fix CVE-2022-44789

0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch

@@ -0,0 +1,69 @@
+From edb50ad66f7601ca9a3544a0e9045e8a8c60561f Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 7 Nov 2022 12:52:05 +0100
+Subject: [PATCH] Bug 706057: Fix use-after-free in getOwnPropertyDescriptor.
+
+getOwnPropertyDescriptor should create the descriptor object by
+using [[DefineOwnProperty]], and not by looking through the prototype
+chain where it may invoke getters and setters on the Object.prototype.
+
+If there exists an Object.prototype.get property with a setter, that method is
+invoked when it shouldn't. A malicious getter here can delete the property
+currently being processed in getOwnPropertyDescriptor, and we'll end up
+with a use-after-free bug.
+
+Avoid this problem by following the spec and use js_defproperty rather than
+js_setproperty to define own properties in getOwnPropertyDescriptor and
+related functions.
+---
+ jsobject.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/jsobject.c b/jsobject.c
+index 78ea344..a58fc3a 100644
+--- a/jsobject.c
++++ b/jsobject.c
+@@ -134,25 +134,25 @@ static void O_getOwnPropertyDescriptor(js_State *J)
+ 		js_newobject(J);
+ 		if (!ref->getter && !ref->setter) {
+ 			js_pushvalue(J, ref->value);
+-			js_setproperty(J, -2, "value");
++			js_defproperty(J, -2, "value", 0);
+ 			js_pushboolean(J, !(ref->atts & JS_READONLY));
+-			js_setproperty(J, -2, "writable");
++			js_defproperty(J, -2, "writable", 0);
+ 		} else {
+ 			if (ref->getter)
+ 				js_pushobject(J, ref->getter);
+ 			else
+ 				js_pushundefined(J);
+-			js_setproperty(J, -2, "get");
++			js_defproperty(J, -2, "get", 0);
+ 			if (ref->setter)
+ 				js_pushobject(J, ref->setter);
+ 			else
+ 				js_pushundefined(J);
+-			js_setproperty(J, -2, "set");
++			js_defproperty(J, -2, "set", 0);
+ 		}
+ 		js_pushboolean(J, !(ref->atts & JS_DONTENUM));
+-		js_setproperty(J, -2, "enumerable");
++		js_defproperty(J, -2, "enumerable", 0);
+ 		js_pushboolean(J, !(ref->atts & JS_DONTCONF));
+-		js_setproperty(J, -2, "configurable");
++		js_defproperty(J, -2, "configurable", 0);
+ 	}
+ }
+ 
+@@ -248,7 +248,7 @@ static void ToPropertyDescriptor(js_State *J, js_Object *obj, const char *name,
+ 	}
+ 	if (js_hasproperty(J, -1, "value")) {
+ 		hasvalue = 1;
+-		js_setproperty(J, -3, name);
++		js_defproperty(J, -3, name, 0);
+ 	}
+ 
+ 	if (!writable) atts |= JS_READONLY;
+-- 
+2.20.1
+

mujs.spec

@@ -1,6 +1,6 @@
 Name:           mujs
 Version:        1.2.0
-Release:        2
+Release:        3
 Summary:        An embeddable Javascript interpreter
 License:        ISC
 URL:            http://mujs.com/
@@ -13,6 +13,8 @@ Patch0001:      0001-Issue-162-Check-stack-overflow-during-regexp-compila.patch
 Patch0002:      0002-Issue-161-Don-t-fclose-a-FILE-that-is-NULL.patch
 # CVE-2022-30975
 Patch0003:      0003-Issue-161-Cope-with-empty-programs-in-mujs-pp.patch
+# CVE-2022-44789
+Patch0004:      0004-Bug-706057-Fix-use-after-free-in-getOwnPropertyDescr.patch
 
 BuildRequires:  coreutils
 BuildRequires:  gcc
@@ -38,6 +40,7 @@ chmod a-x -v docs/*
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
 
 %build
 make debug %{?_smp_mflags} XCFLAGS="%{optflags} -fPIC" LDFLAGS="%{?__global_ldflags}"
@@ -59,6 +62,9 @@ make install DESTDIR=%{buildroot} prefix="%{_prefix}" libdir="%{_libdir}" \
 %{_libdir}/lib%{name}.a
 
 %changelog
+* Tue Feb 21 2023 liweiganga <liweiganga@uniontech.com> - 1.2.0-3
+- fix: fix CVE-2022-44789
+
 * Tue Sep 27 2022 liweiganga <liweiganga@uniontech.com> - 1.2.0-2
 - fix: fix CVE-2022-30974 CVE-2022-30974