On 19-06-2023 19:33, Steve Sakoman wrote:

I wasn't able to take this patch because it too failed during do_patch
at build time.  Please submit a v2 with this corrected.

I was able to take the other patches in this series though, so you
only need to submit v2 for the two that I wasn't able to take.

Steve

Thanks Steve!

I'll submit V2 for these two patches.

Regards,
Yogita

On Fri, Jun 9, 2023 at 4:09 AM Urade, Yogita via lists.openembedded.org <[email protected]> wrote:
The issue was addressed with improved memory handling.
This issue is fixed in macOS Ventura 13.2, macOS Monterey
12.6.3, tvOS 16.3, Safari 16.3, watchOS 9.3, iOS 16.3 and
iPadOS 16.3, macOS Big Sur 11.7.3. Processing maliciously
crafted web content may lead to arbitrary code execution.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23517
https://support.apple.com/en-us/HT213638
https://bugs.webkit.org/show_bug.cgi?id=248268
https://github.com/WebKit/WebKit/pull/6756

Signed-off-by: Yogita Urade <[email protected]>
---
  .../CVE-2023-23517-CVE-2023-23518.patch       | 131 ++++++++++++++++++
  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
  2 files changed, 132 insertions(+)
  create mode 100644 
meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch

diff --git 
a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch 
b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
new file mode 100644
index 0000000000..721f045e0d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23517-CVE-2023-23518.patch
@@ -0,0 +1,131 @@
+From f44648f07471b6c34f61993baa8997f7519a18a1 Mon Sep 17 00:00:00 2001
+From: Youenn Fablet <[email protected]>
+Date: Mon, 28 Nov 2022 00:43:35 -0800
+Subject: [PATCH] Type getter is not needed for internal ReadableStream sources
+ https://bugs.webkit.org/show_bug.cgi?id=248268 rdar://102338913
+
+Reviewed by Eric Carlson.
+
+Make ReadableStreamSource method privates.
+In ReadableStream, use @getters instead of private getters to allow getting 
private values from prototype.
+Covered by added test.
+
+* LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt: Added.
+* LayoutTests/http/wpt/fetch/fetch-stream-source.html: Added.
+* Source/WebCore/Modules/streams/ReadableStream.js:
+(initializeReadableStream):
+* Source/WebCore/Modules/streams/ReadableStreamSource.idl:
+* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
+(WebCore::IDLOperationReturningPromise::call):
+
+Canonical link: https://commits.webkit.org/257063@main
+
+CVE: CVE-2023-23517 CVE-2023-23518
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/f44648f07471b6c34f61993baa8997f7519a18a1]
+
+Signed-off-by: Yogita Urade <[email protected]>
+---
+ .../fetch/fetch-stream-source-expected.txt    |  3 +++
+ .../http/wpt/fetch/fetch-stream-source.html   | 24 +++++++++++++++++++
+ .../WebCore/Modules/streams/ReadableStream.js |  4 ++--
+ .../Modules/streams/ReadableStreamSource.idl  |  8 +++----
+ .../js/JSDOMOperationReturningPromise.h       |  4 +++-
+ 5 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+ create mode 100644 LayoutTests/http/wpt/fetch/fetch-stream-source.html
+
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt 
b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+new file mode 100644
+index 000000000000..856ea8180ca2
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source-expected.txt
+@@ -0,0 +1,3 @@
++
++PASS Only JS streams should check type
++
+diff --git a/LayoutTests/http/wpt/fetch/fetch-stream-source.html 
b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+new file mode 100644
+index 000000000000..fbebfa5e524f
+--- /dev/null
++++ b/LayoutTests/http/wpt/fetch/fetch-stream-source.html
+@@ -0,0 +1,24 @@
++<!doctype html>
++<html>
++  <head>
++    <meta charset="utf-8">
++    <title>Fetch and source</title>
++    <script src="/resources/testharness.js"></script>
++    <script src="/resources/testharnessreport.js"></script>
++  </head>
++  <body>
++    <script>
++promise_test(async () => {
++    let counter = 0;
++    Object.prototype.__defineGetter__("type", function() {
++        counter++;
++    });
++
++    const response = await fetch('/');
++    const fetchReadableStream = response.body;
++    const [r1, r2] = fetchReadableStream.tee();
++    assert_equals(counter, 0);
++}, "Only JS streams should check type");
++    </script>
++  </body>
++</html>
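
Review bot: the two new-file hunks above (fetch-stream-source-expected.txt and fetch-stream-source.html) add only a layout test under LayoutTests/, and the recipe change in this patch does nothing but append the file to SRC_URI, so the build never runs that test. Consider dropping both hunks in v2 so the carried patch is limited to the three Source/WebCore changes, and say so next to the Upstream-Status line.
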
+diff --git a/Source/WebCore/Modules/streams/ReadableStream.js 
b/Source/WebCore/Modules/streams/ReadableStream.js
+index ddef56ecd460..7f0def325d84 100644
+--- a/Source/WebCore/Modules/streams/ReadableStream.js
++++ b/Source/WebCore/Modules/streams/ReadableStream.js
+@@ -48,10 +48,10 @@ function initializeReadableStream(underlyingSource, 
strategy)
+
+     // FIXME: We should introduce 
https://streams.spec.whatwg.org/#create-readable-stream.
+     // For now, we emulate this with underlyingSource with private properties.
+-    if (@getByIdDirectPrivate(underlyingSource, "pull") !== @undefined) {
++    if (underlyingSource.@pull !== @undefined) {
+         const size = @getByIdDirectPrivate(strategy, "size");
+         const highWaterMark = @getByIdDirectPrivate(strategy, 
"highWaterMark");
+-        @setupReadableStreamDefaultController(this, underlyingSource, size, highWaterMark !== @undefined ? 
highWaterMark : 1, @getByIdDirectPrivate(underlyingSource, "start"), 
@getByIdDirectPrivate(underlyingSource, "pull"), @getByIdDirectPrivate(underlyingSource, 
"cancel"));
++        @setupReadableStreamDefaultController(this, underlyingSource, size, 
highWaterMark !== @undefined ? highWaterMark : 1, underlyingSource.@start, 
underlyingSource.@pull, underlyingSource.@cancel);
+         return this;
+     }
+
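
Review bot: this hunk modifies existing source, so its removed and context lines must match the unpacked webkitgtk 2.36.8 tree exactly, while the upstream change it comes from is 257063@main; the do_patch failure reported at the top of this thread says the patch as submitted does not apply. As quoted here, several lines are also wrapped so that their continuations carry no + prefix (the @@ header ending in "strategy)" and the FIXME comment URL, for example), which would break the file if the submitted copy looked the same. For v2, rebase the change on the 2.36.8 sources, regenerate the file with git format-patch, confirm that bitbake -c patch webkitgtk succeeds, and send it with git send-email so nothing is re-wrapped.
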
+diff --git a/Source/WebCore/Modules/streams/ReadableStreamSource.idl 
b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+index cce9ea37ce80..ae7f1403b8ac 100644
+--- a/Source/WebCore/Modules/streams/ReadableStreamSource.idl
++++ b/Source/WebCore/Modules/streams/ReadableStreamSource.idl
+@@ -30,10 +30,10 @@
+     LegacyNoInterfaceObject,
+     SkipVTableValidation
+ ] interface ReadableStreamSource {
+-    [Custom] Promise<undefined> start(ReadableStreamDefaultController 
controller);
+-    [Custom] Promise<undefined> pull(ReadableStreamDefaultController 
controller);
+-    undefined cancel(any reason);
++    [Custom, PrivateIdentifier] Promise<undefined> 
start(ReadableStreamDefaultController controller);
++    [Custom, PrivateIdentifier] Promise<undefined> 
pull(ReadableStreamDefaultController controller);
++    [PrivateIdentifier] undefined cancel(any reason);
+
+     // Place holder to keep the controller linked to the source.
+-    [CachedAttribute, CustomGetter] readonly attribute any controller;
++    [CachedAttribute, CustomGetter, PrivateIdentifier] readonly attribute any 
controller;
+ };
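
Review bot: adding PrivateIdentifier to start, pull, cancel and controller makes them private (the commit message says as much), but the only caller updated in this patch is initializeReadableStream in ReadableStream.js. Because this is a backport onto 2.36.8 rather than the tree the upstream commit was written for, check the 2.36.8 sources for any other use of these four names on a ReadableStreamSource before sending v2, and note the result in the patch header.
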
+diff --git a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h 
b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+index c4d1513ad5c4..1dda9d3834f7 100644
+--- a/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
++++ b/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
+@@ -43,8 +43,10 @@ public:
+             if constexpr (shouldThrow != CastedThisErrorBehavior::Assert) {
+                 if (UNLIKELY(!thisObject))
+                     return rejectPromiseWithThisTypeError(promise.get(), 
JSClass::info()->className, operationName);
+-            } else
++            } else {
++                UNUSED_PARAM(operationName);
+                 ASSERT(thisObject);
++            }
+
+             ASSERT_GC_OBJECT_INHERITS(thisObject, JSClass::info());
+
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index cf1b8b2cc0..69663c1cb7 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
             file://CVE-2022-46699.patch \
             file://CVE-2022-42867.patch \
             file://CVE-2022-42856.patch \
+           file://CVE-2023-23517-CVE-2023-23518.patch \
             "
  SRC_URI[sha256sum] = 
"0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

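Review bot: the file added to SRC_URI is named for both CVE-2023-23517 and CVE-2023-23518, and the embedded patch carries "CVE: CVE-2023-23517 CVE-2023-23518", but the commit message references only the NVD entry for CVE-2023-23517. Add a reference for CVE-2023-23518 in v2 so that the claim that this single upstream commit addresses both is backed by the message.
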
--
2.40.0



