Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 845399 (CVE-2022-30974, CVE-2022-30975) - <dev-lang/mujs-1.3.0: multiple vulnerabilities
Summary: <dev-lang/mujs-1.3.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-30974, CVE-2022-30975
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 889968
Blocks:
  Show dependency tree
 
Reported: 2022-05-18 17:34 UTC by John Helmert III
Modified: 2024-05-04 08:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-18 17:34:34 UTC 
CVE-2022-30974 (https://github.com/ccxvii/mujs/issues/162):

compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.

Patch: https://github.com/ccxvii/mujs/commit/160ae29578054dc09fd91e5401ef040d52797e61

CVE-2022-30975 (https://github.com/ccxvii/mujs/issues/161):

In Artifex MuJS through 1.2.0, jsP_dumpsyntax in jsdump.c has a NULL pointer dereference, as demonstrated by mujs-pp.

Patch: https://github.com/ccxvii/mujs/commit/910acc807c3c057e1c0726160808f3a9f37b40ec
https://github.com/ccxvii/mujs/commit/f5b3c703e18725e380b83427004632e744f85a6f
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-24 15:44:16 UTC 
These patches are in 1.3.0 onwards.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-08 17:04:23 UTC 
Please cleanup
Comment 3 Larry the Git Cow gentoo-dev 2024-05-04 08:04:29 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f6828b989009fecf980c109dc2a5c5349edd6314

commit f6828b989009fecf980c109dc2a5c5349edd6314
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 08:04:01 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 08:04:23 +0000

    [ GLSA 202405-06 ] mujs: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/833453
    Bug: https://bugs.gentoo.org/845399
    Bug: https://bugs.gentoo.org/882775
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-06.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)