Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for duktape fixes CVE-2021-46322 in Bullseye. This CVE has been marked as no-dsa by the security team.

The same fixes have been already uploaded to Unstable.

  Thorsten
diff -Nru duktape-2.5.0/debian/changelog duktape-2.5.0/debian/changelog
--- duktape-2.5.0/debian/changelog      2020-03-14 16:44:16.000000000 +0100
+++ duktape-2.5.0/debian/changelog      2023-03-26 14:03:02.000000000 +0200
@@ -1,3 +1,11 @@
+duktape (2.5.0-2+deb11u1) bullseye; urgency=medium
+
+  * upload by the LTS Team.
+  * CVE-2021-46322
+    a SEGV issue was discovered when some stack limits are reached
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 26 Mar 2023 14:03:02 +0200
+
 duktape (2.5.0-2) unstable; urgency=medium
 
   * debian/copyright: update file (Closes: #951903)
diff -Nru duktape-2.5.0/debian/patches/CVE-2021-46322.patch duktape-2.5.0/debian/patches/CVE-2021-46322.patch
--- duktape-2.5.0/debian/patches/CVE-2021-46322.patch   1970-01-01 01:00:00.000000000 +0100
+++ duktape-2.5.0/debian/patches/CVE-2021-46322.patch   2023-03-26 14:03:02.000000000 +0200
@@ -0,0 +1,80 @@
+commit a851d8a5687356b1d6ad0f8f39d6226947f17b27
+Author: Sami Vaarala <sami.vaar...@iki.fi>
+Date:   Tue Jan 11 01:34:02 2022 +0200
+
+    Fix segfault in call setup when valstack limit hit
+
+Index: duktape-2.5.0/src-input/duk_js_call.c
+===================================================================
+--- duktape-2.5.0.orig/src-input/duk_js_call.c 2023-03-27 19:32:09.275869100 +0200
++++ duktape-2.5.0/src-input/duk_js_call.c      2023-03-27 19:32:09.275869100 +0200
+@@ -2151,6 +2151,15 @@
+       /* [ ... func this arg1 ... argN ] */
+ 
+       /*
++       *  Grow value stack to required size before env setup.  This
++       *  must happen before env setup to handle some corner cases
++       *  correctly, e.g. test-bug-scope-segv-gh2448.js.
++       */
++
++      duk_valstack_grow_check_throw(thr, vs_min_bytes);
++      act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end - (duk_uint8_t *) thr->valstack);
++
++      /*
+        *  Environment record creation and 'arguments' object creation.
+        *  Named function expression name binding is handled by the
+        *  compiler; the compiled function's parent env will contain
+@@ -2171,13 +2180,8 @@
+        *  Setup value stack: clamp to 'nargs', fill up to 'nregs',
+        *  ensure value stack size matches target requirements, and
+        *  switch value stack bottom.  Valstack top is kept.
+-       *
+-       *  Value stack can only grow here.
+        */
+ 
+-      duk_valstack_grow_check_throw(thr, vs_min_bytes);
+-      act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end - (duk_uint8_t *) thr->valstack);
+-
+       if (use_tailcall) {
+               DUK_ASSERT(nregs >= 0);
+               DUK_ASSERT(nregs >= nargs);
+Index: duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js       2023-03-27 19:32:09.275869100 +0200
+@@ -0,0 +1,35 @@
++// https://github.com/svaarala/duktape/issues/2448
++
++/*===
++RangeError
++===*/
++
++function JSEtest() {
++    var src = [];
++    var i;
++
++    src.push('(function test() {');
++    for (i = 0; i < 1e4; i++) {
++        src.push('var x' + i + ' = ' + i + ';');
++    }
++    src.push('var arguments = test(); return "dummy"; })');
++    src = src.join('');
++    //print(src);
++
++    var f = eval(src)(src);
++
++    try {
++        f();
++    } catch (e) {
++        print(e.name + ': ' + e.message);
++    }
++
++    print('still here');
++}
++
++try {
++    JSEtest();
++} catch (e) {
++    //print(e.stack || e);
++    print(e.name);
++}
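Review bot: The patch edits only `src-input/duk_js_call.c`, and nothing in this debdiff shows that the package build regenerates the library source from `src-input/`; if the build compiles a pre-generated single-file source from the release tarball instead, the relocated `duk_valstack_grow_check_throw(thr, vs_min_bytes);` call never reaches the shipped binary and CVE-2021-46322 stays open. Before the upload, confirm which source the build consumes and run the added `test-bug-scope-segv-gh2448.js` against the built library, expecting the `RangeError` output rather than a SEGV. The patch file also lacks a DEP-3 header; I would add `Origin: upstream, commit a851d8a5687356b1d6ad0f8f39d6226947f17b27` and `Bug: https://github.com/svaarala/duktape/issues/2448` above the description so the fix stays traceable. The enclosing function in duk_js_call.c starts and ends outside the inner hunks, so the ordering relative to the rest of call setup cannot be checked from this page.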
diff -Nru duktape-2.5.0/debian/patches/series duktape-2.5.0/debian/patches/series
--- duktape-2.5.0/debian/patches/series 2020-03-13 21:44:00.000000000 +0100
+++ duktape-2.5.0/debian/patches/series 2023-03-26 14:03:02.000000000 +0200
@@ -1,3 +1,5 @@
 #XXX hardening.patch
 hardening.patch
 debug-symbols.patch
+
+CVE-2021-46322.patch
