Date: Thu, 21 Feb 2019 18:52:15 +0000
From: "Maya Rashish"
Subject: CVS commit: pkgsrc/www/webkit-gtk
To: pkgsrc-changes@NetBSD.org
Reply-To: maya@netbsd.org
Message-Id: <20190221185216.00543FB16@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   maya
Date:           Thu Feb 21 18:52:15 UTC 2019

Modified Files:
        pkgsrc/www/webkit-gtk: Makefile distinfo
Added Files:
        pkgsrc/www/webkit-gtk/patches: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp

Log Message:
webkit-gtk: backport upstream patch. security fix.

Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
 and CompareStrictEq nodes.
https://bugs.webkit.org/show_bug.cgi?id=194800

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

    CompareEq:
    CompareLess:
    CompareLessEq:
    CompareGreater:
    CompareGreaterEq:
    CompareStrictEq:
    Only return false (i.e. does not GC) for child node use kinds that have
    been vetted to not do anything that can GC.  For all other use kinds
    (including StringUse and BigIntUse), we return true (i.e. does GC).

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

This was published alongside exploit code claiming it is remote code
execution, but I don't understand what the exploit is doing.

bump PKGREVISION

To generate a diff of this commit:
cvs rdiff -u -r1.156 -r1.157 pkgsrc/www/webkit-gtk/Makefile
cvs rdiff -u -r1.115 -r1.116 pkgsrc/www/webkit-gtk/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1550775135287070 Content-Disposition: inline Content-Length: 5878 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/www/webkit-gtk/Makefile diff -u pkgsrc/www/webkit-gtk/Makefile:1.156 pkgsrc/www/webkit-gtk/Makefile:1.157 --- pkgsrc/www/webkit-gtk/Makefile:1.156 Sat Feb 9 11:29:44 2019 +++ pkgsrc/www/webkit-gtk/Makefile Thu Feb 21 18:52:15 2019 @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.156 2019/02/09 11:29:44 leot Exp $ +# $NetBSD: Makefile,v 1.157 2019/02/21 18:52:15 maya Exp $ DISTNAME= webkitgtk-2.22.6 +PKGREVISION= 1 PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/} CATEGORIES= www MASTER_SITES= https://www.webkitgtk.org/releases/ Index: pkgsrc/www/webkit-gtk/distinfo diff -u pkgsrc/www/webkit-gtk/distinfo:1.115 pkgsrc/www/webkit-gtk/distinfo:1.116 --- pkgsrc/www/webkit-gtk/distinfo:1.115 Sat Feb 9 11:29:44 2019 +++ pkgsrc/www/webkit-gtk/distinfo Thu Feb 21 18:52:15 2019 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.115 2019/02/09 11:29:44 leot Exp $ +$NetBSD: distinfo,v 1.116 2019/02/21 18:52:15 maya Exp $ SHA1 (webkitgtk-2.22.6.tar.xz) = 26a8f8951da03aa4dfc2c25257b6899ea3c2558f RMD160 (webkitgtk-2.22.6.tar.xz) = 4ddd00a0eed1e8122a71e070f1f6f5f49f59ca75 
@@ -8,6 +8,7 @@ SHA1 (patch-CMakeLists.txt) = 93466370f4 SHA1 (patch-Source_JavaScriptCore_assembler_ARM64Assembler.h) = a41e02c7a1f9bfb91a2af36ec0410e1bf2b9a745 SHA1 (patch-Source_JavaScriptCore_assembler_ARMAssembler.h) = bae08310572c2e23c69cbf6aa9760a67345dcfe3 SHA1 (patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp) = ab75ef8714e5071fcd094735717a2f5d0321c747 +SHA1 (patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp) = 802d83a69975d0754dfb6198488aacc7e3f04d83 SHA1 (patch-Source_JavaScriptCore_heap_MarkedSpace.cpp) = e6a23d5ef22bddd0a9606fb0e472960e4cf5673e SHA1 (patch-Source_JavaScriptCore_jit_ExecutableAllocator.cpp) = 36d29a5db03c2413ae93224ac391f3ff248983e8 SHA1 (patch-Source_JavaScriptCore_offlineasm_arm64.rb) = 784baf6f3baba2986fbcb7aa10e7abed8f8c6336 Added files: Index: pkgsrc/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp diff -u /dev/null pkgsrc/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp:1.1 --- /dev/null Thu Feb 21 18:52:15 2019 +++ pkgsrc/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp Thu Feb 21 18:52:15 2019 
@@ -0,0 +1,96 @@ +$NetBSD: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp,v 1.1 2019/02/21 18:52:15 maya Exp $ + +Fix remote code execution in JavaScript. From upstream commit: + +From d51ece4028133113e9e5d0f2576ad23489801ddc Mon Sep 17 00:00:00 2001 +From: "mark.lam@apple.com" + +Date: Tue, 19 Feb 2019 02:32:10 +0000 +Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq + and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800 + + +Reviewed by Yusuke Suzuki. + +Fix doesGC() for the following nodes: + + CompareEq: + CompareLess: + CompareLessEq: + CompareGreater: + CompareGreaterEq: + CompareStrictEq: + Only return false (i.e. does not GC) for child node use kinds that have + been vetted to not do anything that can GC. For all other use kinds + (including StringUse and BigIntUse), we return true (i.e. does GC). + +* dfg/DFGDoesGC.cpp: +(JSC::DFG::doesGC): + + +git-svn-id: http://svn.webkit.org/repository/webkit/trunk@241753 268f45cc-cd09-0410-ab3c-d52691b4dbfc + +--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp.orig 2019-02-08 16:17:00.000000000 +0000 ++++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp +@@ -146,14 +146,8 @@ bool doesGC(Graph& graph, Node* node) + case RegExpTest: + case RegExpMatchFast: + case RegExpMatchFastGlobal: +- case CompareLess: +- case CompareLessEq: +- case CompareGreater: +- case CompareGreaterEq: + case CompareBelow: + case CompareBelowEq: +- case CompareEq: +- case CompareStrictEq: + case CompareEqPtr: + case SameValue: + case Call: +@@ -374,6 +368,46 @@ bool doesGC(Graph& graph, Node* node) + case MapSet: + return true; + ++ case CompareEq: ++ case CompareLess: ++ case CompareLessEq: ++ case CompareGreater: ++ case CompareGreaterEq: ++ if (node->isBinaryUseKind(Int32Use) ++#if USE(JSVALUE64) ++ || node->isBinaryUseKind(Int52RepUse) ++#endif ++ || node->isBinaryUseKind(DoubleRepUse) ++ || node->isBinaryUseKind(StringIdentUse) ++ ) ++ return false; ++ if (node->op() == CompareEq) { ++ if 
(node->isBinaryUseKind(BooleanUse) ++ || node->isBinaryUseKind(SymbolUse) ++ || node->isBinaryUseKind(ObjectUse) ++ || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse)) ++ return false; ++ } ++ return true; ++ ++ case CompareStrictEq: ++ if (node->isBinaryUseKind(BooleanUse) ++ || node->isBinaryUseKind(Int32Use) ++#if USE(JSVALUE64) ++ || node->isBinaryUseKind(Int52RepUse) ++#endif ++ || node->isBinaryUseKind(DoubleRepUse) ++ || node->isBinaryUseKind(SymbolUse) ++ || node->isBinaryUseKind(SymbolUse, UntypedUse) ++ || node->isBinaryUseKind(UntypedUse, SymbolUse) ++ || node->isBinaryUseKind(StringIdentUse) ++ || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse) ++ || node->isBinaryUseKind(ObjectUse) ++ || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse) ++ || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse)) ++ return false; ++ return true; ++ + case GetIndexedPropertyStorage: + if (node->arrayMode().type() == Array::String) + return true; --_----------=_1550775135287070--
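Review bot: In the new patch file (hunk @@ -0,0 +1,96 @@), the opening comment "Fix remote code execution in JavaScript." asserts more than this commit supports: the log message says the committer does not understand what the published exploit does, and the upstream subject only claims to fix doesGC() for the Compare* nodes, so suggest a neutral header such as "Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes (upstream bug 194800)" and let the embedded upstream commit message carry the details. The code change itself matches the log: the six Compare* cases are dropped from the `return false` group near `@@ -146,14 +146,8 @@` and re-added near `@@ -374,6 +368,46 @@` as explicit cases that `return false` only for the enumerated use kinds (Int32Use, Int52RepUse under `USE(JSVALUE64)`, DoubleRepUse, StringIdentUse, plus the BooleanUse/SymbolUse/ObjectUse forms for CompareEq and the longer list for CompareStrictEq) and `return true` otherwise, so any use kind not named, including StringUse and BigIntUse, is now reported as possibly collecting, which is the conservative direction for a predicate the optimizer uses to decide whether heap objects may move or be freed across a node. One question worth confirming against upstream: `CompareBelow`, `CompareBelowEq`, `CompareEqPtr` and `SameValue` remain in the unconditional non-GC group in the first embedded hunk even though the rationale of the change is that the operand use kinds, not the opcode, decide whether a comparison can allocate; if those were vetted separately (or are handled by a follow-up upstream change), a line in the patch header saying so would save the next reader the same check.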