Tags: chakra-core/ChakraCore
[MERGE #6531 @MikeHolman] December 2020 Security Update Merge pull request #6531 from MikeHolman:servicing/2012 December 2020 Security Update that addresses the following issue in ChakraCore: CVE-2020-17131
[MERGE #6528 @akroshg] ChakraCore Servicing update for 2020.11B Merge pull request #6528 from akroshg:servicing_2011 Fixing - [CVE-2020-17054] [CVE-2020-17048]
[MERGE #6500 @boingoing] ChakraCore Servicing update for 2020.09B Merge pull request #6500 from boingoing:servicing/2009 [CVE-2020-0878] [CVE-2020-1180] [CVE-2020-1057] [CVE-2020-1172]
[MERGE #6464 @rajeshpeter] ChakraCore Servicing Update for 2020.06B
Merge pull request #6464 from rajeshpeter:servicing/2006

[CVE-2020-1219] Js::PathTypeHandlerBase::SetPrototype should protect against the case where the instance's type is changed as a side-effect of calling newPrototype->GetInternalProperty. Intl.js should not refer directly to the global Intl property, as this may have been modified by the user in such a way that Intl initialization has side-effects. Created an Intl property on the interface object whose value is the built-in Intl object and refer to that in Intl.js instead.

[CVE-2020-1073] Non-optimized StFld that may change the object's type may be undetected in the loop prepass, resulting in bad AdjustObjType downstream. If the dead store pass detects a final type that's live across a non-optimized StFld, mark the StFld to use a helper that will return true if the object's type is changed, and bail out if the helper returns true. Also ensures there is no type transition live across InitClassMember.
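The Intl.js part of the 2020.06B message above describes a general hazard: self-hosted library code that resolves the global `Intl` binding at call time will run whatever a user script has installed there, side effects included. The script below is an added illustration (not ChakraCore code) of that hazard and of the fix's pattern of capturing the built-in once before user code runs; the names `BuiltinIntl`, `installHostileIntl`, `formatWithGlobal` and `formatWithCaptured` are assumed for the example, and the hostile getter stands in for an arbitrary user modification.

```javascript
// Added example, not ChakraCore's own code. A user script can redefine the
// global Intl binding, so library code that resolves "Intl" at call time runs
// attacker-controlled code. Capturing the built-in once, before user code
// runs, is the pattern the commit describes (there it lives on the interface
// object; here it is a module-level constant with an assumed name).

// "Engine initialization": snapshot the real built-in before anything else.
const BuiltinIntl = Intl;

// Records every access to the hostile global, to make side effects visible.
const accessLog = [];

// Pre-fix pattern: resolve the global each time it is needed.
function formatWithGlobal(value, locale) {
  return new Intl.NumberFormat(locale).format(value);
}

// Post-fix pattern: use the captured reference, never the global.
function formatWithCaptured(value, locale) {
  return new BuiltinIntl.NumberFormat(locale).format(value);
}

// Hostile user script: Intl is a configurable property of the global object,
// so it can be redefined as an accessor whose every read has side effects.
function installHostileIntl() {
  Object.defineProperty(globalThis, "Intl", {
    configurable: true,
    get() {
      accessLog.push("Intl read");
      return {
        NumberFormat: function (locale) {
          accessLog.push(`NumberFormat(${locale})`);
          return { format: () => "tampered" };
        },
      };
    },
  });
}

// Put the original binding back so later code behaves normally.
function restoreIntl() {
  Object.defineProperty(globalThis, "Intl", {
    configurable: true,
    writable: true,
    enumerable: false,
    value: BuiltinIntl,
  });
}

// Runs the scenario and returns what each pattern produced.
function demo() {
  accessLog.length = 0;
  installHostileIntl();
  const viaGlobal = formatWithGlobal(1234.5, "en-US");     // "tampered"
  const viaCaptured = formatWithCaptured(1234.5, "en-US"); // "1,234.5"
  const effects = accessLog.length;                        // 2 (one read, one ctor)
  restoreIntl();
  return { viaGlobal, viaCaptured, effects };
}

console.log(demo());
```

The same reasoning applies to any intrinsic a library touches after user code has run (`Object`, `Array.prototype`, `Symbol.iterator`): if the engine's own code must behave independently of the page, it has to hold its own references, obtained before the first user script executes.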
[MERGE #6447 @rajeshpeter] ChakraCore Servicing Update for 2020.05B
Merge pull request #6447 from rajeshpeter:servicing/2005

**Changes to address the following issues:**

**[CVE-2020-1037]** Ensure JIT bails out when there is an object marked as temporary during an implicit call, to prevent objects stored on the stack from being used outside of the function. This is done by preventing removal of the Bailout instruction for that case during the DeadStore pass of GlobOpt.

**[CVE-2020-1065]** A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This can result in us calculating an incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only trigger when the enclosing function's param and body scopes are merged, so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
[MERGE #6420 @boingoing] ChakraCore Servicing Update for 2020.04B Merge pull request #6420 from boingoing:servicing_2004_b ChakraCore Servicing Update for 2020.04B Changes to address the following issues: [CVE-2020-0970] [CVE-2020-0969]
[MERGE #6375 @akroshg] ChakraCore servicing fixes for Feb release Merge pull request #6375 from akroshg:servicing/2002 Fixes following CVEs [CVE-2020-0710] [CVE-2020-0711] [CVE-2020-0712] [CVE-2020-0713] [CVE-2020-0767]