason to do so. The code is slightly simpler if we don't bother.
		23
		24	The seemingly-extraneous include order changes are required to placate the style checker.
		25
		26	* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
		27	(WebKit::seccompStrerror):
		28	(WebKit::setupSeccomp):
		29	* UIProcess/Launcher/glib/Syscalls.h: Added.
		30
		31	Canonical link: https://commits.webkit.org/243211@main
		32	git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
		33	---
		34	.../UIProcess/Launcher/glib/BubblewrapLauncher.cpp \| 139 +++++++++-----
		35	Source/WebKit/UIProcess/Launcher/glib/Syscalls.h \| 200 +++++++++++++++++++++
		36	2 files changed, 293 insertions(+), 46 deletions(-)
		37
		38	diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
		39	index 889388ac..c2f7e502 100644
		40	--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
		41	+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
		42	@@ -25,11 +25,18 @@
		43	#include <glib.h>
		44	#include <seccomp.h>
		45	#include <sys/ioctl.h>
		46	+#include <sys/mman.h>
		47	#include <wtf/FileSystem.h>
		48	#include <wtf/glib/GLibUtilities.h>
		49	#include <wtf/glib/GRefPtr.h>
		50	#include <wtf/glib/GUniquePtr.h>
		51
		52	+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
		53	+#include <linux/memfd.h>
		54	+#endif
		55	+
		56	+#include "Syscalls.h"
		57	+
		58	#if PLATFORM(GTK)
		59	#include "WaylandCompositor.h"
		60	#endif
		61	@@ -40,13 +47,7 @@
		62	#define BASE_DIRECTORY "wpe"
		63	#endif
		64
		65	-#include <sys/mman.h>
		66	-
		67	-#ifndef MFD_ALLOW_SEALING
		68	-
		69	-#if HAVE(LINUX_MEMFD_H)
		70	-
		71	-#include <linux/memfd.h>
		72	+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
		73
		74	// These defines were added in glibc 2.27, the same release that added memfd_create.
		75	// But the kernel added all of this in Linux 3.17. So it's totally safe for us to
		76	@@ -65,9 +66,7 @@ static int memfd_create(const char* name, unsigned flags)
		77	{
		78	return syscall(__NR_memfd_create, name, flags);
		79	}
		80	-#endif // #if HAVE(LINUX_MEMFD_H)
		81	-
		82	-#endif // #ifndef MFD_ALLOW_SEALING
		83	+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
		84
		85	namespace WebKit {
		86	using namespace WebCore;
		87	@@ -573,6 +572,28 @@ static void bindSymlinksRealPath(Vector<CString>& args, const char* path)
		88	}
		89	}
		90
		91	+// Translate a libseccomp error code into an error message. libseccomp
		92	+// mostly returns negative errno values such as -ENOMEM, but some
		93	+// standard errno values are used for non-standard purposes where their
		94	+// strerror() would be misleading.
		95	+static const char* seccompStrerror(int negativeErrno)
		96	+{
		97	+ RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
		98	+ RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
		99	+
		100	+ switch (negativeErrno) {
		101	+ case -EDOM:
		102	+ return "Architecture-specific failure";
		103	+ case -EFAULT:
		104	+ return "Internal libseccomp failure (unknown syscall?)";
		105	+ case -ECANCELED:
		106	+ return "System failure beyond the control of libseccomp";
		107	+ }
		108	+
		109	+ // e.g. -ENOMEM: the result of strerror() is good enough
		110	+ return g_strerror(-negativeErrno);
		111	+}
		112	+
		113	static int setupSeccomp()
		114	{
		115	// NOTE: This is shared code (flatpak-run.c - LGPLv2.1+)
		116	@@ -600,6 +621,10 @@ static int setupSeccomp()
		117	// in common/flatpak-run.c
		118	// https://git.gnome.org/browse/linux-user-chroot
		119	// in src/setup-seccomp.c
		120	+ //
		121	+ // Other useful resources:
		122	+ // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
		123	+ // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
		124
		125	#if defined(__s390__) \|\| defined(__s390x__) \|\| defined(__CRIS__)
		126	// Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
		127	@@ -613,47 +638,70 @@ static int setupSeccomp()
		128	struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
		129	struct {
		130	int scall;
		131	+ int errnum;
		132	struct scmp_arg_cmp* arg;
		133	} syscallBlockList[] = {
		134	// Block dmesg
		135	- { SCMP_SYS(syslog), nullptr },
		136	+ { SCMP_SYS(syslog), EPERM, nullptr },
		137	// Useless old syscall.
		138	- { SCMP_SYS(uselib), nullptr },
		139	+ { SCMP_SYS(uselib), EPERM, nullptr },
		140	// Don't allow disabling accounting.
		141	- { SCMP_SYS(acct), nullptr },
		142	+ { SCMP_SYS(acct), EPERM, nullptr },
		143	// 16-bit code is unnecessary in the sandbox, and modify_ldt is a
		144	// historic source of interesting information leaks.
		145	- { SCMP_SYS(modify_ldt), nullptr },
		146	+ { SCMP_SYS(modify_ldt), EPERM, nullptr },
		147	// Don't allow reading current quota use.
		148	- { SCMP_SYS(quotactl), nullptr },
		149	+ { SCMP_SYS(quotactl), EPERM, nullptr },
		150
		151	// Don't allow access to the kernel keyring.
		152	- { SCMP_SYS(add_key), nullptr },
		153	- { SCMP_SYS(keyctl), nullptr },
		154	- { SCMP_SYS(request_key), nullptr },
		155	+ { SCMP_SYS(add_key), EPERM, nullptr },
		156	+ { SCMP_SYS(keyctl), EPERM, nullptr },
		157	+ { SCMP_SYS(request_key), EPERM, nullptr },
		158
		159	// Scary VM/NUMA ops
		160	- { SCMP_SYS(move_pages), nullptr },
		161	- { SCMP_SYS(mbind), nullptr },
		162	- { SCMP_SYS(get_mempolicy), nullptr },
		163	- { SCMP_SYS(set_mempolicy), nullptr },
		164	- { SCMP_SYS(migrate_pages), nullptr },
		165	+ { SCMP_SYS(move_pages), EPERM, nullptr },
		166	+ { SCMP_SYS(mbind), EPERM, nullptr },
		167	+ { SCMP_SYS(get_mempolicy), EPERM, nullptr },
		168	+ { SCMP_SYS(set_mempolicy), EPERM, nullptr },
		169	+ { SCMP_SYS(migrate_pages), EPERM, nullptr },
		170
		171	// Don't allow subnamespace setups:
		172	- { SCMP_SYS(unshare), nullptr },
		173	- { SCMP_SYS(mount), nullptr },
		174	- { SCMP_SYS(pivot_root), nullptr },
		175	- { SCMP_SYS(clone), &cloneArg },
		176	+ { SCMP_SYS(unshare), EPERM, nullptr },
		177	+ { SCMP_SYS(setns), EPERM, nullptr },
		178	+ { SCMP_SYS(mount), EPERM, nullptr },
		179	+ { SCMP_SYS(umount), EPERM, nullptr },
		180	+ { SCMP_SYS(umount2), EPERM, nullptr },
		181	+ { SCMP_SYS(pivot_root), EPERM, nullptr },
		182	+ { SCMP_SYS(chroot), EPERM, nullptr },
		183	+ { SCMP_SYS(clone), EPERM, &cloneArg },
		184
		185	// Don't allow faking input to the controlling tty (CVE-2017-5226)
		186	- { SCMP_SYS(ioctl), &ttyArg },
		187	+ { SCMP_SYS(ioctl), EPERM, &ttyArg },
		188	+
		189	+ // seccomp can't look into clone3()'s struct clone_args to check whether
		190	+ // the flags are OK, so we have no choice but to block clone3().
		191	+ // Return ENOSYS so user-space will fall back to clone().
		192	+ // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
		193	+ { SCMP_SYS(clone3), ENOSYS, nullptr },
		194	+
		195	+ // New mount manipulation APIs can also change our VFS. There's no
		196	+ // legitimate reason to do these in the sandbox, so block all of them
		197	+ // rather than thinking about which ones might be dangerous.
		198	+ // (GHSA-67h7-w3jq-vh4q)
		199	+ { SCMP_SYS(open_tree), ENOSYS, nullptr },
		200	+ { SCMP_SYS(move_mount), ENOSYS, nullptr },
		201	+ { SCMP_SYS(fsopen), ENOSYS, nullptr },
		202	+ { SCMP_SYS(fsconfig), ENOSYS, nullptr },
		203	+ { SCMP_SYS(fsmount), ENOSYS, nullptr },
		204	+ { SCMP_SYS(fspick), ENOSYS, nullptr },
		205	+ { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
		206
		207	// Profiling operations; we expect these to be done by tools from outside
		208	// the sandbox. In particular perf has been the source of many CVEs.
		209	- { SCMP_SYS(perf_event_open), nullptr },
		210	+ { SCMP_SYS(perf_event_open), EPERM, nullptr },
		211	// Don't allow you to switch to bsd emulation or whatnot.
		212	- { SCMP_SYS(personality), nullptr },
		213	- { SCMP_SYS(ptrace), nullptr }
		214	+ { SCMP_SYS(personality), EPERM, nullptr },
		215	+ { SCMP_SYS(ptrace), EPERM, nullptr }
		216	};
		217
		218	scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
		219	@@ -661,29 +709,28 @@ static int setupSeccomp()
		220	g_error("Failed to init seccomp");
		221
		222	for (auto& rule : syscallBlockList) {
		223	- int scall = rule.scall;
		224	int r;
		225	if (rule.arg)
		226	- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
		227	+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
		228	else
		229	- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
		230	- if (r == -EFAULT) {
		231	- seccomp_release(seccomp);
		232	- g_error("Failed to add seccomp rule");
		233	- }
		234	+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
		235	+ // EFAULT means "internal libseccomp error", but in practice we get
		236	+ // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
		237	+ // when trying to filter them on a non-native architecture, because
		238	+ // libseccomp cannot map the syscall number to a name and back to a
		239	+ // number for the non-native architecture.
		240	+ if (r == -EFAULT)
		241	+ g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
		242	+ else if (r < 0)
		243	+ g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
		244	}
		245
		246	int tmpfd = memfd_create("seccomp-bpf", 0);
		247	- if (tmpfd == -1) {
		248	- seccomp_release(seccomp);
		249	+ if (tmpfd == -1)
		250	g_error("Failed to create memfd: %s", g_strerror(errno));
		251	- }
		252
		253	- if (seccomp_export_bpf(seccomp, tmpfd)) {
		254	- seccomp_release(seccomp);
		255	- close(tmpfd);
		256	- g_error("Failed to export seccomp bpf");
		257	- }
		258	+ if (int r = seccomp_export_bpf(seccomp, tmpfd))
		259	+ g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
		260
		261	if (lseek(tmpfd, 0, SEEK_SET) < 0)
		262	g_error("lseek failed: %s", g_strerror(errno));
		263	diff --git a/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
		264	new file mode 100644
		265	index 00000000..18dea9a9
		266	--- /dev/null
		267	+++ b/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
		268	@@ -0,0 +1,200 @@
		269	+/*
		270	+ * Copyright 2021 Collabora Ltd.
		271	+ * SPDX-License-Identifier: LGPL-2.1-or-later
		272	+ *
		273	+ * This program is free software; you can redistribute it and/or
		274	+ * modify it under the terms of the GNU Lesser General Public
		275	+ * License as published by the Free Software Foundation; either
		276	+ * version 2.1 of the License, or (at your option) any later version.
		277	+ *
		278	+ * This library is distributed in the hope that it will be useful,
		279	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
		280	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		281	+ * Lesser General Public License for more details.
		282	+ *
		283	+ * You should have received a copy of the GNU Lesser General Public
		284	+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
		285	+ */
		286	+
		287	+// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker.
		288	+//
		289	+// Upstream is here:
		290	+// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h
		291	+
		292	+#pragma once
		293	+
		294	+#include <sys/syscall.h>
		295	+
		296	+#if defined(_MIPS_SIM)
		297	+# if _MIPS_SIM == _MIPS_SIM_ABI32
		298	+# define FLATPAK_MISSING_SYSCALL_BASE 4000
		299	+# elif _MIPS_SIM == _MIPS_SIM_ABI64
		300	+# define FLATPAK_MISSING_SYSCALL_BASE 5000
		301	+# elif _MIPS_SIM == _MIPS_SIM_NABI32
		302	+# define FLATPAK_MISSING_SYSCALL_BASE 6000
		303	+# else
		304	+# error "Unknown MIPS ABI"
		305	+# endif
		306	+#endif
		307	+
		308	+#if defined(__ia64__)
		309	+# define FLATPAK_MISSING_SYSCALL_BASE 1024
		310	+#endif
		311	+
		312	+#if defined(__alpha__)
		313	+# define FLATPAK_MISSING_SYSCALL_BASE 110
		314	+#endif
		315	+
		316	+#if defined(__x86_64__) && defined(__ILP32__)
		317	+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
		318	+#endif
		319	+
		320	+// FLATPAK_MISSING_SYSCALL_BASE:
		321	+//
		322	+// Number to add to the syscall numbers of recently-added syscalls
		323	+// to get the appropriate syscall for the current ABI.
		324	+#ifndef FLATPAK_MISSING_SYSCALL_BASE
		325	+# define FLATPAK_MISSING_SYSCALL_BASE 0
		326	+#endif
		327	+
		328	+#ifndef __NR_open_tree
		329	+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
		330	+#endif
		331	+#ifndef __SNR_open_tree
		332	+# define __SNR_open_tree __NR_open_tree
		333	+#endif
		334	+
		335	+#ifndef __NR_move_mount
		336	+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
		337	+#endif
		338	+#ifndef __SNR_move_mount
		339	+# define __SNR_move_mount __NR_move_mount
		340	+#endif
		341	+
		342	+#ifndef __NR_fsopen
		343	+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
		344	+#endif
		345	+#ifndef __SNR_fsopen
		346	+# define __SNR_fsopen __NR_fsopen
		347	+#endif
		348	+
		349	+#ifndef __NR_fsconfig
		350	+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
		351	+#endif
		352	+#ifndef __SNR_fsconfig
		353	+# define __SNR_fsconfig __NR_fsconfig
		354	+#endif
		355	+
		356	+#ifndef __NR_fsmount
		357	+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
		358	+#endif
		359	+#ifndef __SNR_fsmount
		360	+# define __SNR_fsmount __NR_fsmount
		361	+#endif
		362	+
		363	+#ifndef __NR_fspick
		364	+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
		365	+#endif
		366	+#ifndef __SNR_fspick
		367	+# define __SNR_fspick __NR_fspick
		368	+#endif
		369	+
		370	+#ifndef __NR_pidfd_open
		371	+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
		372	+#endif
		373	+#ifndef __SNR_pidfd_open
		374	+# define __SNR_pidfd_open __NR_pidfd_open
		375	+#endif
		376	+
		377	+#ifndef __NR_clone3
		378	+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
		379	+#endif
		380	+#ifndef __SNR_clone3
		381	+# define __SNR_clone3 __NR_clone3
		382	+#endif
		383	+
		384	+#ifndef __NR_close_range
		385	+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
		386	+#endif
		387	+#ifndef __SNR_close_range
		388	+# define __SNR_close_range __NR_close_range
		389	+#endif
		390	+
		391	+#ifndef __NR_openat2
		392	+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
		393	+#endif
		394	+#ifndef __SNR_openat2
		395	+# define __SNR_openat2 __NR_openat2
		396	+#endif
		397	+
		398	+#ifndef __NR_pidfd_getfd
		399	+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
		400	+#endif
		401	+#ifndef __SNR_pidfd_getfd
		402	+# define __SNR_pidfd_getfd __NR_pidfd_getfd
		403	+#endif
		404	+
		405	+#ifndef __NR_faccessat2
		406	+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
		407	+#endif
		408	+#ifndef __SNR_faccessat2
		409	+# define __SNR_faccessat2 __NR_faccessat2
		410	+#endif
		411	+
		412	+#ifndef __NR_process_madvise
		413	+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
		414	+#endif
		415	+#ifndef __SNR_process_madvise
		416	+# define __SNR_process_madvise __NR_process_madvise
		417	+#endif
		418	+
		419	+#ifndef __NR_epoll_pwait2
		420	+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
		421	+#endif
		422	+#ifndef __SNR_epoll_pwait2
		423	+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
		424	+#endif
		425	+
		426	+#ifndef __NR_mount_setattr
		427	+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
		428	+#endif
		429	+#ifndef __SNR_mount_setattr
		430	+# define __SNR_mount_setattr __NR_mount_setattr
		431	+#endif
		432	+
		433	+#ifndef __NR_quotactl_fd
		434	+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
		435	+#endif
		436	+#ifndef __SNR_quotactl_fd
		437	+# define __SNR_quotactl_fd __NR_quotactl_fd
		438	+#endif
		439	+
		440	+#ifndef __NR_landlock_create_ruleset
		441	+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
		442	+#endif
		443	+#ifndef __SNR_landlock_create_ruleset
		444	+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
		445	+#endif
		446	+
		447	+#ifndef __NR_landlock_add_rule
		448	+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
		449	+#endif
		450	+#ifndef __SNR_landlock_add_rule
		451	+# define __SNR_landlock_add_rule __NR_landlock_add_rule
		452	+#endif
		453	+
		454	+#ifndef __NR_landlock_restrict_self
		455	+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
		456	+#endif
		457	+#ifndef __SNR_landlock_restrict_self
		458	+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
		459	+#endif
		460	+
		461	+#ifndef __NR_memfd_secret
		462	+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
		463	+#endif
		464	+#ifndef __SNR_memfd_secret
		465	+# define __SNR_memfd_secret __NR_memfd_secret
		466	+#endif
		467	+
		468	+// Last updated: Linux 5.14, syscall numbers < 448


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb index 88b5056165..93cca20d01 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
22	file://musl-lower-stack-usage.patch \	22	file://musl-lower-stack-usage.patch \
23	file://0001-MiniBrowser-Fix-reproduciblity.patch \	23	file://0001-MiniBrowser-Fix-reproduciblity.patch \
24	file://reproducibility.patch \	24	file://reproducibility.patch \
		25	file://CVE-2021-42762.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"	28	SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"