package/webkitgtk: security bump to version 2.42.5

Fixes the following security issues:

https://webkitgtk.org/security/WSA-2024-0001.html

- CVE-2024-23222: Processing maliciously crafted web content may lead to
  arbitrary code execution.  Apple is aware of a report that this issue may
  have been exploited.  Description: A type confusion issue was addressed
  with improved checks.

- CVE-2024-23206: A maliciously crafted webpage may be able to fingerprint
  the user.  Description: An access issue was addressed with improved access
  restrictions.

- CVE-2024-23213: Processing web content may lead to arbitrary code execution.
  Description: The issue was addressed with improved memory handling.

- CVE-2023-40414: Processing web content may lead to arbitrary code
  execution.  Description: A use-after-free issue was addressed with
  improved memory management.

- CVE-2023-42833: Processing web content may lead to arbitrary code execution.
  Description: A correctness issue was addressed with improved checks.

- CVE-2014-1745: Processing a file may lead to a denial-of-service or
  potentially disclose memory contents.  Description: The issue was
  addressed with improved checks.

https://webkitgtk.org/security/WSA-2023-0012.html

- CVE-2023-42883: Processing a SVG image may lead to a denial-of-service.
  Description: The issue was addressed with improved memory handling.

- CVE-2023-42890: Processing web content may lead to arbitrary code
  execution.  Description: The issue was addressed with improved memory
  handling.

https://webkitgtk.org/security/WSA-2023-0011.html

- CVE-2023-42916: Processing web content may disclose sensitive information.
  Apple is aware of a report that this issue may have been actively
  exploited.  Description: An out-of-bounds read was addressed with improved
  input validation.

- CVE-2023-42917: Processing web content may lead to arbitrary code
  execution.  Apple is aware of a report that this issue may have been
  actively exploited.  Description: A memory corruption vulnerability was
  addressed with improved locking.

Add an upstream post-2.42.5 patch to fix an issue with an invalid backport
causing a build issue.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/webkitgtk/0001-GTK-2.42.5-LowLevelInterpreter.cpp-339-21-error-t6-w.patch

@@ -0,0 +1,39 @@
+From 3d5373575695b293b8559155431d0079a6153aff Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Mon, 5 Feb 2024 11:00:49 -0600
+Subject: [PATCH] =?UTF-8?q?[GTK]=20[2.42.5]=20LowLevelInterpreter.cpp:339:?=
+ =?UTF-8?q?21:=20error:=20=E2=80=98t6=E2=80=99=20was=20not=20declared=20in?=
+ =?UTF-8?q?=20this=20scope=20https://bugs.webkit.org/show=5Fbug.cgi=3Fid?=
+ =?UTF-8?q?=3D268739?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Unreviewed build fix. Seems a backport went badly, and we didn't notice
+because the code is architecture-specific.
+
+* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
+(JSC::CLoop::execute):
+
+Upstream: https://github.com/WebKit/WebKit/commit/3d5373575695b293b8559155431d0079a6153aff
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ Source/JavaScriptCore/llint/LowLevelInterpreter.cpp | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
+index 5064ead6cd2e..9a2e2653b121 100644
+--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
++++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
+@@ -336,8 +336,6 @@ JSValue CLoop::execute(OpcodeID entryOpcodeID, void* executableAddress, VM* vm,
+     UNUSED_VARIABLE(t2);
+     UNUSED_VARIABLE(t3);
+     UNUSED_VARIABLE(t5);
+-    UNUSED_VARIABLE(t6);
+-    UNUSED_VARIABLE(t7);
+ 
+     struct StackPointerScope {
+         StackPointerScope(CLoopStack& stack)
+-- 
+2.39.2
+

package/webkitgtk/webkitgtk.hash

@@ -1,6 +1,6 @@
-# From https://www.webkitgtk.org/releases/webkitgtk-2.42.2.tar.xz.sums
-sha1  05bec6a824e46f043b865478735bc8395249510e  webkitgtk-2.42.2.tar.xz
-sha256  5720aa3e8627f1b9f63252187d4df0f8233ae71d697b1796ebfbe5ca750bd118  webkitgtk-2.42.2.tar.xz
+# From https://www.webkitgtk.org/releases/webkitgtk-2.42.5.tar.xz.sums
+sha1  c3ffb2beaac56f1089029f2254482f48d9e3db37  webkitgtk-2.42.5.tar.xz
+sha256  b64278c1f20b8cfdbfb5ff573c37d871aba74a1db26d9b39f74e8953fe61e749  webkitgtk-2.42.5.tar.xz
 
 # Hashes for license files:
 sha256  0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4  Source/WebCore/LICENSE-APPLE

package/webkitgtk/webkitgtk.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WEBKITGTK_VERSION = 2.42.2
+WEBKITGTK_VERSION = 2.42.5
 WEBKITGTK_SITE = https://www.webkitgtk.org/releases
 WEBKITGTK_SOURCE = webkitgtk-$(WEBKITGTK_VERSION).tar.xz
 WEBKITGTK_INSTALL_STAGING = YES