A use after free issue was addressed with improved memory management.
This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS
16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web
content may lead to arbitrary code execution.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-42867
https://support.apple.com/en-us/HT213537

Signed-off-by: Yogita Urade <[email protected]>
---
 .../webkit/webkitgtk/CVE-2022-42867.patch     | 104 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 0000000000..bf06809051
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
+From: Yogita Urade <[email protected]>
+Date: Wed, 7 Jun 2023 08:15:11 +0000
+Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
+ should take pointer arguments  like other similar functions
+ https://bugs.webkit.org/show_bug.cgi?id=247317  rdar://100273147
+
+Reviewed by Alan Baradlay.
+
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+
+Canonical link: https://commits.webkit.org/256215@main
+
+CVE: CVE-2022-42867
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+
+Signed-off-by: Yogita Urade <[email protected]>
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++--------
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/rendering/RenderElement.cpp 
b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..931686b8 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
++++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool 
RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+     return diff == StyleDifference::Repaint || (diff == 
StyleDifference::RepaintIfTextOrBorderOrOutline && 
hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer& newLayers)
++void RenderElement::updateFillImages(const FillLayer* oldLayers, const 
FillLayer* newLayers)
+ {
+     auto fillImagesAreIdentical = [](const FillLayer* layer1, const 
FillLayer* layer2) -> bool {
+         if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+     };
+
+     auto isRegisteredWithNewFillImages = [&]() -> bool {
+-        for (auto* layer = &newLayers; layer; layer = layer->next()) {
++        for (auto* layer = newLayers; layer; layer = layer->next()) {
+             if (layer->image() && !layer->image()->hasClient(*this))
+                 return false;
+         }
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* 
oldLayers, const FillLayer
+
+     // If images have the same characteristics and this element is already 
registered as a
+     // client to the new images, there is nothing to do.
+-    if (fillImagesAreIdentical(oldLayers, &newLayers) && 
isRegisteredWithNewFillImages())
++    if (fillImagesAreIdentical(oldLayers, newLayers) && 
isRegisteredWithNewFillImages())
+         return;
+
+     // Add before removing, to avoid removing all clients of an image that is 
in both sets.
+-    for (auto* layer = &newLayers; layer; layer = layer->next()) {
++    for (auto* layer = newLayers; layer; layer = layer->next()) {
+         if (layer->image())
+             layer->image()->addClient(*this);
+     }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, 
const RenderStyle* b)
+
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* 
oldStyle)
+ {
+-    updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, 
m_style.backgroundLayers());
+-    updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, 
m_style.maskLayers());
+-    updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
m_style.borderImage().image());
+-    updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, 
m_style.maskBoxImage().image());
+-    updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, 
m_style.shapeOutside());
++    auto registerImages = [this](auto* style, auto* oldStyle) {
++        if (!style && !oldStyle)
++            return;
++        updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, 
style ? &style->backgroundLayers() : nullptr);
++        updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style 
? &style->maskLayers() : nullptr);
++        updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, 
style ? style->borderImage().image() : nullptr);
++        updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, 
style ? style->maskBoxImage().image() : nullptr);
++        updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style 
? style->shapeOutside() : nullptr);
++    };
++
++    registerImages(&style(), oldStyle);
++
++    // Are there other pseudo-elements that need the resources to be 
registered?
++    registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), 
oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
+
+     SVGRenderSupport::styleChanged(*this, oldStyle);
+
+diff --git a/Source/WebCore/rendering/RenderElement.h 
b/Source/WebCore/rendering/RenderElement.h
+index f376cecb..d6ba2cdf 100644
+--- a/Source/WebCore/rendering/RenderElement.h
++++ b/Source/WebCore/rendering/RenderElement.h
+@@ -349,7 +349,7 @@ private:
+     bool shouldRepaintForStyleDifference(StyleDifference) const;
+     bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
+
+-    void updateFillImages(const FillLayer*, const FillLayer&);
++    void updateFillImages(const FillLayer*, const FillLayer*);
+     void updateImage(StyleImage*, StyleImage*);
+     void updateShapeImage(const ShapeValue*, const ShapeValue*);
+
+--
+2.35.5
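Review bot: The embedded patch header at the top of this new file (the From:, Date: and Subject: lines) records the backporter and the `[oe-core][kirkstone][PATCH 1/1]` list prefix rather than the upstream WebKit commit's author and subject, so the file loses the attribution of the fix it carries even though the Upstream-Status line names the commit. Regenerating the header from the referenced upstream commit (keeping the WebKit subject, bug URL and Reviewed-by line, then appending the `CVE:`, `Upstream-Status:` and `Signed-off-by:` trailers) would let a reader verify the provenance of the code against that link. On the C++ side, the inner hunk for RenderElement::updateFillImages ends before the body of `fillImagesAreIdentical`, so whether that lambda tolerates a null `newLayers` with a non-null `oldLayers` cannot be confirmed from this file and is worth checking in the patched tree, since styleDidChange now passes nullptr for a missing pseudo-style on either side. The `// Are there other pseudo-elements that need the resources to be registered?` comment in styleDidChange is an open question left in code; writing it as `// TODO: check whether other pseudo-elements need their resources registered here` makes that explicit.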
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 8f6514a82b..062f209932 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2022-32923.patch \
            file://CVE-2022-46691.patch \
            file://CVE-2022-46699.patch \
+           file://CVE-2022-42867.patch \
            "
 SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.40.0
