
Bug#1007909: bullseye-pu: package mujs/1.1.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
mujs is affected by CVE-2021-45005 in bullseye. sid is already fixed.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport of unstable's changes to fix the CVE.

The security team acked the debdiff but asked me to submit it for the upcoming point release, so I am uploading the package while filing this bug.

Cheers,
Bastian
diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog	2021-02-18 19:47:17.000000000 +0100
+++ mujs-1.1.0/debian/changelog	2022-02-25 21:18:16.000000000 +0100
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u1) bullseye; urgency=high
+
+  * Clear jump list after patching jump addresses (CVE-2021-45005)
+
+ -- Bastian Germann <bage@debian.org>  Fri, 25 Feb 2022 21:18:16 +0100
+
 mujs (1.1.0-1) unstable; urgency=medium
 
   * Import new upstream version
diff -Nru mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch
--- mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch	1970-01-01 01:00:00.000000000 +0100
+++ mujs-1.1.0/debian/patches/Clear-jump-list-after-patching-jump-addresses.patch	2022-02-25 21:17:24.000000000 +0100
@@ -0,0 +1,88 @@
+Origin: upstream, http://git.ghostscript.com/?p=mujs.git;a=patch;h=df8559e7bdbc6065276e786217eeee70f28fce66
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 6 Dec 2021 11:47:31 +0100
+Subject: Bug 704749: Clear jump list after patching jump addresses.
+
+Since we can emit a statement multiple times when compiling try/finally
+we have to use a new patch list for each instance.
+---
+ jscompile.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/jscompile.c b/jscompile.c
+index dcdee05..a915903 100644
+--- a/jscompile.c
++++ b/jscompile.c
+@@ -794,15 +794,19 @@ static void addjump(JF, enum js_AstType type, js_Ast *target, int inst)
+ 	target->jumps = jump;
+ }
+ 
+-static void labeljumps(JF, js_JumpList *jump, int baddr, int caddr)
++static void labeljumps(JF, js_Ast *stm, int baddr, int caddr)
+ {
++	js_JumpList *jump = stm->jumps;
+ 	while (jump) {
++		js_JumpList *next = jump->next;
+ 		if (jump->type == STM_BREAK)
+ 			labelto(J, F, jump->inst, baddr);
+ 		if (jump->type == STM_CONTINUE)
+ 			labelto(J, F, jump->inst, caddr);
+-		jump = jump->next;
++		js_free(J, jump);
++		jump = next;
+ 	}
++	stm->jumps = NULL;
+ }
+ 
+ static int isloop(enum js_AstType T)
+@@ -1121,7 +1125,7 @@ static void cstm(JF, js_Ast *stm)
+ 		cexp(J, F, stm->b);
+ 		emitline(J, F, stm);
+ 		emitjumpto(J, F, OP_JTRUE, loop);
+-		labeljumps(J, F, stm->jumps, here(J,F), cont);
++		labeljumps(J, F, stm, here(J,F), cont);
+ 		break;
+ 
+ 	case STM_WHILE:
+@@ -1133,7 +1137,7 @@ static void cstm(JF, js_Ast *stm)
+ 		emitline(J, F, stm);
+ 		emitjumpto(J, F, OP_JUMP, loop);
+ 		label(J, F, end);
+-		labeljumps(J, F, stm->jumps, here(J,F), loop);
++		labeljumps(J, F, stm, here(J,F), loop);
+ 		break;
+ 
+ 	case STM_FOR:
+@@ -1164,7 +1168,7 @@ static void cstm(JF, js_Ast *stm)
+ 		emitjumpto(J, F, OP_JUMP, loop);
+ 		if (end)
+ 			label(J, F, end);
+-		labeljumps(J, F, stm->jumps, here(J,F), cont);
++		labeljumps(J, F, stm, here(J,F), cont);
+ 		break;
+ 
+ 	case STM_FOR_IN:
+@@ -1189,12 +1193,12 @@ static void cstm(JF, js_Ast *stm)
+ 			emitjumpto(J, F, OP_JUMP, loop);
+ 		}
+ 		label(J, F, end);
+-		labeljumps(J, F, stm->jumps, here(J,F), loop);
++		labeljumps(J, F, stm, here(J,F), loop);
+ 		break;
+ 
+ 	case STM_SWITCH:
+ 		cswitch(J, F, stm->a, stm->b);
+-		labeljumps(J, F, stm->jumps, here(J,F), 0);
++		labeljumps(J, F, stm, here(J,F), 0);
+ 		break;
+ 
+ 	case STM_LABEL:
+@@ -1204,7 +1208,7 @@ static void cstm(JF, js_Ast *stm)
+ 			stm = stm->b;
+ 		/* loops and switches have already been labelled */
+ 		if (!isloop(stm->type) && stm->type != STM_SWITCH)
+-			labeljumps(J, F, stm->jumps, here(J,F), 0);
++			labeljumps(J, F, stm, here(J,F), 0);
+ 		break;
+ 
+ 	case STM_BREAK:
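Review bot: In the rewritten `labeljumps`, `stm->jumps` still points at the list head until the loop has finished, even though `js_free(J, jump)` has already released the nodes visited so far. If `labelto` can leave the function through an error path (its body is outside this diff), or if other code reads `stm->jumps` during that window, such as the parser's AST cleanup (also not shown), it would walk freed nodes. Advancing the head before each free keeps the pointer valid at every step: add `stm->jumps = next;` immediately before `js_free(J, jump);`, which also makes the trailing `stm->jumps = NULL;` redundant. A short comment on `labeljumps` saying that it consumes and frees the statement's jump list would document the ownership change for the six call sites in `cstm`.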
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series	2021-02-18 19:41:21.000000000 +0100
+++ mujs-1.1.0/debian/patches/series	2022-02-25 21:17:24.000000000 +0100
@@ -1,2 +1,3 @@
 Install-versioned-shared-library.patch
 Set-the-right-.pc-version.patch
+Clear-jump-list-after-patching-jump-addresses.patch
