chore: cherry-pick 3 changes from Release-1-M117 #40078

Merged: 2 commits merged into 25-x-y on Oct 6, 2023

@ppontes ppontes commented Oct 3, 2023

electron/security#409 - b0ad701a609a from v8 Merged: [builtins] Clear FixedArray slot in Promise builtins

(cherry picked from commit f1884222ad56734e56d80f9707e0e8279af9049e)

Bug: chromium:1479104
Change-Id: Iddc16d8add4dc6bf6f55f537da44770bea6f4bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4862980
Auto-Submit: Shu-yu Guo syg@chromium.org
Reviewed-by: Adam Klein adamk@chromium.org
Commit-Queue: Adam Klein adamk@chromium.org
Cr-Commit-Position: refs/branch-heads/11.6@{#36}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}

electron/security#408 - b11e7d07a6f4 from chromium M117: Check for object destruction in PdfViewWebPlugin::UpdateFocus()

PdfViewWebPlugin::UpdateFocus() can potentially trigger its own
destruction. Add a check for this and bail out.

(cherry picked from commit cacf485a202b342526374d444375b80a044add76)

Bug: 1480184
Change-Id: I5e7760ed541a2bffb9dd1ebeb522f10650049033
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4852346
Reviewed-by: Tom Sepez tsepez@chromium.org
Code-Coverage: findit-for-me@appspot.gserviceaccount.com findit-for-me@appspot.gserviceaccount.com
Commit-Queue: Lei Zhang thestig@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1194210}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4863395
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/5938@{#1286}
Cr-Branched-From: 2b50cb4bcc2318034581a816714d9535dc38966d-refs/heads/main@{#1181205}

electron/security#411 - 309b604c4e88 from chromium [M114-LTS] Fix DataPipeDrainer usage in ExtensionLocalizationURLLoader

There is a bug that when ExtensionLocalizationURLLoader is destructed
by canceling the CSS requests from extensions, DataPipeProducer may
cause UAF.
This is because DataPipeProducer is not correctly used in
ExtensionLocalizationURLLoader. DataPipeProducer and the data must be
kept alive until notified of completion.

This CL fixes this by changing ExtensionLocalizationURLLoader to keep
DataPipeProducer and the data even if ExtensionLocalizationURLLoader
itself is destructed.

(cherry picked from commit b6e060e17ed9e46b3043a3c369fc10cbbe2245d8)

Bug: 1475798
Change-Id: I013396f2c49f4712914b917c3330b99a1be791b8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4821086
Commit-Queue: Tsuyoshi Horo horo@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1191115}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4872577
Commit-Queue: Zakhar Voit voit@google.com
Owners-Override: Victor Gabriel Savu vsavu@google.com
Reviewed-by: Victor Gabriel Savu vsavu@google.com
Cr-Commit-Position: refs/branch-heads/5735@{#1611}
Cr-Branched-From: 2f562e4ddbaf79a3f3cb338b4d1bd4398d49eb67-refs/heads/main@{#1135570}

Notes:

  • Security: backported fix for 1479104.
  • Security: backported fix for 1480184.
  • Security: backported fix for CVE-2023-5187.

* b0ad701a609a from v8
* b11e7d07a6f4 from chromium
* 309b604c4e88 from chromium
@ppontes ppontes requested a review from a team as a code owner October 3, 2023 16:21
@ppontes ppontes added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 25-x-y labels Oct 3, 2023
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Oct 3, 2023
@ppontes ppontes marked this pull request as draft October 3, 2023 16:24
@ppontes ppontes marked this pull request as ready for review October 3, 2023 16:26
@jkleinsc jkleinsc merged commit bd43e65 into 25-x-y Oct 6, 2023
13 checks passed
@jkleinsc jkleinsc deleted the cherry-pick/security/25-x-y/release-1-m117 branch October 6, 2023 13:54
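
An added illustration of the lifetime rule stated in the ExtensionLocalizationURLLoader commit message above (the producer and its data must stay alive until completion is signalled); it is not part of this PR or of the Chromium patch. `WriteState`, `UnsafeLoader`, `SafeLoader` and `CancelBeforeCompletion` are hypothetical names, and a `std::weak_ptr` stands in for the raw borrowed pointer so the dangling case is reported instead of being undefined behaviour.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Task queue standing in for the sequence that performs the pipe write.
using TaskQueue = std::deque<std::function<void()>>;
enum class Result { kPending, kWritten, kDangling };

// Hypothetical stand-in for the producer plus the bytes it is writing.
struct WriteState {
  std::string data;
  // The queued task only borrows the state; weak_ptr makes a dangling borrow observable.
  static void Start(TaskQueue& q, std::weak_ptr<WriteState> self,
                    std::string* sink, std::function<void(Result)> done) {
    q.push_back([self, sink, done = std::move(done)] {
      auto s = self.lock();
      if (!s) return done(Result::kDangling);  // with a raw pointer: UAF
      *sink += s->data;
      done(Result::kWritten);
    });
  }
};

// Before: the loader owns the state, so a cancelled (destroyed) loader frees it mid-write.
struct UnsafeLoader {
  std::shared_ptr<WriteState> state;
  UnsafeLoader(TaskQueue& q, std::string css, std::string* sink, Result* out) {
    state = std::make_shared<WriteState>(WriteState{std::move(css)});
    WriteState::Start(q, state, sink, [out](Result r) { *out = r; });
  }
};

// After: the completion callback owns the state, so it outlives the loader.
struct SafeLoader {
  SafeLoader(TaskQueue& q, std::string css, std::string* sink, Result* out) {
    auto state = std::make_shared<WriteState>(WriteState{std::move(css)});
    WriteState::Start(q, state, sink, [state, out](Result r) { *out = r; });
  }
};

template <class Loader>
Result CancelBeforeCompletion(std::string* sink) {
  TaskQueue q;
  Result out = Result::kPending;
  { Loader loader(q, "body{color:red}", sink, &out); }  // loader destroyed here
  for (; !q.empty(); q.pop_front()) q.front()();        // write runs afterwards
  return out;
}
```

`CancelBeforeCompletion<UnsafeLoader>` reports `kDangling` and writes nothing, while `CancelBeforeCompletion<SafeLoader>` reports `kWritten` with the full constructed CSS string in the sink.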
release-clerk bot commented Oct 6, 2023

Release Notes Persisted

  • Security: backported fix for 1479104.
  • Security: backported fix for 1480184.
  • Security: backported fix for CVE-2023-5187.
