[1/2] package/wpewebkit: security bump to version 2.42.5

Fixes the following security issues:

https://wpewebkit.org/security/WSA-2024-0001.html

- CVE-2024-23222: Processing maliciously crafted web content may lead to
  arbitrary code execution. Apple is aware of a report that this issue
  may have been exploited. Description: A type confusion issue was
  addressed with improved checks.

- CVE-2024-23206: A maliciously crafted webpage may be able to
  fingerprint the user. Description: An access issue was addressed with
  improved access restrictions.

- CVE-2024-23213: Processing web content may lead to arbitrary code
  execution. Description: The issue was addressed with improved memory
  handling.

Add an upstream post-2.42.5 patch to fix an issue with an invalid
backport causing a build issue.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
---
 ...velInterpreter.cpp-339-21-error-t6-w.patch | 39 +++++++++++++++++++
 package/wpewebkit/wpewebkit.hash              |  6 +--
 package/wpewebkit/wpewebkit.mk                |  3 +-
 3 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch

Adrian, All,

On 2024-02-12 16:32 +0200, Adrian Perez de Castro spake thusly:
> Fixes the following security issues:
> 
> https://wpewebkit.org/security/WSA-2024-0001.html
> 
> - CVE-2024-23222: Processing maliciously crafted web content may lead to
>   arbitrary code execution. Apple is aware of a report that this issue
>   may have been exploited. Description: A type confusion issue was
>   addressed with improved checks.
> 
> - CVE-2024-23206: A maliciously crafted webpage may be able to
>   fingerprint the user. Description: An access issue was addressed with
>   improved access restrictions.
> 
> - CVE-2024-23213: Processing web content may lead to arbitrary code
>   execution. Description: The issue was addressed with improved memory
>   handling.
> 
> Add an upstream post-2.42.5 patch to fix an issue with an invalid
> backport causing a build issue.
> 
> Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...velInterpreter.cpp-339-21-error-t6-w.patch | 39 +++++++++++++++++++
>  package/wpewebkit/wpewebkit.hash              |  6 +--
>  package/wpewebkit/wpewebkit.mk                |  3 +-
>  3 files changed, 44 insertions(+), 4 deletions(-)
>  create mode 100644 package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
> 
> diff --git a/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch b/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
> new file mode 100644
> index 0000000000..a15d9e647f
> --- /dev/null
> +++ b/package/wpewebkit/0002-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch
> @@ -0,0 +1,39 @@
> +From 3d5373575695b293b8559155431d0079a6153aff Mon Sep 17 00:00:00 2001
> +From: Michael Catanzaro <mcatanzaro@redhat.com>
> +Date: Mon, 5 Feb 2024 11:00:49 -0600
> +Subject: [PATCH] =?UTF-8?q?[GTK]=20[2.42.5]=20LowLevelInterpreter.cpp:339:?=
> + =?UTF-8?q?21:=20error:=20=E2=80=98t6=E2=80=99=20was=20not=20declared=20in?=
> + =?UTF-8?q?=20this=20scope=20https://bugs.webkit.org/show=5Fbug.cgi=3Fid?=
> + =?UTF-8?q?=3D268739?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Unreviewed build fix. Seems a backport went badly, and we didn't notice
> +because the code is architecture-specific.
> +
> +* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
> +(JSC::CLoop::execute):
> +
> +Upstream: https://github.com/WebKit/WebKit/commit/3d5373575695b293b8559155431d0079a6153aff
> +Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
> +---
> + Source/JavaScriptCore/llint/LowLevelInterpreter.cpp | 2 --
> + 1 file changed, 2 deletions(-)
> +
> +diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> +index 5064ead6cd2e..9a2e2653b121 100644
> +--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> ++++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
> +@@ -336,8 +336,6 @@ JSValue CLoop::execute(OpcodeID entryOpcodeID, void* executableAddress, VM* vm,
> +     UNUSED_VARIABLE(t2);
> +     UNUSED_VARIABLE(t3);
> +     UNUSED_VARIABLE(t5);
> +-    UNUSED_VARIABLE(t6);
> +-    UNUSED_VARIABLE(t7);
> +
> +     struct StackPointerScope {
> +         StackPointerScope(CLoopStack& stack)
> +--
> +2.43.1
> +
> diff --git a/package/wpewebkit/wpewebkit.hash b/package/wpewebkit/wpewebkit.hash
> index 322e494c36..71e41bb1dd 100644
> --- a/package/wpewebkit/wpewebkit.hash
> +++ b/package/wpewebkit/wpewebkit.hash
> @@ -1,6 +1,6 @@
> -# From https://wpewebkit.org/releases/wpewebkit-2.42.4.tar.xz.sums
> -sha1  34da38e9554586154c83fdbb5c20e353b6d97277  wpewebkit-2.42.4.tar.xz
> -sha256  8836040a3687581970b47a232b713e7023c080d5613427f52db619c29fb253a4  wpewebkit-2.42.4.tar.xz
> +# From https://wpewebkit.org/releases/wpewebkit-2.42.5.tar.xz.sums
> +sha1  50a18f43452520e9f34f84c04bc0166af655ffff  wpewebkit-2.42.5.tar.xz
> +sha256  4dbab6c5e6dc0c65a3d7dffc1c2390be5f9abd423faf983fe3a55fe081df0532  wpewebkit-2.42.5.tar.xz
>  
>  # Hashes for license files:
>  sha256  0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4  Source/WebCore/LICENSE-APPLE
> diff --git a/package/wpewebkit/wpewebkit.mk b/package/wpewebkit/wpewebkit.mk
> index e54ec2952f..60a45b13b1 100644
> --- a/package/wpewebkit/wpewebkit.mk
> +++ b/package/wpewebkit/wpewebkit.mk
> @@ -4,7 +4,8 @@
>  #
>  ################################################################################
>  
> -WPEWEBKIT_VERSION = 2.42.4
> +# The middle number is even for stable releases, odd for development ones.
> +WPEWEBKIT_VERSION = 2.42.5
>  WPEWEBKIT_SITE = https://wpewebkit.org/releases
>  WPEWEBKIT_SOURCE = wpewebkit-$(WPEWEBKIT_VERSION).tar.xz
>  WPEWEBKIT_INSTALL_STAGING = YES
> -- 
> 2.43.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

>>>>> "Adrian" == Adrian Perez de Castro <aperez@igalia.com> writes:

 > Fixes the following security issues:
 > https://wpewebkit.org/security/WSA-2024-0001.html

 > - CVE-2024-23222: Processing maliciously crafted web content may lead to
 >   arbitrary code execution. Apple is aware of a report that this issue
 >   may have been exploited. Description: A type confusion issue was
 >   addressed with improved checks.

 > - CVE-2024-23206: A maliciously crafted webpage may be able to
 >   fingerprint the user. Description: An access issue was addressed with
 >   improved access restrictions.

 > - CVE-2024-23213: Processing web content may lead to arbitrary code
 >   execution. Description: The issue was addressed with improved memory
 >   handling.

 > Add an upstream post-2.42.5 patch to fix an issue with an invalid
 > backport causing a build issue.

 > Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>

Committed to 2023.02.x and 2023.11.x, thanks.