!19 fix CVE-2023-26081

From: @HelloWorld_lvcongqing Reviewed-by: @weidongkl Signed-off-by: @weidongkl
2023-02-27 09:26:26 +00:00 · 2023-02-27 09:26:26 +00:00 · 37ed62e53c
commit 37ed62e53c
parent 1f7b415a42 a649f83ff0
2 changed files with 90 additions and 1 deletions
--- a/CVE-2023-26081.patch
+++ b/CVE-2023-26081.patch
@ -0,0 +1,85 @@
+From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 3 Feb 2023 13:07:15 -0600
+Subject: [PATCH] Don't autofill passwords in sandboxed contexts
+
+If using the sandbox CSP or iframe tag, the web content is supposed to
+be not trusted by the main resource origin. Therefore, we'd better
+disable the password manager entirely so the untrusted web content
+cannot exfiltrate passwords.
+
+https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275>
+---
+ .../resources/js/ephy.js                      | 26 +++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js
+index 6fccd3d94..d1c42adbc 100644
+--- a/embed/web-process-extension/resources/js/ephy.js
+++ b/embed/web-process-extension/resources/js/ephy.js
+@@ -354,6 +354,12 @@ Ephy.hasModifiedForms = function()
+     }
+ };
+ 
+Ephy.isSandboxedWebContent = function()
+{
+    // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
+    return self.origin === null || self.origin === 'null';
+};
+
+ Ephy.PasswordManager = class PasswordManager
+ {
+     constructor(pageID, frameID)
+@@ -387,6 +393,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     query(origin, targetOrigin, username, usernameField, passwordField)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`);
+ 
+         return new Promise((resolver, reject) => {
+@@ -398,6 +409,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     save(origin, targetOrigin, username, password, usernameField, passwordField, isNew)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerSave.postMessage({
+@@ -409,6 +425,11 @@ Ephy.PasswordManager = class PasswordManager
+     // FIXME: Why is pageID a parameter here?
+     requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`);
+            return;
+        }
+
+         Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`);
+ 
+         window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({
+@@ -428,6 +449,11 @@ Ephy.PasswordManager = class PasswordManager
+ 
+     queryUsernames(origin)
+     {
+        if (Ephy.isSandboxedWebContent()) {
+            Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`);
+            return Promise.resolve(null);
+        }
+
+         Ephy.log(`Requesting usernames for origin=${origin}`);
+ 
+         return new Promise((resolver, reject) => {
+-- 
+GitLab
+
--- a/epiphany.spec
+++ b/epiphany.spec
@ -5,12 +5,13 @@
 Name:                epiphany
 Epoch:               1
 Version:             43.0
-Release:             1
+Release:             2
 Summary:             Web browser for GNOME
 License:             GPLv3+
 URL:                 https://wiki.gnome.org/Apps/Web
 Source0:             https://download.gnome.org/sources/epiphany/43/%{name}-%{version}.tar.xz
 Patch0:              epiphany-default-bookmarks-openeuler.patch
+Patch1:              CVE-2023-26081.patch

 BuildRequires:       desktop-file-utils gcc gettext-devel iso-codes-devel itstool
 BuildRequires:       libappstream-glib-devel meson pkgconfig(cairo) pkgconfig(evince-document-3.0)
@ -105,6 +106,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/*.desktop
 #%config(noreplace)%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf

 %changelog
+* Thu Feb 23 2023 liweiganga <liweiganga@uniontech.com> - 1:43.0-2
+- fix CVE-2023-26081
+
 * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1:43.0-1
 - Update to 43.0