Bug 1412967 (CVE-2016-10132, CVE-2016-10133, CVE-2016-10141, CVE-2017-5627, CVE-2017-5628) - CVE-2016-10132 CVE-2016-10133 CVE-2016-10141 CVE-2017-5627 CVE-2017-5628 mujs: Multiple security issues
Status: CLOSED UPSTREAM
Alias: CVE-2016-10132, CVE-2016-10133, CVE-2016-10141, CVE-2017-5627, CVE-2017-5628
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1412968
Reported: 2017-01-13 09:50 UTC by Andrej Nemec
Modified: 2019-09-29 14:04 UTC

Last Closed: 2019-06-08 03:05:30 UTC

Description Andrej Nemec 2017-01-13 09:50:33 UTC
Two security issues received CVEs on oss-security.

1. Null pointer dereference in regexp.c - CVE-2016-10132

The return value from malloc is not properly checked before dereferencing it, which can result in a crash.

https://bugs.ghostscript.com/show_bug.cgi?id=697381
http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569

2. Heap buffer overflow write in jsrun.c: js_stackoverflow() - CVE-2016-10133

There was a logical error in the code which can be used to trigger a heap overflow write.

https://bugs.ghostscript.com/show_bug.cgi?id=697401
http://git.ghostscript.com/?p=mujs.git;a=commit;h=77ab465f1c394bb77f00966cd950650f3f53cb24

Comment 1 Andrej Nemec 2017-01-13 09:50:53 UTC
Created mujs tracking bugs for this issue:

Affects: fedora-all [bug 1412968]

Comment 2 Andrej Nemec 2017-01-13 10:15:07 UTC
One more issue came via CVENEW:

3. Integer overflow in the regemit function - CVE-2016-10141

An integer overflow vulnerability was observed in the regemit function
in regexp.c in Artifex Software, Inc. MuJS before
fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular
expression with nested repetition. A successful exploitation of this
issue can lead to code execution or a denial of service (buffer
overflow) condition.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697448

Upstream patch:

http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045
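
The failure mode described in comment 2 (nested repetition overflowing an integer, with a buffer overflow as the consequence), shown as an added C example that is not part of this bug report and is not MuJS code. The node types, the 16-bit counter, the `MAXPROG` cap, the modelling of `x{max}` as `max` copies of `x`, and the sample tree are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical regex AST and size cap for illustration; not MuJS's own types. */
enum { N_CHAR, N_CAT, N_REP };
struct node { int type; int max; const struct node *x, *y; };
#define MAXPROG 32768 /* assumed limit on emitted instructions */

/* Unchecked sizing: x{max} is modelled as max copies of x, so nested
 * repetition multiplies the count until it wraps in the 16-bit counter. */
static unsigned short count_unchecked(const struct node *n)
{
	switch (n->type) {
	case N_CAT: return (unsigned short)(count_unchecked(n->x) + count_unchecked(n->y));
	case N_REP: return (unsigned short)(n->max * count_unchecked(n->x));
	default: return 1;
	}
}

/* Checked sizing: 0 and *out = size on success, -1 if size would exceed MAXPROG. */
static int count_checked(const struct node *n, size_t *out)
{
	size_t a = 0, b = 0;
	switch (n->type) {
	case N_CAT:
		if (count_checked(n->x, &a) || count_checked(n->y, &b)) return -1;
		if (a > MAXPROG - b) return -1;
		*out = a + b;
		return 0;
	case N_REP:
		if (n->max < 0 || count_checked(n->x, &a)) return -1;
		if (n->max != 0 && a > MAXPROG / (size_t)n->max) return -1;
		*out = a * (size_t)n->max;
		return 0;
	default: *out = 1; return 0;
	}
}

/* Constructed sample: (a{256}){256}, a two-level nested repetition. */
static const struct node ch = { N_CHAR, 0, NULL, NULL };
static const struct node inner = { N_REP, 256, &ch, NULL };
static const struct node outer = { N_REP, 256, &inner, NULL };

int main(void)
{
	size_t n = 0;
	printf("unchecked size: %u\n", (unsigned)count_unchecked(&outer));
	printf("checked: %s\n", count_checked(&outer, &n) ? "rejected" : "accepted");
	return 0;
}
```

A buffer allocated from the unchecked count would be sized for 0 instructions while the emitter writes 65536; the checked version rejects the pattern before any allocation happens.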

Comment 3 Andrej Nemec 2017-01-30 11:23:36 UTC
Two more issues came via CVENEW:

4. Integer overflow in the js_pushstring function - CVE-2017-5627

An issue was discovered in Artifex Software, Inc. MuJS before
4006739a28367c708dea19aeb19b8a1a9326ce08. The jsR_setproperty function
in jsrun.c lacks a check for a negative array length. This leads to an
integer overflow in the js_pushstring function in jsrun.c when parsing
a specially crafted JS file.

5. Integer overflow in the MakeDay function - CVE-2017-5628

An issue was discovered in Artifex Software, Inc. MuJS before
8f62ea10a0af68e56d5c00720523ebcba13c2e6a. The MakeDay function in
jsdate.c does not validate the month, leading to an integer overflow
when parsing a specially crafted JS file.

Comment 4 Product Security DevOps Team 2019-06-08 03:05:30 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.