Bug 1412967 (CVE-2016-10132, CVE-2016-10133, CVE-2016-10141, CVE-2017-5627, CVE-2017-5628)

Summary:	CVE-2016-10132 CVE-2016-10133 CVE-2016-10141 CVE-2017-5627 CVE-2017-5628 mujs: Multiple security issues
Product:	[Other] Security Response	Reporter:	Andrej Nemec <anemec>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	psabata
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-06-08 03:05:30 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1412968
Bug Blocks:

Description Andrej Nemec 2017-01-13 09:50:33 UTC

Two security issues received CVEs on oss-security.

1. Null pointer dereference in regexp.c - CVE-2016-10132

The return value from malloc is not properly checked before dereferencing it which can result in a crash.

https://bugs.ghostscript.com/show_bug.cgi?id=697381
http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569

2. Heap buffer overflow write in jsrun.c: js_stackoverflow() - CVE-2016-10133

There was a logical error in the code which can be used to trigger a heap overflow write.

https://bugs.ghostscript.com/show_bug.cgi?id=697401
http://git.ghostscript.com/?p=mujs.git;a=commit;h=77ab465f1c394bb77f00966cd950650f3f53cb24

Comment 1 Andrej Nemec 2017-01-13 09:50:53 UTC

Created mujs tracking bugs for this issue:

Affects: fedora-all [bug 1412968]

Comment 2 Andrej Nemec 2017-01-13 10:15:07 UTC

One more issue came via CVENEW

3. Integer overflow in the regemit function - CVE-2016-10141

An integer overflow vulnerability was observed in the regemit function
in regexp.c in Artifex Software, Inc. MuJS before
fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular
expression with nested repetition. A successful exploitation of this
issue can lead to code execution or a denial of service (buffer
overflow) condition.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697448

Upstream patch:

http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045

Comment 3 Andrej Nemec 2017-01-30 11:23:36 UTC

Two more issues came via CVENEW

4. Integer overflow in the js_pushstring function - CVE-2017-5627

An issue was discovered in Artifex Software, Inc. MuJS before
4006739a28367c708dea19aeb19b8a1a9326ce08. The jsR_setproperty function
in jsrun.c lacks a check for a negative array length. This leads to an
integer overflow in the js_pushstring function in jsrun.c when parsing
a specially crafted JS file.

5. Integer overflow in the MakeDay function - CVE-2017-5628

An issue was discovered in Artifex Software, Inc. MuJS before
8f62ea10a0af68e56d5c00720523ebcba13c2e6a. The MakeDay function in
jsdate.c does not validate the month, leading to an integer overflow
when parsing a specially crafted JS file.

Comment 4 Product Security DevOps Team 2019-06-08 03:05:30 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.