Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
mujs is affected by CVE-2021-45005 in bullseye. sid is already fixed.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport of unstable's changes to fix the CVE.

The security team acked the debdiff but asked me to submit it for the upcoming point release, so I am uploading the package while filing this bug.

Cheers,
Bastian
diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog 2021-02-18 19:47:17.000000000 +0100
+++ mujs-1.1.0/debian/changelog 2022-02-25 21:18:16.000000000 +0100
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u1) bullseye; urgency=high
+
+  * Clear jump list after patching jump addresses (CVE-2021-45005)
+
+ -- Bastian Germann <b...@debian.org>  Fri, 25 Feb 2022 21:18:16 +0100
+
 mujs (1.1.0-1) unstable; urgency=medium
 
   * Import new upstream version
diff -Nru 
mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch 
mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch
--- 
mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch   
    2022-02-25 21:17:24.000000000 +0100
@@ -0,0 +1,88 @@
+Origin: upstream, 
http://git.ghostscript.com/?p=mujs.git;a=patch;h=df8559e7bdbc6065276e786217eeee70f28fce66
+From: Tor Andersson <tor.anders...@artifex.com>
+Date: Mon, 6 Dec 2021 11:47:31 +0100
+Subject: Bug 704749: Clear jump list after patching jump addresses.
+
+Since we can emit a statement multiple times when compiling try/finally
+we have to use a new patch list for each instance.
+---
+ jscompile.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/jscompile.c b/jscompile.c
+index dcdee05..a915903 100644
+--- a/jscompile.c
++++ b/jscompile.c
+@@ -794,15 +794,19 @@ static void addjump(JF, enum js_AstType type, js_Ast 
*target, int inst)
+       target->jumps = jump;
+ }
+ 
+-static void labeljumps(JF, js_JumpList *jump, int baddr, int caddr)
++static void labeljumps(JF, js_Ast *stm, int baddr, int caddr)
+ {
++      js_JumpList *jump = stm->jumps;
+       while (jump) {
++              js_JumpList *next = jump->next;
+               if (jump->type == STM_BREAK)
+                       labelto(J, F, jump->inst, baddr);
+               if (jump->type == STM_CONTINUE)
+                       labelto(J, F, jump->inst, caddr);
+-              jump = jump->next;
++              js_free(J, jump);
++              jump = next;
+       }
++      stm->jumps = NULL;
+ }
+ 
+ static int isloop(enum js_AstType T)
+@@ -1121,7 +1125,7 @@ static void cstm(JF, js_Ast *stm)
+               cexp(J, F, stm->b);
+               emitline(J, F, stm);
+               emitjumpto(J, F, OP_JTRUE, loop);
+-              labeljumps(J, F, stm->jumps, here(J,F), cont);
++              labeljumps(J, F, stm, here(J,F), cont);
+               break;
+ 
+       case STM_WHILE:
+@@ -1133,7 +1137,7 @@ static void cstm(JF, js_Ast *stm)
+               emitline(J, F, stm);
+               emitjumpto(J, F, OP_JUMP, loop);
+               label(J, F, end);
+-              labeljumps(J, F, stm->jumps, here(J,F), loop);
++              labeljumps(J, F, stm, here(J,F), loop);
+               break;
+ 
+       case STM_FOR:
+@@ -1164,7 +1168,7 @@ static void cstm(JF, js_Ast *stm)
+               emitjumpto(J, F, OP_JUMP, loop);
+               if (end)
+                       label(J, F, end);
+-              labeljumps(J, F, stm->jumps, here(J,F), cont);
++              labeljumps(J, F, stm, here(J,F), cont);
+               break;
+ 
+       case STM_FOR_IN:
+@@ -1189,12 +1193,12 @@ static void cstm(JF, js_Ast *stm)
+                       emitjumpto(J, F, OP_JUMP, loop);
+               }
+               label(J, F, end);
+-              labeljumps(J, F, stm->jumps, here(J,F), loop);
++              labeljumps(J, F, stm, here(J,F), loop);
+               break;
+ 
+       case STM_SWITCH:
+               cswitch(J, F, stm->a, stm->b);
+-              labeljumps(J, F, stm->jumps, here(J,F), 0);
++              labeljumps(J, F, stm, here(J,F), 0);
+               break;
+ 
+       case STM_LABEL:
+@@ -1204,7 +1208,7 @@ static void cstm(JF, js_Ast *stm)
+                       stm = stm->b;
+               /* loops and switches have already been labelled */
+               if (!isloop(stm->type) && stm->type != STM_SWITCH)
+-                      labeljumps(J, F, stm->jumps, here(J,F), 0);
++                      labeljumps(J, F, stm, here(J,F), 0);
+               break;
+ 
+       case STM_BREAK:
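Review bot: In the rewritten `labeljumps` (the jscompile.c hunk at -794), `stm->jumps` keeps pointing at the original list head while the nodes are freed one by one, and is reset to NULL only after the loop finishes. If `labelto` can abort compilation through the interpreter's error path (its body is not in this hunk, so this needs confirming), an abort on a later node would leave `stm->jumps` referring to already freed memory for any code that later walks or frees the AST. Detaching each node as it is released closes that window: `js_free(J, jump); stm->jumps = jump = next;`. A comment above the function would also record the new ownership rule, for example `/* Patches and consumes stm->jumps: a statement may be compiled more than once (try/finally), so the list must not outlive one emission. */`.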
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series    2021-02-18 19:41:21.000000000 +0100
+++ mujs-1.1.0/debian/patches/series    2022-02-25 21:17:24.000000000 +0100
@@ -1,2 +1,3 @@
 Install-versioned-shared-library.patch
 Set-the-right-.pc-version.patch
+Clear-jump-list-after-patching-jump-addresses.patch
