diff --git a/SOURCES/CVE-2023-42917.patch b/SOURCES/CVE-2023-42917.patch
new file mode 100644
index 0000000..a638b86
--- /dev/null
+++ b/SOURCES/CVE-2023-42917.patch
@@ -0,0 +1,80 @@
+From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
+From: Russell Epstein
+Date: Fri, 17 Nov 2023 15:48:32 -0800
+Subject: [PATCH] Cherry-pick b0a755e34426.
+ https://bugs.webkit.org/show_bug.cgi?id=265067
+
+ Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
+ https://bugs.webkit.org/show_bug.cgi?id=265067
+ rdar://118548733
+
+ Reviewed by Justin Michaud and Mark Lam.
+
+ Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
+ Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
+ in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
+
+ This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
+ And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
+
+ * Source/JavaScriptCore/runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+
+ Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
+
+ Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
+---
+ Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
+index 2922e2478794c..9d094e2c8adc8 100644
+--- a/Source/JavaScriptCore/runtime/Structure.cpp
++++ b/Source/JavaScriptCore/runtime/Structure.cpp
+@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+ checkOffsetConsistency();
+ ASSERT(isDictionary());
+ ASSERT(object->structure() == this);
+-
+- GCSafeConcurrentJSLocker locker(m_lock, vm);
+-
+- object->setStructureIDDirectly(id().nuke());
+- WTF::storeStoreFence();
+
++ Locker cellLocker(NoLockingNecessary);
++
++ PropertyTable* table = nullptr;
+ size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
++ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
+ if (isUncacheableDictionary()) {
+- PropertyTable* table = propertyTableOrNull();
++ table = propertyTableOrNull();
+ ASSERT(table);
++ PropertyOffset maxOffset = invalidOffset;
++ if (unsigned propertyCount = table->size())
++ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
++ afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
++ }
+
++ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
++ if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
++ cellLocker = Locker { object->cellLock() };
++
++ GCSafeConcurrentJSLocker locker(m_lock, vm);
++
++ object->setStructureIDDirectly(id().nuke());
++ WTF::storeStoreFence();
++
++ if (isUncacheableDictionary()) {
+ size_t propertyCount = table->size();
+
+ // Holds our values compacted by insertion order. This is OK since GC is deferred.
+@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+ setDictionaryKind(NoneDictionaryKind);
+ setHasBeenFlattenedBefore(true);
+
+- size_t afterOutOfLineCapacity = this->outOfLineCapacity();
++ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
+
+ if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
+ ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);
diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec
index ba1ffab..3384fd6 100644
--- a/SPECS/webkit2gtk3.spec
+++ b/SPECS/webkit2gtk3.spec
@@ -1,5 +1,3 @@
-%define _smp_mflags -j4
-
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@@ -12,14 +10,9 @@ %global with_gamepad 1 %endif -# Build documentation by default (use `rpmbuild --without docs` to override it). -# This is used by Coverity. Coverity injects custom compiler warnings, but -# any warning during WebKit docs build is fatal! -%bcond_without docs - Name: webkit2gtk3 -Version: 2.36.7 -Release: 1%{?dist} +Version: 2.40.5 +Release: 1%{?dist}.1 Summary: GTK Web content engine library License: LGPLv2
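Review bot: The cell-lock gate at `if (beforeOutOfLineCapacity != afterOutOfLineCapacity)` relies on the pre-flatten prediction of `afterOutOfLineCapacity` (derived from `table->size()` and `offsetForPropertyNumber`) matching what the flattening loop later produces, and that equivalence is only checked by `ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity)`, which compiles out of release builds; if the two ever diverged, the shrink path guarded by `object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity` would run without the cell lock, which is the very race this patch closes. Because the prediction and the shrink are separated by code outside this hunk, I would document the coupling at the gate, e.g. `// afterOutOfLineCapacity is a prediction: the flattening below must yield exactly this capacity, or the shrink would run without the cell lock.` The property table is also read before `m_lock` is taken; presumably that is safe because only the mutator mutates it, but that is inferred rather than visible here, and a one-line comment saying so would help the next reader. The new ordering acquires `object->cellLock()` before `m_lock`, so it is worth confirming that no other path takes the two in the opposite order. The body of `flattenDictionaryStructure` continues past the end of the hunk.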
@@ -31,11 +24,7 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg Source2: webkitgtk-keys.gpg -%if 0%{?rhel} -# https://bugs.webkit.org/show_bug.cgi?id=217989 -# https://bugs.webkit.org/show_bug.cgi?id=227905 -Patch0: aarch64-page-size.patch -%endif +Patch: CVE-2023-42917.patch BuildRequires: bison BuildRequires: bubblewrap @@ -46,10 +35,10 @@ BuildRequires: gettext BuildRequires: git BuildRequires: gnupg2 BuildRequires: gperf -BuildRequires: gtk-doc BuildRequires: hyphen-devel BuildRequires: libatomic BuildRequires: ninja-build +BuildRequires: openssl-devel BuildRequires: perl(English) BuildRequires: perl(FindBin) BuildRequires: perl(JSON::PP) @@ -57,6 +46,7 @@ BuildRequires: python3 BuildRequires: ruby BuildRequires: rubygems BuildRequires: rubygem-json +BuildRequires: unifdef BuildRequires: xdg-dbus-proxy BuildRequires: pkgconfig(atspi-2) @@ -65,16 +55,19 @@ BuildRequires: pkgconfig(egl) BuildRequires: pkgconfig(enchant-2) BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(freetype2) +BuildRequires: pkgconfig(gbm) BuildRequires: pkgconfig(gl) BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glesv2) BuildRequires: pkgconfig(gobject-introspection-1.0) BuildRequires: pkgconfig(gstreamer-1.0) +BuildRequires: pkgconfig(gstreamer-plugins-bad-1.0) BuildRequires: pkgconfig(gstreamer-plugins-base-1.0) BuildRequires: pkgconfig(gtk+-3.0) BuildRequires: pkgconfig(harfbuzz) BuildRequires: pkgconfig(icu-uc) BuildRequires: pkgconfig(lcms2) +BuildRequires: pkgconfig(libdrm) BuildRequires: pkgconfig(libgcrypt) BuildRequires: pkgconfig(libjpeg) BuildRequires: pkgconfig(libnotify) 
@@ -130,6 +123,10 @@ Provides: webkitgtk4 = %{version}-%{release} Obsoletes: webkit2gtk3-plugin-process-gtk2 < %{version}-%{release} Provides: webkit2gtk3-plugin-process-gtk2 = %{version}-%{release} +# Don't build documentation anymore to avoid gi-docgen dependency +Obsoletes: webkit2gtk3-doc < %{version}-%{release} +Provides: webkit2gtk3-doc = %{version}-%{release} + # We're supposed to specify versions here, but these libraries don't do # normal releases. Accordingly, they're not suitable to be system libs. Provides: bundled(angle) @@ -159,18 +156,6 @@ Provides: webkitgtk4-devel = %{version}-%{release} The %{name}-devel package contains libraries, build data, and header files for developing applications that use %{name}. -%if %{with docs} -%package doc -Summary: Documentation files for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} -Obsoletes: webkitgtk4-doc < %{version}-%{release} -Provides: webkitgtk4-doc = %{version}-%{release} - -%description doc -This package contains developer documentation for %{name}. -%endif - %package jsc Summary: JavaScript engine from %{name} Obsoletes: webkitgtk4-jsc < %{version}-%{release} @@ -226,21 +211,17 @@ rm -rf Source/ThirdParty/qunit/ -GNinja \ -DPORT=GTK \ -DCMAKE_BUILD_TYPE=Release \ - -DENABLE_MINIBROWSER=ON \ + -DENABLE_JIT=OFF \ -DUSE_SOUP2=ON \ -%if %{with docs} - -DENABLE_GTKDOC=ON \ -%endif + -DUSE_AVIF=OFF \ + -DENABLE_DOCUMENTATION=OFF \ + -DUSE_GSTREAMER_TRANSCODER=OFF \ %if !0%{?with_gamepad} -DENABLE_GAMEPAD=OFF \ %endif -%if 0%{?fedora} - -DUSER_AGENT_BRANDING="Fedora" \ -%endif %if 0%{?rhel} %ifarch aarch64 - -DENABLE_JIT=OFF \ - -DUSE_SYSTEM_MALLOC=ON \ + -DUSE_64KB_PAGE_BLOCK=ON \ %endif %endif %{nil} 
@@ -252,12 +233,11 @@ export NINJA_STATUS="[%f/%t][%e] " %install %cmake_install -%find_lang WebKit2GTK-4.0 +%find_lang WebKitGTK-4.0 # Finally, copy over and rename various files for %%license inclusion %add_to_license_files Source/JavaScriptCore/COPYING.LIB %add_to_license_files Source/ThirdParty/ANGLE/LICENSE -%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE %add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE %add_to_license_files Source/WebCore/LICENSE-APPLE %add_to_license_files Source/WebCore/LICENSE-LGPL-2 @@ -269,7 +249,7 @@ export NINJA_STATUS="[%f/%t][%e] " %add_to_license_files Source/WTF/wtf/dtoa/COPYING %add_to_license_files Source/WTF/wtf/dtoa/LICENSE -%files -f WebKit2GTK-4.0.lang +%files -f WebKitGTK-4.0.lang %license _license_files/*ThirdParty* %license _license_files/*WebCore* %license _license_files/*WebInspectorUI* 
@@ -312,19 +292,94 @@ export NINJA_STATUS="[%f/%t][%e] " %dir %{_datadir}/gir-1.0 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir -%if %{with docs} -%files doc -%dir %{_datadir}/gtk-doc -%dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/jsc-glib-4.0/ -%{_datadir}/gtk-doc/html/webkit2gtk-4.0/ -%{_datadir}/gtk-doc/html/webkitdomgtk-4.0/ -%endif - %changelog +* Tue Dec 05 2023 Michael Catanzaro - 2.40.5-1.1 +- Add patch for CVE-2023-42917 + Resolves: RHEL-18173 + +* Tue Aug 01 2023 Michael Catanzaro - 2.40.5-1 +- Update to 2.40.5 + Related: #2176270 + +* Fri Jul 21 2023 Michael Catanzaro - 2.40.4-1 +- Update to 2.40.4 + Related: #2176270 + +* Tue Jul 11 2023 Michael Catanzaro - 2.40.3-2 +- Disable JIT + Related: #2176270 + +* Wed Jun 28 2023 Michael Catanzaro - 2.40.3-1 +- Update to 2.40.3 + Related: #2176270 + +* Tue May 30 2023 Michael Catanzaro - 2.40.2-1 +- Update to 2.40.2 + Related: #2176270 + +* Thu May 04 2023 Michael Catanzaro - 2.40.1-1 +- Upgrade to 2.40.1 + Resolves: #2176270 + +* Wed Feb 15 2023 Michael Catanzaro - 2.38.5-1 +- Update to 2.38.5 + Related: #2127467 + +* Thu Feb 02 2023 Michael Catanzaro - 2.38.4-1 +- Update to 2.38.4 + Related: #2127467 + +* Thu Dec 22 2022 Michael Catanzaro - 2.38.3-1 +- Update to 2.38.3 + Related: #2127467 + +* Fri Nov 04 2022 Michael Catanzaro - 2.38.2-1 +- Update to 2.38.2 + Related: #2127467 + +* Mon Oct 31 2022 Michael Catanzaro - 2.38.1-2 +- Fix use with aarch64 64 KiB page size + Related: #2127467 + +* Mon Oct 24 2022 Michael Catanzaro - 2.38.1-1 +- Update to 2.38.1 + Resolves: #2127467 + * Wed Aug 24 2022 Michael Catanzaro - 2.36.7-1 - Update to 2.36.7 - Related: #2123430 + Related: #2061996 + +* Tue Aug 09 2022 Michael Catanzaro - 2.36.6-1 +- Update to 2.36.6 + Related: #2061996 + +* Tue Aug 02 2022 Michael Catanzaro - 2.36.5-2 +- Fix Eclipse after update to 2.36.5 + Related: #2061996 + +* Thu Jul 28 2022 Michael Catanzaro - 2.36.5-1 +- Update to 2.36.5 + Related: #2061996 + +* Tue Jul 05 2022 Michael Catanzaro - 
2.36.4-1 +- Update to 2.36.4 + Related: #2061996 + +* Thu Jun 02 2022 Michael Catanzaro - 2.36.3-1 +- Update to 2.36.3 +- Related: #2061996 +- Resolves: #2092749 + +* Wed May 18 2022 Michael Catanzaro - 2.36.2-1 +- Update to 2.36.2 + Related: #2061996 + +* Thu Apr 21 2022 Michael Catanzaro - 2.36.1-1 +- Update to 2.36.1 + Related: #2061996 +- Resolves: #2075493 +- Resolves: #2075495 +- Resolves: #2075497 * Thu Feb 17 2022 Michael Catanzaro - 2.34.6-1 - Update to 2.34.6