From 7faf4b2230e612681748eedc2ea835a13aed797a Mon Sep 17 00:00:00 2001
From: liweiganga
Date: Tue, 21 Feb 2023 16:44:45 +0800
Subject: [PATCH] fix CVE-2022-44789
---
 ...se-after-free-in-getOwnPropertyDescr.patch | 69 +++++++++++++++++++
 mujs.spec | 8 ++-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch
diff --git a/0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch b/0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch
new file mode 100644
index 0000000..fb2a845
--- /dev/null
+++ b/0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch
@@ -0,0 +1,69 @@
+From edb50ad66f7601ca9a3544a0e9045e8a8c60561f Mon Sep 17 00:00:00 2001
+From: Tor Andersson
+Date: Mon, 7 Nov 2022 12:52:05 +0100
+Subject: [PATCH] Bug 706057: Fix use-after-free in getOwnPropertyDescriptor.
+
+getOwnPropertyDescriptor should create the descriptor object by
+using [[DefineOwnProperty]], and not by looking through the prototype
+chain where it may invoke getters and setters on the Object.prototype.
+
+If there exists an Object.prototype.get property with a setter, that method is
+invoked when it shouldn't. A malicious getter here can delete the property
+currently being processed in getOwnPropertyDescriptor, and we'll end up
+with a use-after-free bug.
+
+Avoid this problem by following the spec and use js_defproperty rather than
+js_setproperty to define own properties in getOwnPropertyDescriptor and
+related functions.
+---
+ jsobject.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/jsobject.c b/jsobject.c
+index 78ea344..a58fc3a 100644
+--- a/jsobject.c
++++ b/jsobject.c
+@@ -134,25 +134,25 @@ static void O_getOwnPropertyDescriptor(js_State *J)
+ js_newobject(J);
+ if (!ref->getter && !ref->setter) {
+ js_pushvalue(J, ref->value);
+- js_setproperty(J, -2, "value");
++ js_defproperty(J, -2, "value", 0);
+ js_pushboolean(J, !(ref->atts & JS_READONLY));
+- js_setproperty(J, -2, "writable");
++ js_defproperty(J, -2, "writable", 0);
+ } else {
+ if (ref->getter)
+ js_pushobject(J, ref->getter);
+ else
+ js_pushundefined(J);
+- js_setproperty(J, -2, "get");
++ js_defproperty(J, -2, "get", 0);
+ if (ref->setter)
+ js_pushobject(J, ref->setter);
+ else
+ js_pushundefined(J);
+- js_setproperty(J, -2, "set");
++ js_defproperty(J, -2, "set", 0);
+ }
+ js_pushboolean(J, !(ref->atts & JS_DONTENUM));
+- js_setproperty(J, -2, "enumerable");
++ js_defproperty(J, -2, "enumerable", 0);
+ js_pushboolean(J, !(ref->atts & JS_DONTCONF));
+- js_setproperty(J, -2, "configurable");
++ js_defproperty(J, -2, 
"configurable", 0);
+ }
+ }
+
+@@ -248,7 +248,7 @@ static void ToPropertyDescriptor(js_State *J, js_Object *obj, const char *name,
+ }
+ if (js_hasproperty(J, -1, "value")) {
+ hasvalue = 1;
+- js_setproperty(J, -3, name);
++ js_defproperty(J, -3, name, 0);
+ }
+
+ if (!writable) atts |= JS_READONLY;
+--
+2.20.1
+
diff --git a/mujs.spec b/mujs.spec
index 5a23a9b..21104e9 100644
--- a/mujs.spec
+++ b/mujs.spec
@@ -1,6 +1,6 @@
 Name: mujs
 Version: 1.2.0
-Release: 2
+Release: 3
 Summary: An embeddable Javascript interpreter
 License: ISC
 URL: http://mujs.com/
@@ -13,6 +13,8 @@ Patch0001: 0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
 Patch0002: 0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
 # CVE-2022-30975
 Patch0003: 0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
+# CVE-2022-44789
+Patch0004: 0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch
 
 BuildRequires: coreutils
 BuildRequires: gcc
@@ -38,6 +40,7 @@ chmod a-x -v docs/*
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
 
 %build
 make debug %{?_smp_mflags} XCFLAGS="%{optflags} -fPIC" LDFLAGS="%{?__global_ldflags}"
@@ -59,6 +62,9 @@ make install DESTDIR=%{buildroot} prefix="%{_prefix}" libdir="%{_libdir}" \
 %{_libdir}/lib%{name}.a
 
 %changelog
+* Tue Feb 21 2023 liweiganga - 1.2.0-3
+- fix: fix CVE-2022-44789
+
 * Tue Sep 27 2022 liweiganga - 1.2.0-2
 - fix: fix CVE-2022-30974 CVE-2022-30974
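Review bot: The vendored upstream fix switches js_setproperty to js_defproperty only inside O_getOwnPropertyDescriptor and in the `hasvalue` branch of ToPropertyDescriptor, while its own message says the change covers getOwnPropertyDescriptor "and related functions"; before shipping, confirm against the 1.2.0 jsobject.c that no other site in that file populates a freshly created result object with js_setproperty, since any such site would still dispatch through Object.prototype accessors the same way. The nested hunk offsets (@@ -134,25 and @@ -248,7) come from the upstream tree rather than the 1.2.0 tarball, so it is worth checking that `%patch0004 -p1` applies without fuzz in %prep and that the "configurable" line, which the stored patch file must contain intact, was not damaged when the file was added. Both O_getOwnPropertyDescriptor and ToPropertyDescriptor begin and end outside the nested hunks.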