Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for duktape fixes CVE-2021-46322 in Bullseye. This CVE has been marked as no-dsa by the security team.
The same fix has already been uploaded to Unstable. Thorsten
diff -Nru duktape-2.5.0/debian/changelog duktape-2.5.0/debian/changelog
--- duktape-2.5.0/debian/changelog 2020-03-14 16:44:16.000000000 +0100
+++ duktape-2.5.0/debian/changelog 2023-03-26 14:03:02.000000000 +0200
@@ -1,3 +1,11 @@
+duktape (2.5.0-2+deb11u1) bullseye; urgency=medium
+
+ * upload by the LTS Team.
+ * CVE-2021-46322
+ a SEGV issue was discovered when some stack limits are reached
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sun, 26 Mar 2023 14:03:02 +0200
+
 duktape (2.5.0-2) unstable; urgency=medium
 
 * debian/copyright: update file (Closes: #951903)
diff -Nru duktape-2.5.0/debian/patches/CVE-2021-46322.patch duktape-2.5.0/debian/patches/CVE-2021-46322.patch
--- duktape-2.5.0/debian/patches/CVE-2021-46322.patch 1970-01-01 01:00:00.000000000 +0100
+++ duktape-2.5.0/debian/patches/CVE-2021-46322.patch 2023-03-26 14:03:02.000000000 +0200
@@ -0,0 +1,80 @@
+commit a851d8a5687356b1d6ad0f8f39d6226947f17b27
+Author: Sami Vaarala <sami.vaar...@iki.fi>
+Date: Tue Jan 11 01:34:02 2022 +0200
+
+ Fix segfault in call setup when valstack limit hit
+
+Index: duktape-2.5.0/src-input/duk_js_call.c
+===================================================================
+--- duktape-2.5.0.orig/src-input/duk_js_call.c 2023-03-27 19:32:09.275869100 +0200
++++ duktape-2.5.0/src-input/duk_js_call.c 2023-03-27 19:32:09.275869100 +0200
+@@ -2151,6 +2151,15 @@
+ /* [ ... func this arg1 ... argN ] */
+
+ /*
++ * Grow value stack to required size before env setup. This
++ * must happen before env setup to handle some corner cases
++ * correctly, e.g. test-bug-scope-segv-gh2448.js.
++ */
++
++ duk_valstack_grow_check_throw(thr, vs_min_bytes);
++ act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end - (duk_uint8_t *) thr->valstack);
++
++ /*
+ * Environment record creation and 'arguments' object creation.
+ * Named function expression name binding is handled by the
+ * compiler; the compiled function's parent env will contain
+@@ -2171,13 +2180,8 @@
+ * Setup value stack: clamp to 'nargs', fill up to 'nregs',
+ * ensure value stack size matches target requirements, and
+ * switch value stack bottom. Valstack top is kept.
+- *
+- * Value stack can only grow here.
+ */
+
+- duk_valstack_grow_check_throw(thr, vs_min_bytes);
+- act->reserve_byteoff = (duk_size_t) ((duk_uint8_t *) thr->valstack_end - (duk_uint8_t *) thr->valstack);
+-
+ if (use_tailcall) {
+ DUK_ASSERT(nregs >= 0);
+ DUK_ASSERT(nregs >= nargs);
+Index: duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ duktape-2.5.0/tests/ecmascript/test-bug-scope-segv-gh2448.js 2023-03-27 19:32:09.275869100 +0200
+@@ -0,0 +1,35 @@
++// https://github.com/svaarala/duktape/issues/2448
++
++/*===
++RangeError
++===*/
++
++function JSEtest() {
++ var src = [];
++ var i;
++
++ src.push('(function test() {');
++ for (i = 0; i < 1e4; i++) {
++ src.push('var x' + i + ' = ' + i + ';');
++ }
++ src.push('var arguments = test(); return "dummy"; })');
++ src = src.join('');
++ //print(src);
++
++ var f = eval(src)(src);
++
++ try {
++ f();
++ } catch (e) {
++ print(e.name + ': ' + e.message);
++ }
++
++ print('still here');
++}
++
++try {
++ JSEtest();
++} catch (e) {
++ //print(e.stack || e);
++ print(e.name);
++}
diff -Nru duktape-2.5.0/debian/patches/series duktape-2.5.0/debian/patches/series
--- duktape-2.5.0/debian/patches/series 2020-03-13 21:44:00.000000000 +0100
+++ duktape-2.5.0/debian/patches/series 2023-03-26 14:03:02.000000000 +0200
@@ -1,3 +1,5 @@
 #XXX hardening.patch
 hardening.patch
 debug-symbols.patch
+
+CVE-2021-46322.patch
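Review bot: The new debian/patches/CVE-2021-46322.patch carries only the bare git `commit`/`Author`/`Date` lines and no DEP-3 header, so the package does not record where the fix came from or what it closes; I would put `Origin: upstream, https://github.com/svaarala/duktape/commit/a851d8a5687356b1d6ad0f8f39d6226947f17b27` and `Bug: https://github.com/svaarala/duktape/issues/2448` (the issue the added test already cites) above the description, plus a `Description:` line naming CVE-2021-46322. On the code, the change moves both `duk_valstack_grow_check_throw(thr, vs_min_bytes)` and the `act->reserve_byteoff` snapshot ahead of environment-record and `arguments` creation, which is presumably what makes a limit hit surface as the RangeError the test expects instead of a crash; if that env setup can itself grow the value stack, the snapshot now predates it, so it is worth confirming the C hunks match the upstream commit byte-for-byte rather than being hand-adjusted. The `@@` lines of the C hunks carry no function name, and the enclosing call-setup function starts and ends outside the hunk. The added test only documents the expected `RangeError` output; nothing in the debdiff shows whether tests/ecmascript is exercised at build time, so a line in the changelog or patch header saying how the fix was verified would help the next uploader.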