Tags: protection6/ChakraCore
[MERGE chakra-core#6531 @MikeHolman] December 2020 Security Update Merge pull request chakra-core#6531 from MikeHolman:servicing/2012 December 2020 Security Update that addresses the following issue in ChakraCore: CVE-2020-17131
[MERGE chakra-core#6528 @akroshg] ChakraCore Servicing update for 2020.11B Merge pull request chakra-core#6528 from akroshg:servicing_2011 Fixing - [CVE-2020-17054] [CVE-2020-17048]
[MERGE chakra-core#6500 @boingoing] ChakraCore Servicing update for 2020.09B Merge pull request chakra-core#6500 from boingoing:servicing/2009 [CVE-2020-0878] [CVE-2020-1180] [CVE-2020-1057] [CVE-2020-1172]
[MERGE chakra-core#6491 @akroshg] ChakraCore Servicing update for 2020.08B Merge pull request chakra-core#6491 from akroshg:servicing_2008 [CVE-2020-1555]
[MERGE chakra-core#6464 @rajeshpeter] ChakraCore Servicing Update for 2020.06B Merge pull request chakra-core#6464 from rajeshpeter:servicing/2006 [CVE-2020-1219] Js::PathTypeHandlerBase::SetPrototype should protect against the case where the instance's type is changed as a side-effect of calling newPrototype->GetInternalProperty. Intl.js should not refer directly to the global Intl property, as this may have been modified by the user in such a way that Intl initialization has side-effects. Created an Intl property on the interface object whose value is the built-in Intl object and refer to that in Intl.js instead. [CVE-2020-1073] Non-optimized StFld that may change the object's type may be undetected in the loop prepass, resulting in bad AdjustObjType downstream. If the dead store pass detects a final type that's live across a non-optimized StFld, mark the StFld to use a helper that will return true if the object's type is changed, and bail out if the helper returns true. Also ensures there is no type transition live across InitClassMember.
[MERGE chakra-core#6447 @rajeshpeter] ChakraCore Servicing Update for 2020.05B Merge pull request chakra-core#6447 from rajeshpeter:servicing/2005 **Changes to address the following issues:** **[CVE-2020-1037]** Ensure JIT bails out when there is an object marked as temporary during an implicit call, to prevent objects stored on the stack from being used outside of the function. This is done by preventing removal of the Bailout instruction for that case during the DeadStore pass of GlobOpt. **[CVE-2020-1065]** A previous MSRC fix removes the body scope of an enclosing function when a nested function is declared in the param scope of that enclosing function. This can result in us calculating an incorrect envIndex for any symbols captured from enclosing scopes if this skipped body scope appears in the frameDisplay being passed to the nested function. This fix addresses the issue by marking the parameter scope also as mustInstantiate = true so we end up computing the correct envIndex. This problem and the fix only trigger when the enclosing function's param and body scopes are merged, so the param and body scopes will never appear together in the scope stack and as such will not mess up the envIndex.
[MERGE chakra-core#6420 @boingoing] ChakraCore Servicing Update for 2020.04B Merge pull request chakra-core#6420 from boingoing:servicing_2004_b ChakraCore Servicing Update for 2020.04B Changes to address the following issues: [CVE-2020-0970] [CVE-2020-0969]
[MERGE chakra-core#6386 @pleath] Update version to 1.11.17 Merge pull request chakra-core#6386 from pleath:version1.11.17
[MERGE chakra-core#6375 @akroshg] ChakraCore servicing fixes for Feb release Merge pull request chakra-core#6375 from akroshg:servicing/2002 Fixes following CVEs [CVE-2020-0710] [CVE-2020-0711] [CVE-2020-0712] [CVE-2020-0713] [CVE-2020-0767]