Package: release.debian.org
Control: affects -1 + src:mujs
X-Debbugs-Cc: m...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
https://security-tracker.debian.org/tracker/CVE-2021-33797
Buffer overflow via integer overflow in the exponent parsing of js_strtod (jsdtoa.c).

[ Impact ]
The bullseye package (1.1.0-1+deb11u2) is still affected by that CVE.

[ Tests ]
I have only tested for functionality (did not exploit the bug).

[ Risks ]
The change is trivial: one while condition gains an overflow bound and a second loop skips the remaining digits.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Upstream patch, added under debian/patches and listed in series. Debdiff follows.
diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog 2022-11-21 13:10:02.000000000 +0100
+++ mujs-1.1.0/debian/changelog 2023-05-19 10:44:27.000000000 +0200
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u3) bullseye; urgency=medium
+
+  * Fix CVE-2021-33797 via upstream patch
+
+ -- Bastian Germann <b...@debian.org>  Fri, 19 May 2023 10:44:27 +0200
+
 mujs (1.1.0-1+deb11u2) bullseye-security; urgency=medium
 
   * Fix CVE-2022-44789, CVE-2022-30974, and CVE-2022-30975 via upstream patches
diff -Nru mujs-1.1.0/debian/patches/CVE-2021-33797.patch mujs-1.1.0/debian/patches/CVE-2021-33797.patch
--- mujs-1.1.0/debian/patches/CVE-2021-33797.patch      1970-01-01 01:00:00.000000000 +0100
+++ mujs-1.1.0/debian/patches/CVE-2021-33797.patch      2023-05-19 10:44:14.000000000 +0200
@@ -0,0 +1,31 @@
+Origin: upstream, 
https://git.ghostscript.com/?p=mujs.git;a=patch;h=833b6f1672b4f2991a63c4d05318f0b84ef4d550
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Wed, 21 Apr 2021 12:25:48 +0200
+Subject: Issue #148: Check for overflow when reading floating point exponent.
+
+GCC with -O2 optimizes away the if(exp<-maxExponent) branch completely,
+so we don't end up with the expected '512' value for overflowing
+exponents. Limit the exponent parsing to MAX_INT instead to prevent
+signed overflow from tripping up over-eager optimizing compilers.
+---
+ jsdtoa.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/jsdtoa.c b/jsdtoa.c
+index 858017d..97cac11 100644
+--- a/jsdtoa.c
++++ b/jsdtoa.c
+@@ -691,10 +691,12 @@ js_strtod(const char *string, char **endPtr)
+                       }
+                       expSign = FALSE;
+               }
+-              while ((*p >= '0') && (*p <= '9')) {
++              while ((*p >= '0') && (*p <= '9') && exp < INT_MAX/10) {
+                       exp = exp * 10 + (*p - '0');
+                       p += 1;
+               }
++              while ((*p >= '0') && (*p <= '9'))
++                      p += 1;
+       }
+       if (expSign) {
+               exp = fracExp - exp;
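Review bot: the new `exp < INT_MAX/10` guard keeps the accumulation itself in range, but the very next statement in this hunk, `exp = fracExp - exp;`, still subtracts a value that can be close to INT_MAX from fracExp, so with a negative fracExp the signed overflow has only moved one line down. Since the commit message says any exponent past maxExponent should land in the '512' overflow case anyway, saturating exp at a small fixed ceiling (a few multiples of maxExponent) instead of INT_MAX/10 would close that gap and keep the digit-skipping loop as a plain discard. Also confirm that jsdtoa.c already includes <limits.h>; the hunk introduces INT_MAX but adds no include.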
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series    2022-11-21 13:10:02.000000000 +0100
+++ mujs-1.1.0/debian/patches/series    2023-05-19 10:43:04.000000000 +0200
@@ -5,3 +5,4 @@
 Cope-with-empty-programs-in-mujs-pp.patch
 Dont-fclose-a-FILE-that-is-NULL.patch
 Fix-use-after-free-in-getOwnPropertyDescriptor.patch
+CVE-2021-33797.patch
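As an added example (my own code, not mujs code and not part of this debdiff), the patched exponent loop re-implemented stand-alone in C, together with an explicit range check on the `fracExp - exp` step that follows it in js_strtod and a hypothetical saturating variant. The function names, the `ceiling` parameter and the sample inputs are my own assumptions; the bound `INT_MAX/10` and the two-loop shape are taken from the upstream patch above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not mujs code): the exponent-digit loops as the patch
 * leaves them. Accumulate only while exp < INT_MAX/10, so that
 * exp*10 + digit can never exceed INT_MAX, then discard any further
 * digits. Returns the number of characters consumed; *truncated is set
 * when digits were dropped. */
static size_t parse_exponent_digits(const char *p, int *exp_out, bool *truncated)
{
    const char *start = p;
    int exp = 0;

    *truncated = false;
    while (*p >= '0' && *p <= '9' && exp < INT_MAX / 10) {
        exp = exp * 10 + (*p - '0');   /* at most (INT_MAX/10 - 1)*10 + 9 */
        p++;
    }
    while (*p >= '0' && *p <= '9') {   /* extra digits cannot change the outcome */
        *truncated = true;
        p++;
    }
    *exp_out = exp;
    return (size_t)(p - start);
}

/* The statement right after the patched loop is exp = fracExp - exp
 * (or fracExp + exp). exp is bounded below INT_MAX, but that subtraction
 * can still wrap for a negative fracExp; check explicitly rather than
 * relying on signed overflow, which is undefined in C. Returns false
 * when the result would wrap. exp is assumed non-negative. */
static bool combine_exponent(int fracExp, int exp, bool expSign, int *out)
{
    if (expSign) {
        if (fracExp < INT_MIN + exp)   /* fracExp - exp would be < INT_MIN */
            return false;
        *out = fracExp - exp;
    } else {
        if (fracExp > INT_MAX - exp)   /* fracExp + exp would be > INT_MAX */
            return false;
        *out = fracExp + exp;
    }
    return true;
}

/* Saturating alternative (hypothetical; `ceiling` is my parameter, not
 * mujs's): any exponent past the ceiling already means the double
 * overflows or underflows, so capping exp there keeps the later
 * arithmetic well inside int range. */
static int saturate_exponent(int exp, int ceiling)
{
    return exp > ceiling ? ceiling : exp;
}

int main(void)
{
    /* Constructed inputs: normal, absurdly long, and one that lands
     * just below INT_MAX after the patched loop. */
    const char *inputs[] = { "308", "99999999999999999999", "2147483639" };
    for (size_t i = 0; i < 3; i++) {
        int exp = 0, combined = 0;
        bool truncated = false;
        size_t n = parse_exponent_digits(inputs[i], &exp, &truncated);
        bool ok = combine_exponent(-10, exp, true, &combined);
        printf("%-22s consumed=%zu exp=%d truncated=%d fracExp-exp: %s (saturated: %d)\n",
               inputs[i], n, exp, (int)truncated, ok ? "ok" : "WRAPS",
               saturate_exponent(exp, 20000));
    }
    return 0;
}
```

The third input shows the point of the review note: the loop stops with exp = 2147483639, which is in range, yet `-10 - exp` is not representable as an int. Saturating at a small ceiling makes both steps safe.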