update to 2.40.5

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
1 year ago · 7db27dab87
2 changed files with 184 additions and 49 deletions
--- a/SOURCES/CVE-2023-42917.patch
+++ b/SOURCES/CVE-2023-42917.patch
@ -0,0 +1,80 @@
				@@ -0,0 +1,80 @@
+From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
+From: Russell Epstein <repstein@apple.com>
+Date: Fri, 17 Nov 2023 15:48:32 -0800
+Subject: [PATCH] Cherry-pick b0a755e34426.
+ https://bugs.webkit.org/show_bug.cgi?id=265067
+
+    Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
+    https://bugs.webkit.org/show_bug.cgi?id=265067
+    rdar://118548733
+
+    Reviewed by Justin Michaud and Mark Lam.
+
+    Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
+    Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
+    in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
+
+    This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
+    And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
+
+    * Source/JavaScriptCore/runtime/Structure.cpp:
+    (JSC::Structure::flattenDictionaryStructure):
+
+    Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
+
+    Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
+---
+ Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
+index 2922e2478794c..9d094e2c8adc8 100644
+--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
+@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+     checkOffsetConsistency();
+     ASSERT(isDictionary());
+     ASSERT(object->structure() == this);
+-    
+-    GCSafeConcurrentJSLocker locker(m_lock, vm);
+-    
+-    object->setStructureIDDirectly(id().nuke());
+-    WTF::storeStoreFence();
+ 
+    Locker<JSCellLock> cellLocker(NoLockingNecessary);
+
+    PropertyTable* table = nullptr;
+     size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
+    size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
+     if (isUncacheableDictionary()) {
+-        PropertyTable* table = propertyTableOrNull();
+        table = propertyTableOrNull();
+         ASSERT(table);
+        PropertyOffset maxOffset = invalidOffset;
+        if (unsigned propertyCount = table->size())
+            maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
+        afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
+    }
+ 
+    // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
+    if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
+        cellLocker = Locker { object->cellLock() };
+
+    GCSafeConcurrentJSLocker locker(m_lock, vm);
+
+    object->setStructureIDDirectly(id().nuke());
+    WTF::storeStoreFence();
+
+    if (isUncacheableDictionary()) {
+         size_t propertyCount = table->size();
+ 
+         // Holds our values compacted by insertion order. This is OK since GC is deferred.
+@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+     setDictionaryKind(NoneDictionaryKind);
+     setHasBeenFlattenedBefore(true);
+ 
+-    size_t afterOutOfLineCapacity = this->outOfLineCapacity();
+    ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
+ 
+     if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
+         ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);
--- a/SPECS/webkit2gtk3.spec
+++ b/SPECS/webkit2gtk3.spec
@ -1,5 +1,3 @@
				@@ -1,5 +1,3 @@
-%define _smp_mflags -j4
-
 ## NOTE: Lots of files in various subdirectories have the same name (such as
 ## "LICENSE") so this short macro allows us to distinguish them by using their
 ## directory names (from the source tree) as prefixes for the files.
@ -12,14 +10,9 @@
				@@ -12,14 +10,9 @@
 %global with_gamepad 1
 %endif

-# Build documentation by default (use `rpmbuild --without docs` to override it).
-# This is used by Coverity. Coverity injects custom compiler warnings, but
-# any warning during WebKit docs build is fatal!
-%bcond_without docs
-
 Name:           webkit2gtk3
-Version:        2.36.7
-Release:        1%{?dist}
+Version:        2.40.5
+Release:        1%{?dist}.1
 Summary:        GTK Web content engine library

 License:        LGPLv2
@ -31,11 +24,7 @@ Source1:        https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
				@@ -31,11 +24,7 @@ Source1:        https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
 # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg
 Source2:        webkitgtk-keys.gpg

-%if 0%{?rhel}
-# https://bugs.webkit.org/show_bug.cgi?id=217989
-# https://bugs.webkit.org/show_bug.cgi?id=227905
-Patch0:         aarch64-page-size.patch
-%endif
+Patch:          CVE-2023-42917.patch

 BuildRequires:  bison
 BuildRequires:  bubblewrap
@ -46,10 +35,10 @@ BuildRequires:  gettext
				@@ -46,10 +35,10 @@ BuildRequires:  gettext
 BuildRequires:  git
 BuildRequires:  gnupg2
 BuildRequires:  gperf
-BuildRequires:  gtk-doc
 BuildRequires:  hyphen-devel
 BuildRequires:  libatomic
 BuildRequires:  ninja-build
+BuildRequires:  openssl-devel
 BuildRequires:  perl(English)
 BuildRequires:  perl(FindBin)
 BuildRequires:  perl(JSON::PP)
@ -57,6 +46,7 @@ BuildRequires:  python3
				@@ -57,6 +46,7 @@ BuildRequires:  python3
 BuildRequires:  ruby
 BuildRequires:  rubygems
 BuildRequires:  rubygem-json
+BuildRequires:  unifdef
 BuildRequires:  xdg-dbus-proxy

 BuildRequires:  pkgconfig(atspi-2)
@ -65,16 +55,19 @@ BuildRequires:  pkgconfig(egl)
				@@ -65,16 +55,19 @@ BuildRequires:  pkgconfig(egl)
 BuildRequires:  pkgconfig(enchant-2)
 BuildRequires:  pkgconfig(fontconfig)
 BuildRequires:  pkgconfig(freetype2)
+BuildRequires:  pkgconfig(gbm)
 BuildRequires:  pkgconfig(gl)
 BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(glesv2)
 BuildRequires:  pkgconfig(gobject-introspection-1.0)
 BuildRequires:  pkgconfig(gstreamer-1.0)
+BuildRequires:  pkgconfig(gstreamer-plugins-bad-1.0)
 BuildRequires:  pkgconfig(gstreamer-plugins-base-1.0)
 BuildRequires:  pkgconfig(gtk+-3.0)
 BuildRequires:  pkgconfig(harfbuzz)
 BuildRequires:  pkgconfig(icu-uc)
 BuildRequires:  pkgconfig(lcms2)
+BuildRequires:  pkgconfig(libdrm)
 BuildRequires:  pkgconfig(libgcrypt)
 BuildRequires:  pkgconfig(libjpeg)
 BuildRequires:  pkgconfig(libnotify)
@ -130,6 +123,10 @@ Provides:       webkitgtk4 = %{version}-%{release}
				@@ -130,6 +123,10 @@ Provides:       webkitgtk4 = %{version}-%{release}
 Obsoletes:      webkit2gtk3-plugin-process-gtk2 < %{version}-%{release}
 Provides:       webkit2gtk3-plugin-process-gtk2 = %{version}-%{release}

+# Don't build documentation anymore to avoid gi-docgen dependency
+Obsoletes:      webkit2gtk3-doc < %{version}-%{release}
+Provides:       webkit2gtk3-doc = %{version}-%{release}
+
 # We're supposed to specify versions here, but these libraries don't do
 # normal releases. Accordingly, they're not suitable to be system libs.
 Provides:       bundled(angle)
@ -159,18 +156,6 @@ Provides:       webkitgtk4-devel = %{version}-%{release}
				@@ -159,18 +156,6 @@ Provides:       webkitgtk4-devel = %{version}-%{release}
 The %{name}-devel package contains libraries, build data, and header
 files for developing applications that use %{name}.

-%if %{with docs}
-%package        doc
-Summary:        Documentation files for %{name}
-BuildArch:      noarch
-Requires:       %{name} = %{version}-%{release}
-Obsoletes:      webkitgtk4-doc < %{version}-%{release}
-Provides:       webkitgtk4-doc = %{version}-%{release}
-
-%description    doc
-This package contains developer documentation for %{name}.
-%endif
-
 %package        jsc
 Summary:        JavaScript engine from %{name}
 Obsoletes:      webkitgtk4-jsc < %{version}-%{release}
@ -226,21 +211,17 @@ rm -rf Source/ThirdParty/qunit/
				@@ -226,21 +211,17 @@ rm -rf Source/ThirdParty/qunit/
  -GNinja \
  -DPORT=GTK \
  -DCMAKE_BUILD_TYPE=Release \
-  -DENABLE_MINIBROWSER=ON \
+  -DENABLE_JIT=OFF \
  -DUSE_SOUP2=ON \
-%if %{with docs}
-  -DENABLE_GTKDOC=ON \
-%endif
+  -DUSE_AVIF=OFF \
+  -DENABLE_DOCUMENTATION=OFF \
+  -DUSE_GSTREAMER_TRANSCODER=OFF \
 %if !0%{?with_gamepad}
  -DENABLE_GAMEPAD=OFF \
 %endif
-%if 0%{?fedora}
-  -DUSER_AGENT_BRANDING="Fedora" \
-%endif
 %if 0%{?rhel}
 %ifarch aarch64
-  -DENABLE_JIT=OFF \
-  -DUSE_SYSTEM_MALLOC=ON \
+  -DUSE_64KB_PAGE_BLOCK=ON \
 %endif
 %endif
  %{nil}
@ -252,12 +233,11 @@ export NINJA_STATUS="[%f/%t][%e] "
				@@ -252,12 +233,11 @@ export NINJA_STATUS="[%f/%t][%e] "
 %install
 %cmake_install

-%find_lang WebKit2GTK-4.0
+%find_lang WebKitGTK-4.0

 # Finally, copy over and rename various files for %%license inclusion
 %add_to_license_files Source/JavaScriptCore/COPYING.LIB
 %add_to_license_files Source/ThirdParty/ANGLE/LICENSE
-%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE
 %add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
 %add_to_license_files Source/WebCore/LICENSE-APPLE
 %add_to_license_files Source/WebCore/LICENSE-LGPL-2
@ -269,7 +249,7 @@ export NINJA_STATUS="[%f/%t][%e] "
				@@ -269,7 +249,7 @@ export NINJA_STATUS="[%f/%t][%e] "
 %add_to_license_files Source/WTF/wtf/dtoa/COPYING
 %add_to_license_files Source/WTF/wtf/dtoa/LICENSE

-%files -f WebKit2GTK-4.0.lang
+%files -f WebKitGTK-4.0.lang
 %license _license_files/*ThirdParty*
 %license _license_files/*WebCore*
 %license _license_files/*WebInspectorUI*
@ -312,19 +292,94 @@ export NINJA_STATUS="[%f/%t][%e] "
				@@ -312,19 +292,94 @@ export NINJA_STATUS="[%f/%t][%e] "
 %dir %{_datadir}/gir-1.0
 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir

-%if %{with docs}
-%files doc
-%dir %{_datadir}/gtk-doc
-%dir %{_datadir}/gtk-doc/html
-%{_datadir}/gtk-doc/html/jsc-glib-4.0/
-%{_datadir}/gtk-doc/html/webkit2gtk-4.0/
-%{_datadir}/gtk-doc/html/webkitdomgtk-4.0/
-%endif
-
 %changelog
+* Tue Dec 05 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1.1
+- Add patch for CVE-2023-42917
+  Resolves: RHEL-18173
+
+* Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
+- Update to 2.40.5
+  Related: #2176270
+
+* Fri Jul 21 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.4-1
+- Update to 2.40.4
+  Related: #2176270
+
+* Tue Jul 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.3-2
+- Disable JIT
+  Related: #2176270
+
+* Wed Jun 28 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.3-1
+- Update to 2.40.3
+  Related: #2176270
+
+* Tue May 30 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.2-1
+- Update to 2.40.2
+  Related: #2176270
+
+* Thu May 04 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.1-1
+- Upgrade to 2.40.1
+  Resolves: #2176270
+
+* Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1
+- Update to 2.38.5
+  Related: #2127467
+
+* Thu Feb 02 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.4-1
+- Update to 2.38.4
+  Related: #2127467
+
+* Thu Dec 22 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.3-1
+- Update to 2.38.3
+  Related: #2127467
+
+* Fri Nov 04 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.2-1
+- Update to 2.38.2
+  Related: #2127467
+
+* Mon Oct 31 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.1-2
+- Fix use with aarch64 64 KiB page size
+  Related: #2127467
+
+* Mon Oct 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.1-1
+- Update to 2.38.1
+  Resolves: #2127467
+
 * Wed Aug 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1
 - Update to 2.36.7
-  Related: #2123430
+  Related: #2061996
+
+* Tue Aug 09 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.6-1
+- Update to 2.36.6
+  Related: #2061996
+
+* Tue Aug 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-2
+- Fix Eclipse after update to 2.36.5
+  Related: #2061996
+
+* Thu Jul 28 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-1
+- Update to 2.36.5
+  Related: #2061996
+
+* Tue Jul 05 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.4-1
+- Update to 2.36.4
+  Related: #2061996
+
+* Thu Jun 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.3-1
+- Update to 2.36.3
+- Related: #2061996
+- Resolves: #2092749
+
+* Wed May 18 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.2-1
+- Update to 2.36.2
+  Related: #2061996
+
+* Thu Apr 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.1-1
+- Update to 2.36.1
+  Related: #2061996
+- Resolves: #2075493
+- Resolves: #2075495
+- Resolves: #2075497

 * Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1
 - Update to 2.34.6