2 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
new file mode 100644
index 0000000000..242b8337fa
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
+From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
+From: David Degazio <d_degazio@apple.com>
+Date: Tue, 8 Nov 2022 19:54:33 -0800
+Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
+ script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
+Reviewed by Mark Lam.
+We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
+to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
+when udatpg_open returns a failed status.
+* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
+(main):
+* Source/JavaScriptCore/runtime/IntlLocale.cpp:
+(JSC::IntlLocale::hourCycles):
+Canonical link: https://commits.webkit.org/256473@main
+CVE:CVE-2022-46700
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ JSTests/stress/intl-locale-invalid-hourCycles.js | 12 ++++++++++++
+ Source/JavaScriptCore/runtime/IntlLocale.cpp     |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
+diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js
+new file mode 100644
+index 000000000000..7b94eb844764
+--- /dev/null
+++ b/JSTests/stress/intl-locale-invalid-hourCycles.js
+@@ -0,0 +1,12 @@
+function main() {
+    const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
+    let empty = v24.hourCycles;
+    print(empty);
+}
+
+try {
+    main();
+} catch (e) {
+    if (!(e instanceof TypeError))
+        throw e;
+}
+diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+index c3c346163a18..bef424727a8a 100644
+--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
+++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp
+@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject)
+     UErrorCode status = U_ZERO_ERROR;
+     auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status));
+-    if (U_FAILURE(status))
+    if (U_FAILURE(status)) {
+        throwTypeError(globalObject, scope, "invalid locale"_s);
+         return nullptr;
+    }
+     // Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information.
+     constexpr const UChar skeleton[] = { 'j', 0 };
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 062f209932..edd64b7b11 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-46691.patch \
           file://CVE-2022-46699.patch \
           file://CVE-2022-42867.patch \
+           file://CVE-2022-46700.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch new file mode 100644 index 0000000000..242b8337fa --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch
@@ -0,0 +1,67 @@
		1	From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001
		2	From: David Degazio <d_degazio@apple.com>
		3	Date: Tue, 8 Nov 2022 19:54:33 -0800
		4	Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to
		5	script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379
		6
		7	Reviewed by Mark Lam.
		8
		9	We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it
		10	to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError
		11	when udatpg_open returns a failed status.
		12
		13	* JSTests/stress/intl-locale-invalid-hourCycles.js: Added.
		14	(main):
		15	* Source/JavaScriptCore/runtime/IntlLocale.cpp:
		16	(JSC::IntlLocale::hourCycles):
		17
		18	Canonical link: https://commits.webkit.org/256473@main
		19
		20	CVE:CVE-2022-46700
		21
		22	Upstream-Status: Backport
		23	[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da]
		24
		25	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		26	---
		27	JSTests/stress/intl-locale-invalid-hourCycles.js \| 12 ++++++++++++
		28	Source/JavaScriptCore/runtime/IntlLocale.cpp \| 4 +++-
		29	2 files changed, 15 insertions(+), 1 deletion(-)
		30	create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js
		31
		32	diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js
		33	new file mode 100644
		34	index 000000000000..7b94eb844764
		35	--- /dev/null
		36	+++ b/JSTests/stress/intl-locale-invalid-hourCycles.js
		37	@@ -0,0 +1,12 @@
		38	+function main() {
		39	+ const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" });
		40	+ let empty = v24.hourCycles;
		41	+ print(empty);
		42	+}
		43	+
		44	+try {
		45	+ main();
		46	+} catch (e) {
		47	+ if (!(e instanceof TypeError))
		48	+ throw e;
		49	+}
		50	diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp
		51	index c3c346163a18..bef424727a8a 100644
		52	--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp
		53	+++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp
		54	@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject)
		55
		56	UErrorCode status = U_ZERO_ERROR;
		57	auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status));
		58	- if (U_FAILURE(status))
		59	+ if (U_FAILURE(status)) {
		60	+ throwTypeError(globalObject, scope, "invalid locale"_s);
		61	return nullptr;
		62	+ }
		63
		64	// Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information.
		65	constexpr const UChar skeleton[] = { 'j', 0 };
		66	--
		67	2.40.0


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 062f209932..edd64b7b11 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
20	file://CVE-2022-46691.patch \	20	file://CVE-2022-46691.patch \
21	file://CVE-2022-46699.patch \	21	file://CVE-2022-46699.patch \
22	file://CVE-2022-42867.patch \	22	file://CVE-2022-42867.patch \
		23	file://CVE-2022-46700.patch \
23	"	24	"
24	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	25	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
25		26