Package: release.debian.org
Control: affects -1 + src:mujs
X-Debbugs-Cc: m...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2021-33797
Buffer-overflow via integer overflow.

[ Impact ]
Vulnerability to that CVE.

[ Tests ]
I have only tested for functionality (did not exploit the bug).

[ Risks ]
Code is trivial (extension of two while conditions).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Upstream patch.

diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog 2022-11-21 13:10:02.000000000 +0100
+++ mujs-1.1.0/debian/changelog 2023-05-19 10:44:27.000000000 +0200
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u3) bullseye; urgency=medium
+
+ * Fix CVE-2021-33797 via upstream patch
+
+ -- Bastian Germann <b...@debian.org> Fri, 19 May 2023 10:44:27 +0200
+
mujs (1.1.0-1+deb11u2) bullseye-security; urgency=medium
* Fix CVE-2022-44789, CVE-2022-30974, and CVE-2022-30975 via upstream patches
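Review bot: The new 1.1.0-1+deb11u3 entry names only the CVE, so the changelog alone does not say which code path or patch file changed. Consider extending the line, for example "Fix CVE-2021-33797 (integer overflow in js_strtod exponent parsing) via upstream patch", so the entry can be matched to debian/patches/CVE-2021-33797.patch without opening the debdiff.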
diff -Nru mujs-1.1.0/debian/patches/CVE-2021-33797.patch
mujs-1.1.0/debian/patches/CVE-2021-33797.patch
--- mujs-1.1.0/debian/patches/CVE-2021-33797.patch 1970-01-01
01:00:00.000000000 +0100
+++ mujs-1.1.0/debian/patches/CVE-2021-33797.patch 2023-05-19
10:44:14.000000000 +0200
@@ -0,0 +1,31 @@
+Origin: upstream,
https://git.ghostscript.com/?p=mujs.git;a=patch;h=833b6f1672b4f2991a63c4d05318f0b84ef4d550
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Wed, 21 Apr 2021 12:25:48 +0200
+Subject: Issue #148: Check for overflow when reading floating point exponent.
+
+GCC with -O2 optimizes away the if(exp<-maxExponent) branch completely,
+so we don't end up with the expected '512' value for overflowing
+exponents. Limit the exponent parsing to MAX_INT instead to prevent
+signed overflow from tripping up over-eager optimizing compilers.
+---
+ jsdtoa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jsdtoa.c b/jsdtoa.c
+index 858017d..97cac11 100644
+--- a/jsdtoa.c
++++ b/jsdtoa.c
+@@ -691,10 +691,12 @@ js_strtod(const char *string, char **endPtr)
+ }
+ expSign = FALSE;
+ }
+- while ((*p >= '0') && (*p <= '9')) {
++ while ((*p >= '0') && (*p <= '9') && exp < INT_MAX/10) {
+ exp = exp * 10 + (*p - '0');
+ p += 1;
+ }
++ while ((*p >= '0') && (*p <= '9'))
++ p += 1;
+ }
+ if (expSign) {
+ exp = fracExp - exp;
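Review bot: The new bound "exp < INT_MAX/10" in the first loop keeps "exp * 10 + (*p - '0')" from overflowing, but it still lets exp grow to just under INT_MAX, and the context line "exp = fracExp - exp" then subtracts that value from fracExp; if fracExp can be negative at that point, the subtraction is again a signed overflow. The commit message says the expected clamped value for overflowing exponents is 512, so a much smaller cap on exp inside the loop would cover both the multiplication and the later arithmetic. The diffstat shows no added #include, so please confirm jsdtoa.c already includes <limits.h> for INT_MAX. Minor: the commit message says MAX_INT where the code uses INT_MAX.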
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series 2022-11-21 13:10:02.000000000 +0100
+++ mujs-1.1.0/debian/patches/series 2023-05-19 10:43:04.000000000 +0200
@@ -5,3 +5,4 @@
Cope-with-empty-programs-in-mujs-pp.patch
Dont-fclose-a-FILE-that-is-NULL.patch
Fix-use-after-free-in-getOwnPropertyDescriptor.patch
+CVE-2021-33797.patch