From 8da8cd1feb801db8f752824ff5ad5c2adacd2cb8 Mon Sep 17 00:00:00 2001
From: sun_hai_10
Date: Mon, 8 Apr 2024 20:26:32 +0800
Subject: [PATCH] fix cves

(cherry picked from commit f16b820f3c5ae65f2ebb65a726b84bb58fc52f35)
---
 backport-CVE-2023-23599.patch | 42 ++++++++++++
 backport-CVE-2023-23601.patch | 118 ++++++++++++++++++++++++++++++++
 backport-CVE-2023-23602.patch | 125 ++++++++++++++++++++++++++++++++++
 mozjs78.spec | 9 ++-
 4 files changed, 293 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-23599.patch
 create mode 100644 backport-CVE-2023-23601.patch
 create mode 100644 backport-CVE-2023-23602.patch
diff --git a/backport-CVE-2023-23599.patch b/backport-CVE-2023-23599.patch
new file mode 100644
index 0000000..0368d14
--- /dev/null
+++ b/backport-CVE-2023-23599.patch
@@ -0,0 +1,42 @@
+From fd34a58ac999727dde9fbe909953e1a9b5e34b04 Mon Sep 17 00:00:00 2001
+From: s30028044
+Date: Mon, 8 Apr 2024 19:41:26 +0800
+Subject: [PATCH] CVE-2023-23599
+
+---
+ devtools/client/netmonitor/test/browser_net_curl-utils.js | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/devtools/client/netmonitor/test/browser_net_curl-utils.js b/devtools/client/netmonitor/test/browser_net_curl-utils.js
+index dbca31b..5258f5c 100644
+--- a/devtools/client/netmonitor/test/browser_net_curl-utils.js
++++ b/devtools/client/netmonitor/test/browser_net_curl-utils.js
+@@ -307,10 +307,10 @@ function testEscapeStringWin() {
+ "Double quotes should be escaped."
+ );
+ 
+- const percentSigns = "%AppData%";
++ const percentSigns = "%TEMP% %@foo% %2XX% %_XX% %?XX%";
+ is(
+ CurlUtils.escapeStringWin(percentSigns),
+- '""%"AppData"%""',
++ '"^%^TEMP^% ^%^@foo^% ^%^2XX^% ^%^_XX^% ^%?XX^%"',
+ "Percent signs should be escaped."
+ );
+ 
+@@ -321,10 +321,10 @@ function testEscapeStringWin() {
+ "Backslashes should be escaped."
+ );
+ 
+- const newLines = "line1\r\nline2\r\nline3";
++ const newLines = "line1\r\nline2\r\rline3\n\nline4";
+ is(
+ CurlUtils.escapeStringWin(newLines),
+- '"line1"^\u000d\u000A\u000d\u000A"line2"^\u000d\u000A\u000d\u000A"line3"',
++ '"line1"^\r\n\r\n"line2"^\r\n\r\n""^\r\n\r\n"line3"^\r\n\r\n""^\r\n\r\n"line4"',
+ "Newlines should be escaped."
+ );
+ }
+-- 
+2.27.0
+
diff --git a/backport-CVE-2023-23601.patch b/backport-CVE-2023-23601.patch
new file mode 100644
index 0000000..1037cc2
--- /dev/null
+++ b/backport-CVE-2023-23601.patch
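Review bot: The backport for CVE-2023-23599 changes only the test expectations in `browser_net_curl-utils.js` (`1 file changed, 4 insertions(+), 4 deletions(-)`), not the `CurlUtils.escapeStringWin` implementation those expectations exercise, so nothing this patch file applies changes how percent signs and newlines are escaped in generated curl commands. Without the corresponding change to the module that defines `escapeStringWin`, the package remains affected and the updated assertions would fail if the test were run. Either add the implementation hunk from the upstream fix to this patch file, or drop the patch and its `Patch11:` line rather than record the CVE as fixed. It is also worth confirming that the mozjs78 source tarball contains `devtools/` at all; if it does not, the patch cannot apply.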
@@ -0,0 +1,118 @@
+From 5d3ed1e2012322bff7593b7a508f89203d9cd3f9 Mon Sep 17 00:00:00 2001
+From: s30028044
+Date: Mon, 8 Apr 2024 19:50:07 +0800
+Subject: [PATCH] CVE-2023-23601
+
+---
+ dom/base/ContentAreaDropListener.jsm | 25 +++++++------------------
+ dom/events/DataTransfer.cpp | 11 +++++++++++
+ dom/events/DataTransfer.h | 3 +++
+ dom/webidl/DataTransfer.webidl | 7 +++++++
+ 4 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/dom/base/ContentAreaDropListener.jsm b/dom/base/ContentAreaDropListener.jsm
+index 26764ac..adce0e1 100644
+--- a/dom/base/ContentAreaDropListener.jsm
++++ b/dom/base/ContentAreaDropListener.jsm
+@@ -261,30 +261,19 @@ ContentAreaDropListener.prototype = {
+ return true;
+ }
+ 
+- let sourceNode = dataTransfer.mozSourceNode;
+- if (!sourceNode) {
++ // If this is an external drag, allow drop.
++ let sourceWC = dataTransfer.sourceWindowContext;
++ if (!sourceWC) {
+ return true;
+ }
+ 
+- // don't allow a drop of a node from the same document onto this one
+- let sourceDocument = sourceNode.ownerDocument;
+- let eventDocument = aEvent.originalTarget.ownerDocument;
+- if (sourceDocument == eventDocument) {
++ // If drag source and drop target are in the same top window, don't allow.
++ let eventWC =
++ aEvent.originalTarget.ownerGlobal.browsingContext.currentWindowContext;
++ if (eventWC && sourceWC.topWindowContext == eventWC.topWindowContext) {
+ return false;
+ }
+ 
+- // also check for nodes in other child or sibling frames by checking
+- // if both have the same top window. 
+- if (sourceDocument && eventDocument) {
+- if (sourceDocument.defaultView == null) {
+- return true;
+- }
+- let sourceRoot = sourceDocument.defaultView.top;
+- if (sourceRoot && sourceRoot == eventDocument.defaultView.top) {
+- return false;
+- }
+- }
+-
+ return true;
+ },
+ 
+diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
+index 4c623a2..e725e8d 100644
+--- a/dom/events/DataTransfer.cpp
++++ b/dom/events/DataTransfer.cpp
+@@ -435,6 +435,17 @@ already_AddRefed DataTransfer::GetMozSourceNode() {
+ return sourceNode.forget();
+ }
+ 
++already_AddRefed DataTransfer::GetSourceWindowContext() {
++ nsCOMPtr dragSession = nsContentUtils::GetDragSession();
++ if (!dragSession) {
++ return nullptr;
++ }
++
++ RefPtr sourceWindowContext;
++ dragSession->GetSourceWindowContext(getter_AddRefs(sourceWindowContext));
++ return sourceWindowContext.forget();
++}
++
+ already_AddRefed DataTransfer::MozTypesAt(
+ uint32_t aIndex, CallerType aCallerType, ErrorResult& aRv) const {
+ // Only the first item is valid for clipboard events
+diff --git a/dom/events/DataTransfer.h b/dom/events/DataTransfer.h
+index 1d3305e..c086e02 100644
+--- a/dom/events/DataTransfer.h
++++ b/dom/events/DataTransfer.h
+@@ -40,6 +40,7 @@ class FileList;
+ class Promise;
+ template
+ class Optional;
++class WindowContext;
+ 
+ #define NS_DATATRANSFER_IID \
+ { \
+@@ -257,6 +258,8 @@ class DataTransfer final : public nsISupports, public nsWrapperCache {
+ 
+ already_AddRefed GetMozSourceNode();
+ 
++ already_AddRefed GetSourceWindowContext();
++
+ /*
+ * Integer version of dropEffect, set to one of the constants in
+ * nsIDragService.
+diff --git a/dom/webidl/DataTransfer.webidl b/dom/webidl/DataTransfer.webidl
+index f37bcf7..ac019a5 100644
+--- a/dom/webidl/DataTransfer.webidl
++++ b/dom/webidl/DataTransfer.webidl
+@@ -159,6 +159,13 @@ partial interface DataTransfer {
+ [UseCounter]
+ readonly attribute Node? 
mozSourceNode;
+ 
++ /**
++ * The window context that mouse was pressed over to begin the drag. For
++ * external drags, this will be null.
++ */
++ [ChromeOnly]
++ readonly attribute WindowContext? sourceWindowContext;
++
+ /**
+ * The URI spec of the triggering principal. This may be different than
+ * sourceNode's principal when sourceNode is xul:browser and the drag is
+-- 
+2.27.0
+
diff --git a/backport-CVE-2023-23602.patch b/backport-CVE-2023-23602.patch
new file mode 100644
index 0000000..401517d
--- /dev/null
+++ b/backport-CVE-2023-23602.patch
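Review bot: As written into the patch file, every template argument is missing from the C++ lines of this hunk: `already_AddRefed DataTransfer::GetSourceWindowContext()`, `nsCOMPtr dragSession`, `RefPtr sourceWindowContext` and the header's `template` / `class Optional;` all read as though the `<...>` parts had been stripped, which is what happens when a patch is copied out of an HTML view. If the committed `backport-CVE-2023-23601.patch` really lacks them it cannot compile; the same stripping shows in `backport-CVE-2023-23602.patch` (`const Maybe& aClientInfo`, `nsTArray& aProtocolArray`, `RefPtr runnable`). Please diff both patch files against the upstream commits and restore the arguments, e.g. `already_AddRefed<WindowContext>` and `RefPtr<WindowContext>` as the webidl's `WindowContext?` type implies. Separately, `DataTransfer.cpp` now destroys a `RefPtr` to `WindowContext` but the hunk adds no include for its definition, so confirm the file already includes it or add one.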
@@ -0,0 +1,125 @@
+From 09cd706b37d396636546c8a402fe8ca7438716c4 Mon Sep 17 00:00:00 2001
+From: s30028044
+Date: Mon, 8 Apr 2024 20:02:38 +0800
+Subject: [PATCH] CVE-2023-23602
+
+---
+ dom/websocket/WebSocket.cpp | 39 ++++++++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/dom/websocket/WebSocket.cpp b/dom/websocket/WebSocket.cpp
+index caa60d9cd5..59aca1d227 100644
+--- a/dom/websocket/WebSocket.cpp
++++ b/dom/websocket/WebSocket.cpp
+@@ -120,7 +120,8 @@ class WebSocketImpl final : public nsIInterfaceRequestor,
+ bool IsTargetThread() const;
+ 
+ nsresult Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+- nsIPrincipal* aPrincipal, bool aIsServerSide,
++ nsIPrincipal* aPrincipal, const Maybe& aClientInfo,
++ nsICSPEventListener* aCSPEventListener, bool aIsServerSide,
+ const nsAString& aURL, nsTArray& aProtocolArray,
+ const nsACString& aScriptFile, uint32_t aScriptLine,
+ uint32_t aScriptColumn);
+@@ -979,6 +980,7 @@ class WebSocketMainThreadRunnable : public WorkerMainThreadRunnable {
+ class InitRunnable final : public WebSocketMainThreadRunnable {
+ public:
+ InitRunnable(WorkerPrivate* aWorkerPrivate, WebSocketImpl* aImpl,
++ const Maybe& aClientInfo,
+ bool aIsServerSide, const nsAString& aURL,
+ nsTArray& aProtocolArray,
+ const nsACString& aScriptFile, uint32_t aScriptLine,
+@@ -986,6 +988,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+ : WebSocketMainThreadRunnable(aWorkerPrivate,
+ NS_LITERAL_CSTRING("WebSocket :: init")),
+ mImpl(aImpl),
++ mClientInfo(aClientInfo),
+ mIsServerSide(aIsServerSide),
+ mURL(aURL),
+ mProtocolArray(aProtocolArray),
+@@ -1015,10 +1018,10 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+ return true;
+ }
+ 
+- mErrorCode =
+- mImpl->Init(jsapi.cx(), mWorkerPrivate->GetPrincipal(),
+- doc->NodePrincipal(), mIsServerSide, mURL, mProtocolArray,
+- mScriptFile, mScriptLine, mScriptColumn);
++ mErrorCode = mImpl->Init(
++ jsapi.cx(), 
mWorkerPrivate->GetPrincipal(), doc->NodePrincipal(),
++ mClientInfo, mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
++ mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
+ return true;
+ }
+ 
+@@ -1028,7 +1031,8 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+ 
+ mErrorCode =
+ mImpl->Init(nullptr, mWorkerPrivate->GetPrincipal(),
+- aTopLevelWorkerPrivate->GetPrincipal(), mIsServerSide, mURL,
++ aTopLevelWorkerPrivate->GetPrincipal(), mClientInfo,
++ mWorkerPrivate->CSPEventListener(), mIsServerSide, mURL,
+ mProtocolArray, mScriptFile, mScriptLine, mScriptColumn);
+ return true;
+ }
+@@ -1036,6 +1040,7 @@ class InitRunnable final : public WebSocketMainThreadRunnable {
+ // Raw pointer. This worker runnable runs synchronously.
+ WebSocketImpl* mImpl;
+ 
++ Maybe mClientInfo;
+ bool mIsServerSide;
+ const nsAString& mURL;
+ nsTArray& mProtocolArray;
+@@ -1230,9 +1235,8 @@ already_AddRefed WebSocket::ConstructorCommon(
+ }
+ 
+ aRv = webSocketImpl->Init(aGlobal.Context(), loadingPrincipal, principal,
+- !!aTransportProvider, aUrl, protocolArray,
+- EmptyCString(), 0, 0);
+-
++ Nothing(), nullptr, !!aTransportProvider, aUrl,
++ protocolArray, ""_ns, 0, 0);
+ if (NS_WARN_IF(aRv.Failed())) {
+ return nullptr;
+ }
+@@ -1256,8 +1260,9 @@ already_AddRefed WebSocket::ConstructorCommon(
+ }
+ 
+ RefPtr runnable = new InitRunnable(
+- workerPrivate, webSocketImpl, !!aTransportProvider, aUrl, protocolArray,
+- nsDependentCString(file.get()), lineno, column);
++ workerPrivate, webSocketImpl,
++ workerPrivate->GlobalScope()->GetClientInfo(), !!aTransportProvider,
++ aUrl, protocolArray, nsDependentCString(file.get()), lineno, column);
+ runnable->Dispatch(Canceling, aRv);
+ if (NS_WARN_IF(aRv.Failed())) {
+ return nullptr;
+@@ -1443,8 +1448,10 @@ void WebSocket::DisconnectFromOwner() {
+ //-----------------------------------------------------------------------------
+ 
+ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal, 
+- nsIPrincipal* aPrincipal, bool aIsServerSide,
+- const nsAString& aURL,
++ nsIPrincipal* aPrincipal,
++ const Maybe& aClientInfo,
++ nsICSPEventListener* aCSPEventListener,
++ bool aIsServerSide, const nsAString& aURL,
+ nsTArray& aProtocolArray,
+ const nsACString& aScriptFile,
+ uint32_t aScriptLine, uint32_t aScriptColumn) {
+@@ -1537,7 +1544,11 @@ nsresult WebSocketImpl::Init(JSContext* aCx, nsIPrincipal* aLoadingPrincipal,
+ aPrincipal, // loading principal
+ aPrincipal, // triggering principal
+ originDoc, nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
+- nsIContentPolicy::TYPE_WEBSOCKET);
++ nsIContentPolicy::TYPE_WEBSOCKET, aClientInfo);
++
++ if (aCSPEventListener) {
++ secCheckLoadInfo->SetCspEventListener(aCSPEventListener);
++ }
+ 
+ int16_t shouldLoad = nsIContentPolicy::ACCEPT;
+ rv = NS_CheckContentLoadPolicy(uri, secCheckLoadInfo, EmptyCString(),
+-- 
+2.27.0
+
diff --git a/mozjs78.spec b/mozjs78.spec
index 63b0c40..32c4557 100644
--- a/mozjs78.spec
+++ b/mozjs78.spec
@@ -2,7 +2,7 @@ Name: mozjs%{major}
 Version: 78.4.0
-Release: 2
+Release: 3
 Summary: SpiderMonkey JavaScript library
 License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
 URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@@ -23,6 +23,10 @@ Patch08: spidermonkey_checks_disable.patch
 Patch09: Update-syn-and-proc-macro2-so-that-Firefox-can-build-on-Rust-nightly-again.patch
 Patch10: Fix-build-with-rust-nightly.patch
+Patch11: backport-CVE-2023-23599.patch
+Patch12: backport-CVE-2023-23601.patch
+Patch13: backport-CVE-2023-23602.patch
+
 BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib)
 BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
@@ -101,6 +105,9 @@ popd
 %doc js/src/README.html
 %changelog
+* Mon Apr 08 2024 sunhai - 78.4.0-3
+- fix CVEs
+
 * Tue May 11 2021 zhanzhimin - 78.4.0-2
 - Type:bugfix
 - ID:NA
-- 
Gitee
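Review bot: The rewritten `WebSocket::ConstructorCommon` call replaces `EmptyCString()` with `""_ns`, while the surrounding context in the same file still uses the older spellings `NS_LITERAL_CSTRING("WebSocket :: init")` and `EmptyCString()` in the `NS_CheckContentLoadPolicy` call; if this 78-era tree predates the `_ns` literal, the backport fails to compile on that one token. Keeping what the removed line had is the minimal change: `Nothing(), nullptr, !!aTransportProvider, aUrl, protocolArray, EmptyCString(), 0, 0);`. The same question applies to the other names the hunk introduces without adding anything that defines them — `mWorkerPrivate->CSPEventListener()`, `workerPrivate->GlobalScope()->GetClientInfo()` and the extra `aClientInfo` argument to the `secCheckLoadInfo` constructor — so the patch should be built against this tree rather than assumed to apply because the upstream commit did. `WebSocketImpl::Init` continues past the end of the hunk.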
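Review bot: The three new `Patch11:`–`Patch13:` lines declare the backports, but the hunk shows no corresponding application (`%patch11 -p1` and so on) in `%prep`; if the spec applies patches explicitly rather than via `%autosetup`, the files ship in the SRPM but are never applied, and the `78.4.0-3` changelog entry would claim fixes that are not in the build. All three patches touch `dom/` and `devtools/` paths outside `js/src`; if the mozjs78 source tarball does not carry those directories, `%prep` fails, or with no `%patch` lines nothing happens at all. The changelog line `- fix CVEs` should also name them, e.g. `- fix CVE-2023-23599, CVE-2023-23601, CVE-2023-23602`.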