Bug 1412967 (CVE-2016-10132, CVE-2016-10133, CVE-2016-10141, CVE-2017-5627, CVE-2017-5628) - CVE-2016-10132 CVE-2016-10133 CVE-2016-10141 CVE-2017-5627 CVE-2017-5628 mujs: Multiple security issues
Summary: CVE-2016-10132 CVE-2016-10133 CVE-2016-10141 CVE-2017-5627 CVE-2017-5628 mujs...
Alias: CVE-2016-10132, CVE-2016-10133, CVE-2016-10141, CVE-2017-5627, CVE-2017-5628
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1412968
TreeView+ depends on / blocked
Reported: 2017-01-13 09:50 UTC by Andrej Nemec
Modified: 2019-09-29 14:04 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:05:30 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2017-01-13 09:50:33 UTC
Two security issues received CVEs on oss-security.

1. Null pointer dereference in regexp.c - CVE-2016-10132

The return value from malloc is not properly checked before dereferencing it which can result in a crash.


2. Heap buffer overflow write in jsrun.c: js_stackoverflow() - CVE-2016-10133

There was a logical error in the code which can be used to trigger a heap overflow write.


Comment 1 Andrej Nemec 2017-01-13 09:50:53 UTC
Created mujs tracking bugs for this issue:

Affects: fedora-all [bug 1412968]

Comment 2 Andrej Nemec 2017-01-13 10:15:07 UTC
One more issue came via CVENEW

3. Integer overflow in the regemit function - CVE-2016-10141

An integer overflow vulnerability was observed in the regemit function
in regexp.c in Artifex Software, Inc. MuJS before
fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular
expression with nested repetition. A successful exploitation of this
issue can lead to code execution or a denial of service (buffer
overflow) condition.

Upstream bug:


Upstream patch:


Comment 3 Andrej Nemec 2017-01-30 11:23:36 UTC
Two more issues came via CVENEW

4. Integer overflow in the js_pushstring function - CVE-2017-5627

An issue was discovered in Artifex Software, Inc. MuJS before
4006739a28367c708dea19aeb19b8a1a9326ce08. The jsR_setproperty function
in jsrun.c lacks a check for a negative array length. This leads to an
integer overflow in the js_pushstring function in jsrun.c when parsing
a specially crafted JS file.

5. Integer overflow in the MakeDay function - CVE-2017-5628

An issue was discovered in Artifex Software, Inc. MuJS before
8f62ea10a0af68e56d5c00720523ebcba13c2e6a. The MakeDay function in
jsdate.c does not validate the month, leading to an integer overflow
when parsing a specially crafted JS file.

Comment 4 Product Security DevOps Team 2019-06-08 03:05:30 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.