chore: cherry-pick 6 changes from Release-1-M120 by ppontes · Pull Request #40803 · electron/electron · GitHub

chore: cherry-pick 6 changes from Release-1-M120 #40803

Merged
merged 2 commits into from
Dec 21, 2023

Conversation

ppontes
Member
@ppontes ppontes commented Dec 20, 2023
electron/security#442 - 998e947b265f from chromium [FedCM] Check API permission before showing accounts UI

The accounts fetch could be delayed for legitimate reasons. A user may be
able to disable FedCM API (e.g. via settings or dismissing another FedCM
UI on the same RP origin) before the browser receives the accounts
response.

This patch checks the API permission before showing the accounts UI.

(cherry picked from commit 98676a2f66c4b4b802316eef70f4aab77e631f85)

Change-Id: Idbbe88912941113ec3f54d7f222845cd774dc897
Bug: 1500921
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5064052
Commit-Queue: Yi Gu yigu@chromium.org
Reviewed-by: Christian Biesinger cbiesinger@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1229912}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5074630
Auto-Submit: Yi Gu yigu@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#1255}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#437 - 021598ea43c1 from chromium [InsertableStreams] Drop frames received on the wrong task runner

It can happen during transfer that a frame is posted from the
background media thread to the task runner of the old execution
context, which can lead to races and UAF.

This CL makes underlying sources drop frames received on the
wrong task runner to avoid the problem.

(cherry picked from commit 9d042e0d498356185fe9eb33c53b69fab33d06bf)

Bug: 1505708
Change-Id: I686228d88cb1c48bdf8c0b6bf85edd280a54300a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5077845
Commit-Queue: Guido Urdaneta guidou@chromium.org
Reviewed-by: Tony Herre toprice@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1231802}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5082444
Commit-Queue: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Auto-Submit: Guido Urdaneta guidou@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#1370}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#440 - 76340163a820 from chromium [M120] ImageBitmapFactory: fix empty context dcheck

Approved by:
https://bugs.chromium.org/p/chromium/issues/detail?id=1502102#c34

(cherry picked from commit c4d2f15b8f97076c8fd0f9aa5814b94db698b75c)

Fixed: 1502102
Change-Id: Ib42d2897d62136ae835561bcf56884b5624060a5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5071252
Commit-Queue: Paul Semel paulsemel@chromium.org
Reviewed-by: Jean-Philippe Gravel jpgravel@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1230617}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5088373
Auto-Submit: Arthur Sonzogni arthursonzogni@google.com
Reviewed-by: Paul Semel paulsemel@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#1416}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#438 - f15cfb9371c4 from chromium Fix reinit order in ContextProviderCommandBuffer::BindToCurrentSequence

See comments for explanation.

(cherry picked from commit 7d8400ceb56db5fd97249f787251fe8b3928e6fd)

Bug: 1505632
Change-Id: I0f43821a9708af91303048332e9fae5e100deee5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5069480
Reviewed-by: Saifuddin Hitawala hitawala@chromium.org
Commit-Queue: Kai Ninomiya kainino@chromium.org
Reviewed-by: Brendon Tiszka tiszka@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1230735}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5095795
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Commit-Queue: Saifuddin Hitawala hitawala@chromium.org
Auto-Submit: Kai Ninomiya kainino@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#1424}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#436 - 4ca62c7a8b88 from chromium Check for slugs count before deserializing Slugs in DrawSlugOp

Count is part of serialized data and while we never serialize values
less than 1, it can be any value when coming over IPC, we should check
that it's positive before subtracting one.

(cherry picked from commit 0527e0d5b08a13d63f4f1eeefa1b86ecfd0cb63b)

Bug: 1506726
Change-Id: I244f50a682f2e852b22ba88f1e9cddddb0fdfcb9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5078779
Reviewed-by: Peng Huang penghuang@chromium.org
Commit-Queue: Vasiliy Telezhnikov vasilyt@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1232013}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5096809
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/6099@{#1428}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#441 - cbd09b2ca928 from v8 Merged: [promises, async stack traces] Fix the case when the closure has run

We were using the closure pointing to NativeContext as a marker that the
closure has run, but async stack trace code was confused about it.

(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)

Bug: chromium:1501326
Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
Cr-Original-Commit-Position: refs/heads/main@{#90949}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
Commit-Queue: Marja Hölttä marja@chromium.org
Reviewed-by: Shu-yu Guo syg@chromium.org
Reviewed-by: Igor Sheludko ishell@chromium.org
Auto-Submit: Marja Hölttä marja@chromium.org
Cr-Commit-Position: refs/branch-heads/12.0@{#18}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}

Notes:
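The DrawSlugOp commit message above describes a count field that arrives over IPC and has one subtracted from it. The following is an added example, not code from Chromium or Electron: it uses a constructed wire layout and hypothetical names (`SlugOp`, `DeserializeSlugOp`, `UncheckedExtraCount`, `Encode`) to show the unsigned wrap-around an unchecked count of 0 produces, beside a deserializer that validates the count before using it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Constructed wire layout (an assumption, not Chromium's format):
//   uint32 count, then `count` slug ids (uint32 each, host byte order).
// The first id is the primary slug; the other count - 1 are "extra" slugs.
struct SlugOp {
  uint32_t primary = 0;
  std::vector<uint32_t> extra;
};

// What unchecked code computes: count == 0 wraps to 0xFFFFFFFF.
uint32_t UncheckedExtraCount(uint32_t count) { return count - 1; }

static bool ReadU32(const uint8_t* data, size_t size, size_t* off, uint32_t* out) {
  if (size - *off < sizeof(uint32_t)) return false;  // *off <= size always holds
  std::memcpy(out, data + *off, sizeof(uint32_t));
  *off += sizeof(uint32_t);
  return true;
}

// Hardened form: reject count < 1 before subtracting, and reject counts the
// remaining payload cannot back, before allocating anything.
std::optional<SlugOp> DeserializeSlugOp(const uint8_t* data, size_t size) {
  size_t off = 0;
  uint32_t count = 0;
  if (!ReadU32(data, size, &off, &count)) return std::nullopt;
  if (count < 1) return std::nullopt;  // the positivity check
  if (count > (size - off) / sizeof(uint32_t)) return std::nullopt;
  SlugOp op;
  if (!ReadU32(data, size, &off, &op.primary)) return std::nullopt;
  op.extra.resize(count - 1);  // safe: count >= 1 and bounded by the payload
  for (uint32_t& id : op.extra)
    if (!ReadU32(data, size, &off, &id)) return std::nullopt;
  return op;
}

std::vector<uint8_t> Encode(const std::vector<uint32_t>& words) {
  std::vector<uint8_t> buf(words.size() * sizeof(uint32_t));
  if (!buf.empty()) std::memcpy(buf.data(), words.data(), buf.size());
  return buf;
}

int main() {
  std::vector<uint8_t> msg = Encode({0, 10});  // constructed message, count == 0
  return DeserializeSlugOp(msg.data(), msg.size()) ? 1 : 0;  // 0 = rejected
}
```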

@ppontes ppontes requested a review from a team as a code owner December 20, 2023 22:58
@ppontes ppontes added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 26-x-y labels Dec 20, 2023
@ppontes ppontes marked this pull request as draft December 20, 2023 23:12
@ppontes ppontes marked this pull request as ready for review December 21, 2023 00:22
@ppontes ppontes marked this pull request as draft December 21, 2023 00:22
@ppontes ppontes force-pushed the cherry-pick/security/26-x-y/release-1-m120 branch 2 times, most recently from 8f9651a to bbd29ed Compare December 21, 2023 02:03
@ppontes ppontes marked this pull request as ready for review December 21, 2023 02:13
@ppontes ppontes marked this pull request as draft December 21, 2023 10:35
@ppontes ppontes force-pushed the cherry-pick/security/26-x-y/release-1-m120 branch from c73e56c to ad84dc2 Compare December 21, 2023 17:19
@ppontes ppontes marked this pull request as ready for review December 21, 2023 17:20
* 58bc7b8bb840 from libavif
* 021598ea43c1 from chromium
* 76340163a820 from chromium
* f15cfb9371c4 from chromium
* 4ca62c7a8b88 from chromium
* cbd09b2ca928 from v8
@ppontes ppontes force-pushed the cherry-pick/security/26-x-y/release-1-m120 branch from 386fbac to e3c10a7 Compare December 21, 2023 19:15
Member
@ckerr ckerr left a comment

All of these LGTM

@MarshallOfSound MarshallOfSound merged commit 783f23b into 26-x-y Dec 21, 2023
@MarshallOfSound MarshallOfSound deleted the cherry-pick/security/26-x-y/release-1-m120 branch December 21, 2023 23:55
@release-clerk
release-clerk bot commented Dec 21, 2023

Release Notes Persisted

  • Security: backported fix for CVE-2023-6704.
  • Security: backported fix for CVE-2023-6705.
  • Security: backported fix for CVE-2023-6703.
  • Security: backported fix for 1505632.
  • Security: backported fix for 1506726.
  • Security: backported fix for CVE-2023-6702.
