From 88e3f147fcaa35d3bfd4f928a956b597c86b130e Mon Sep 17 00:00:00 2001
From: sun_hai_10
Date: Thu, 21 Mar 2024 18:49:17 +0800
Subject: [PATCH] fix cves

---
 backport-CVE-2023-23599.patch | 102 +++++++++++++++++++++++++++
 backport-CVE-2023-23601.patch | 126 ++++++++++++++++++++++++++++++++++
 backport-CVE-2023-23602.patch | 123 +++++++++++++++++++++++++++++++++
 mozjs91.spec | 9 ++-
 4 files changed, 359 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-23599.patch
 create mode 100644 backport-CVE-2023-23601.patch
 create mode 100644 backport-CVE-2023-23602.patch

diff --git a/backport-CVE-2023-23599.patch b/backport-CVE-2023-23599.patch
new file mode 100644
index 0000000..101eb74
--- /dev/null
+++ b/backport-CVE-2023-23599.patch
@@ -0,0 +1,102 @@ +From 20abf3bf81bfe657e5af6741fa7b1b2268b6a457 Mon Sep 17 00:00:00 2001 +From: s30028044 +Date: Wed, 13 Mar 2024 14:17:29 +0800 +Subject: [PATCH] CVE-2023-23599 + +--- + devtools/client/shared/curl.js | 75 ++++++++++++++++++---------------- + 1 file changed, 39 insertions(+), 36 deletions(-) + +diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js +index 022158bebd..c42e2d0580 100644 +--- a/devtools/client/shared/curl.js ++++ b/devtools/client/shared/curl.js +@@ -426,46 +426,49 @@ const CurlUtils = { + */ + escapeStringWin: function(str) { + /* +- Replace the backtick character ` with `` in order to escape it. +- The backtick character is an escape character in PowerShell and +- can, among other things, be used to disable the effect of some +- of the other escapes created below. +- Also see http://www.rlmueller.net/PowerShellEscape.htm for +- useful details. +- +- Replace dollar sign because of commands in powershell when using +- double quotes. e.g $(calc.exe) Also see +- http://www.rlmueller.net/PowerShellEscape.htm for details. +- +- Replace quote by double quote (but not by \") because it is +- recognized by both cmd.exe and MS Crt arguments parser. +- +- Replace % by "%" because it could be expanded to an environment +- variable value. So %% becomes "%""%". Even if an env variable "" +- (2 doublequotes) is declared, the cmd.exe will not +- substitute it with its value. +- +- Replace each backslash with double backslash to make sure +- MS Crt arguments parser won't collapse them. +- +- Replace new line outside of quotes since cmd.exe doesn't let +- to do it inside. At the same time it gets duplicated, +- because first newline is consumed by ^. +- So for quote: `"Text-start\r\ntext-continue"`, +- we get: `"Text-start"^\r\n\r\n"text-continue"`, +- where `^\r\n` is just breaking the command, the `\r\n` right +- after is actual escaped newline. 
++ Because cmd.exe parser and MS Crt arguments parsers use some of the ++ same escape characters, they can interact with each other in ++ horrible ways, the order of operations is critical. + */ ++ const encapsChars = '"'; + return ( +- '"' + ++ encapsChars + + str +- .replaceAll("`", "``") +- .replaceAll("$", "`$") +- .replaceAll('"', '""') +- .replaceAll("%", '"%"') ++ ++ // Replace \ with \\ first because it is an escape character for certain ++ // conditions in both parsers. + .replace(/\\/g, "\\\\") +- .replace(/[\r\n]{1,2}/g, '"^$&$&"') + +- '"' ++ ++ // Replace double quote chars with two double quotes (not by escaping with \") because it is ++ // recognized by both cmd.exe and MS Crt arguments parser. ++ .replace(/"/g, '""') ++ ++ // Escape ` and $ so commands do not get executed e.g $(calc.exe) or `\$(calc.exe) ++ .replace(/[`$]/g, "\\$&") ++ ++ // Then escape all characters we are not sure about with ^ to ensure it ++ // gets to MS Crt parser safely. ++ .replace(/[^a-zA-Z0-9\s_\-:=+~\/.',?;()*\$&\\{}\"`]/g, "^$&") ++ ++ // The % character is special because MS Crt parser will try and look for ++ // ENV variables and fill them in its place. We cannot escape them with % ++ // and cannot escape them with ^ (because it's cmd.exe's escape not MS Crt ++ // parser); So we can get cmd.exe parser to escape the character after it, ++ // if it is followed by a valid beginning character of an ENV variable. ++ // This ensures we do not try and double escape another ^ if it was placed ++ // by the previous replace. ++ .replace(/%(?=[a-zA-Z0-9_])/g, "%^") ++ ++ // We replace \r and \r\n with \n, this allows to consistently escape all new ++ // lines in the next replace ++ .replace(/\r\n?/g, "\n") ++ ++ // Lastly we replace new lines with ^ and TWO new lines because the first ++ // new line is there to enact the escape command the second is the character ++ // to escape (in this case new line). ++ // The extra " enables escaping new lines with ^ within quotes in cmd.exe. 
++ .replace(/\n/g, '"^\r\n\r\n"') + ++ encapsChars + ); + }, + }; +-- +2.27.0 + diff --git a/backport-CVE-2023-23601.patch b/backport-CVE-2023-23601.patch new file mode 100644 index 0000000..797057f --- /dev/null +++ b/backport-CVE-2023-23601.patch 
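Review bot: This backport, and the CVE-2023-23601 and CVE-2023-23602 ones that follow it, patch devtools/client/shared/curl.js, dom/base, dom/events, dom/webidl and dom/websocket, all of which are browser-side trees; the standalone SpiderMonkey source tarball normally carries only the engine and its build support (js/, mfbt, mozglue and friends), so if that is what this package's Source0 unpacks, none of the patched files exist and %prep will stop at the first of them. The flaws they address — PowerShell/cmd.exe escaping in the devtools "Copy as cURL" output, a same-document drag-and-drop check, and WebSocket CSP reporting — live outside the code compiled into libmozjs, so the package's actual exposure should be confirmed against the tarball contents before carrying them. If the tarball does contain those trees, a one-line note in each patch header saying so would save the next maintainer the same check; if it does not, the three patches should be dropped rather than declared and left unapplied.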
@@ -0,0 +1,126 @@ +From 6ee2be9efaae3ca33e0c1284966ee0a142026089 Mon Sep 17 00:00:00 2001 +From: s30028044 +Date: Sat, 9 Mar 2024 22:00:16 +0800 +Subject: [PATCH] CVE-2023-23601 + +--- + dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------ + dom/events/DataTransfer.cpp | 12 ++++++++++++ + dom/events/DataTransfer.h | 3 +++ + dom/webidl/DataTransfer.webidl | 7 +++++++ + 4 files changed, 29 insertions(+), 18 deletions(-) + +diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm +index d3d64d9a81..e812c96656 100644 +--- a/dom/base/ContentAreaDropListener.jsm ++++ b/dom/base/ContentAreaDropListener.jsm +@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = { + return true; + } + +- let sourceNode = dataTransfer.mozSourceNode; +- if (!sourceNode) { ++ // If this is an external drag, allow drop. ++ let sourceWC = dataTransfer.sourceWindowContext; ++ if (!sourceWC) { + return true; + } + +- // don't allow a drop of a node from the same document onto this one +- let sourceDocument = sourceNode.ownerDocument; +- let eventDocument = aEvent.originalTarget.ownerDocument; +- if (sourceDocument == eventDocument) { ++ // If drag source and drop target are in the same top window, don't allow. ++ let eventWC = ++ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext; ++ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) { + return false; + } + +- // also check for nodes in other child or sibling frames by checking +- // if both have the same top window. 
+- if (sourceDocument && eventDocument) { +- if (sourceDocument.defaultView == null) { +- return true; +- } +- let sourceRoot = sourceDocument.defaultView.top; +- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) { +- return false; +- } +- } +- + return true; + }, + +diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp +index 243b102d43..82a5a99a17 100644 +--- a/dom/events/DataTransfer.cpp ++++ b/dom/events/DataTransfer.cpp +@@ -40,6 +40,7 @@ + #include "mozilla/dom/FileList.h" + #include "mozilla/dom/BindingUtils.h" + #include "mozilla/dom/OSFileSystem.h" ++#include "mozilla/dom/WindowContext.h" + #include "mozilla/dom/Promise.h" + #include "nsComponentManagerUtils.h" + #include "nsNetUtil.h" +@@ -436,6 +437,17 @@ already_AddRefed DataTransfer::GetMozSourceNode() { + return sourceNode.forget(); + } + ++already_AddRefed DataTransfer::GetSourceWindowContext() { ++ nsCOMPtr dragSession = nsContentUtils::GetDragSession(); ++ if (!dragSession) { ++ return nullptr; ++ } ++ ++ RefPtr sourceWindowContext; ++ dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext)); ++ return sourceWindowContext.forget(); ++} ++ + already_AddRefed DataTransfer::MozTypesAt( + uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const { + // Only the first item is valid for clipboard events +diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h +index a091f2069f..614b33ed25 100644 +--- a/dom/events/DataTransfer.h ++++ b/dom/events/DataTransfer.h +@@ -41,6 +41,7 @@ class FileList; + class Promise; + template + class Optional; ++class WindowContext; + + #define NS_DATATRANSFER_IID \ + { \ +@@ -261,6 +262,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache { + + already_AddRefed GetMozSourceNode(); + ++ already_AddRefed GetSourceWindowContext(); ++ + /* + * Integer version of dropEffect, set to one of the constants in + * nsIDragService. 
+diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
+index 7f7528d9c0..da89243b6f 100644
+--- a/dom/webidl/DataTransfer.webidl
++++ b/dom/webidl/DataTransfer.webidl
+@@ -159,6 +159,13 @@ partial interface DataTransfer {
+ [UseCounter]
+ readonly attribute Node? mozSourceNode;
+
++ /**
++ * The window context that mouse was pressed over to begin the drag. For
++ * external drags, this will be null.
++ */
++ [ChromeOnly]
++ readonly attribute WindowContext? sourceWindowContext;
++
+ /**
+ * The URI spec of the triggering principal. This may be different than
+ * sourceNode's principal when sourceNode is xul:browser and the drag is
+-- 
+2.27.0
+
diff --git a/backport-CVE-2023-23602.patch b/backport-CVE-2023-23602.patch
new file mode 100644
index 0000000..849cd59
--- /dev/null
+++ b/backport-CVE-2023-23602.patch
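Review bot: `DataTransfer::GetSourceWindowContext()` in the DataTransfer.cpp hunk discards the `nsresult` of `dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext))`, so a failed lookup returns null exactly like an external drag does, and the new `ContentAreaDropListener` check on the previous hunk then takes the "external drag, allow drop" branch — the error path fails open. If that is the intended contract (null means "no drag source known"), it should at least be visible: `nsresult rv = dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext)); NS_WARN_IF(NS_FAILED(rv));` before the `forget()`, and the new declaration in DataTransfer.h deserves a comment such as `// Window context the drag started over; null for external drags and whenever no drag session or source context is available.` so callers know null is not only the external case. The JS side of the check (`aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext`) continues in a method that begins before the hunk.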
@@ -0,0 +1,123 @@ +From 500a65993b8054feec5ff74a57f446722c2564de Mon Sep 17 00:00:00 2001 +From: s30028044 +Date: Sat, 9 Mar 2024 21:43:47 +0800 +Subject: [PATCH] CVE-2023-23602 + +--- + dom/websocket/WebSocket.cpp | 37 ++++++++++++++++++++++++------------- + 1 file changed, 24 insertions(+), 13 deletions(-) + +diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp +index 741f7b4c05..3786788f9e 100644 +--- a/dom/websocket/WebSocket.cpp ++++ b/dom/websocket/WebSocket.cpp +@@ -152,7 +152,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor, + bool IsTargetThread() const; + + nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal, +- nsIPrincipal* aPrincipal, bool aIsServerSide, ++ nsIPrincipal* aPrincipal, const Maybe& aClientInfo, ++ nsICSPEventListener* aCSPEventListener, bool aIsServerSide, + const nsAString& aURL, nsTArray& aProtocolArray, + const nsACString& aScriptFile, uint32_t aScriptLine, + uint32_t aScriptColumn); +@@ -1082,12 +1083,14 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable { + class InitRunnable final : public WebSocketMainThreadRunnable { + public: + InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl, ++ const Maybe& aClientInfo, + bool aIsServerSide, const nsAString& aURL, + nsTArray& aProtocolArray, + const nsACString& aScriptFile, uint32_t aScriptLine, + uint32_t aScriptColumn) + : WebSocketMainThreadRunnable(aWorkerPrivate, "WebSocket :: init"_ns), + mImpl(aImpl), ++ mClientInfo(aClientInfo), + mIsServerSide(aIsServerSide), + mURL(aURL), + mProtocolArray(aProtocolArray), +@@ -1117,10 +1120,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable { + return true; + } + +- mErrorCode = +- mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(), +- doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray, +- mScriptFile, mScriptLine, mScriptColumn); ++ mErrorCode = mImpl->Init( ++ jsapi.cx(), mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(), ++ mClientInfo, 
mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL, ++ mProtocolArray, mScriptFile, mScriptLine, mScriptColumn); + return true; + } + +@@ -1130,7 +1133,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable { + + mErrorCode = + mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(), +- aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL, ++ aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo, ++ mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL, + mProtocolArray, mScriptFile, mScriptLine, mScriptColumn); + return true; + } +@@ -1138,6 +1142,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable { + // Raw pointer. This worker runnable runs synchronously. + WebSocketImpl* mImpl; + ++ Maybe mClientInfo; + bool mIsServerSide; + const nsAString& mURL; + nsTArray& mProtocolArray; +@@ -1318,8 +1323,8 @@ already_AddRefed WebSocket::ConstructorCommon( + } + + aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal, +- !!aTransportProvider, aUrl, protocolArray, ""_ns, +- 0, 0); ++ Nothing(), nullptr, !!aTransportProvider, aUrl, ++ protocolArray, ""_ns, 0, 0); + + if (NS_WARN_IF(aRv.Failed())) { + return nullptr; +@@ -1344,8 +1349,9 @@ already_AddRefed WebSocket::ConstructorCommon( + } + + RefPtr runnable = new InitRunnable( +- workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray, +- nsDependentCString(file.get()), lineno, column); ++ workerPrivate, webSocketImpl, ++ workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider, ++ aUrl, protocolArray, nsDependentCString(file.get()), lineno, column); + runnable->Dispatch(Canceling, aRv); + if (NS_WARN_IF(aRv.Failed())) { + return nullptr; +@@ -1526,8 +1532,10 @@ void WebSocket::DisconnectFromOwner() { + //----------------------------------------------------------------------------- + + nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal, +- nsIPrincipal* aPrincipal, bool aIsServerSide, +- const nsAString& aURL, ++ 
nsIPrincipal* aPrincipal,
++ const Maybe& aClientInfo,
++ nsICSPEventListener* aCSPEventListener,
++ bool aIsServerSide, const nsAString& aURL
+ nsTArray& aProtocolArray,
+ const nsACString& aScriptFile,
+ uint32_t aScriptLine, uint32_t aScriptColumn) {
+@@ -1624,8 +1632,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+ aPrincipal, // loading principal
+ aPrincipal, // triggering principal
+ originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+- nsIContentPolicy::TYPE_WEBSOCKET);
++ nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
+
++ if (aCSPEventListener) {
++ secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
++ }
+ int16_t shouldLoad = nsIContentPolicy::ACCEPT;
+ rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, ""_ns, &shouldLoad,
+ nsContentUtils::GetContentPolicy());
+-- 
+2.27.0
+
diff --git a/mozjs91.spec b/mozjs91.spec
index 2c6ada7..567db73 100644
--- a/mozjs91.spec
+++ b/mozjs91.spec
@@ -12,7 +12,7 @@ # Big endian platforms
 Name: mozjs%{major}
 Version: 91.6.0
-Release: 3
+Release: 4
 Summary: SpiderMonkey JavaScript library
 License: MPL-2.0
 Group: System/Libraries
@@ -37,6 +37,10 @@ Patch14: init_patch.patch
 Patch15: spidermonkey_checks_disable.patch
 Patch16: spidermonkey_support_loongarch64.patch
+Patch17: backport-CVE-2023-23599.patch
+Patch18: backport-CVE-2023-23601.patch
+Patch19: backport-CVE-2023-23602.patch
+
 BuildRequires: autoconf213 cargo ccache clang-devel gcc gcc-c++ libtool perl-devel llvm llvm-devel nasm pkgconfig python3-devel python3-setuptools
 BuildRequires: python3-six readline-devel zip rust pkgconfig(icu-i18n) >= 67.1 pkgconfig(libffi) pkgconfig(nspr) pkgconfig(zlib) icu
@@ -207,6 +211,9 @@ popd
 %{_includedir}/mozjs-%{major}/
 %changelog
+* Thu Mar 21 2024 sunhai - 91.6.0-4
+- fix CVEs
+
 * Thu Dec 15 2022 liuyu - 91.6.0-3
 - support loongarch64 in spidermonkey
-- 
Gitee
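Review bot: In the `WebSocketImpl::Init` definition hunk the added line `bool aIsServerSide, const nsAString& aURL` has no trailing comma before the context line `nsTArray<nsString>& aProtocolArray,`; if the patch file really reads that way rather than this being an artefact of how the page was rendered, WebSocket.cpp will not compile once the patch is applied, and the line should be `bool aIsServerSide, const nsAString& aURL,`. The template arguments of `Maybe<ClientInfo>` and `already_AddRefed<…>` are missing throughout this rendering, which points to angle brackets being stripped, but a dropped comma is not explained by that, so a test build of the patched tree is the cheapest way to settle it. The body of `Init` continues past the hunk, as does the `InitRunnable` class that receives the new `mClientInfo` member.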
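Review bot: Patch17–Patch19 are declared in the mozjs91.spec hunk, but the %prep section is outside the hunks shown; if patches are applied with explicit `%patch14 -p1`-style lines rather than `%autosetup -p1` or `%autopatch`, these three will be listed and never applied while the changelog still claims `- fix CVEs`. Add the matching `%patch17 -p1`, `%patch18 -p1` and `%patch19 -p1` lines, or confirm that %autosetup is in use, before tagging 91.6.0-4. The changelog entry would also be more auditable if it named what was fixed, e.g. `- fix CVE-2023-23599, CVE-2023-23601 and CVE-2023-23602`, since "fix CVEs" gives a security scanner nothing to match against.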