Version in base suite: 1.1.0-1+deb11u1 Base version: mujs_1.1.0-1+deb11u1 Target version: mujs_1.1.0-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mujs/mujs_1.1.0-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mujs/mujs_1.1.0-1+deb11u2.dsc changelog | 6 + patches/Check-stack-overflow-during-regexp-compilation.patch | 60 ++++++++++ patches/Cope-with-empty-programs-in-mujs-pp.patch | 51 ++++++++ patches/Dont-fclose-a-FILE-that-is-NULL.patch | 22 +++ patches/Fix-use-after-free-in-getOwnPropertyDescriptor.patch | 66 +++++++++++ patches/series | 4 6 files changed, 209 insertions(+)
diff -Nru mujs-1.1.0/debian/changelog mujs-1.1.0/debian/changelog
--- mujs-1.1.0/debian/changelog 2022-02-25 20:18:16.000000000 +0000
+++ mujs-1.1.0/debian/changelog 2022-11-21 12:10:02.000000000 +0000
@@ -1,3 +1,9 @@
+mujs (1.1.0-1+deb11u2) bullseye-security; urgency=medium
+
+ * Fix CVE-2022-44789, CVE-2022-30974, and CVE-2022-30975 via upstream patches
+
+ -- Bastian Germann Mon, 21 Nov 2022 13:10:02 +0100
+
 mujs (1.1.0-1+deb11u1) bullseye; urgency=high
 * Clear jump list after patching jump addresses (CVE-2021-45005)
diff -Nru mujs-1.1.0/debian/patches/Check-stack-overflow-during-regexp-compilation.patch mujs-1.1.0/debian/patches/Check-stack-overflow-during-regexp-compilation.patch
--- mujs-1.1.0/debian/patches/Check-stack-overflow-during-regexp-compilation.patch 1970-01-01 00:00:00.000000000 +0000
+++ mujs-1.1.0/debian/patches/Check-stack-overflow-during-regexp-compilation.patch 2022-07-05 12:32:57.000000000 +0000
@@ -0,0 +1,60 @@
+Origin: upstream, http://git.ghostscript.com/?p=mujs.git;a=commit;h=160ae29578054dc09fd91e5401ef040d52797e61
+From: Tor Andersson
+Date: Tue, 17 May 2022 15:31:50 +0200
+Subject: Issue #162: Check stack overflow during regexp compilation.
+
+Only bother checking during the first compilation pass that counts
+the size of the program.
+---
+ regexp.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/regexp.c b/regexp.c
+index 9d16867..8a43fef 100644
+--- a/regexp.c
++++ b/regexp.c
+@@ -622,25 +622,26 @@ struct Reinst {
+ Reinst *y;
+ };
+
+-static int count(struct cstate *g, Renode *node)
++static int count(struct cstate *g, Renode *node, int depth)
+ {
+ int min, max, n;
+ if (!node) return 0;
++ if (++depth > REG_MAXREC) die(g, "stack overflow");
+ switch (node->type) {
+ default: return 1;
+- case P_CAT: return count(g, node->x) + count(g, node->y);
+- case P_ALT: return count(g, node->x) + count(g, node->y) + 2;
++ case P_CAT: return count(g, node->x, depth) + count(g, node->y, depth);
++ case P_ALT: return count(g, node->x, depth) + count(g, node->y, depth) + 2;
+ case P_REP:
+ min = node->m;
+ max = node->n;
+- if (min == max) n = count(g, node->x) * min;
+- else if (max < REPINF) n = count(g, node->x) * max + (max - min);
+- else n = count(g, node->x) * (min + 1) + 2;
++ if (min == max) n = count(g, node->x, depth) * min;
++ else if (max < REPINF) n = count(g, node->x, depth) * max + (max - min);
++ else n = count(g, node->x, depth) * (min + 1) + 2;
+ if (n < 0 || n > REG_MAXPROG) die(g, "program too large");
+ return n;
+- case P_PAR: return count(g, node->x) + 2;
+- case P_PLA: return count(g, node->x) + 2;
+- case P_NLA: return count(g, node->x) + 2;
++ case P_PAR: return count(g, node->x, depth) + 2;
++ case P_PLA: return count(g, node->x, depth) + 2;
++ case P_NLA: return count(g, node->x, depth) + 2;
+ }
+ }
+
+@@ -903,7 +904,7 @@ Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n),
void *ctx,
+ putchar('\n');
+ #endif
+
+- n = 6 + count(&g, node);
++ n = 6 + count(&g, node, 0);
+ if (n < 0 || n > REG_MAXPROG)
+ die(&g, "program too large");
+
diff -Nru mujs-1.1.0/debian/patches/Cope-with-empty-programs-in-mujs-pp.patch mujs-1.1.0/debian/patches/Cope-with-empty-programs-in-mujs-pp.patch
--- mujs-1.1.0/debian/patches/Cope-with-empty-programs-in-mujs-pp.patch 1970-01-01 00:00:00.000000000 +0000
+++ mujs-1.1.0/debian/patches/Cope-with-empty-programs-in-mujs-pp.patch 2022-07-05 12:32:57.000000000 +0000
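Review bot: The rewritten P_REP lines (`n = count(g, node->x, depth) * min;` and the two siblings) still multiply two `int`s and then rely on `n < 0` to catch the result, which is signed overflow and therefore undefined behaviour rather than a reliable wraparound test; computing the product in a `long long` intermediate and comparing it against REG_MAXPROG before narrowing to `n` would make the "program too large" bound hold regardless of optimisation. The new `++depth > REG_MAXREC` guard itself is placed well, after the NULL return so only real nodes count, but nothing says why one check in count() is enough; a comment such as `/* depth bounds recursion over the node tree; emit() walks the same tree to the same depth, so one check here covers both passes */` above the guard would capture the reasoning the commit message gives. The regcompx hunk only threads the initial depth of 0 and its enclosing function starts and ends outside the hunk.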
@@ -0,0 +1,51 @@
+Origin: upstream, http://git.ghostscript.com/?p=mujs.git;a=commit;h=f5b3c703e18725e380b83427004632e744f85a6f
+From: Tor Andersson
+Date: Tue, 17 May 2022 15:57:00 +0200
+Subject: Issue #161: Cope with empty programs in mujs-pp.
+
+---
+ jsdump.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/jsdump.c b/jsdump.c
+index 86361e6..42c9f0f 100644
+--- a/jsdump.c
++++ b/jsdump.c
+@@ -682,11 +682,13 @@ static void pstmlist(int d, js_Ast *list)
+ void jsP_dumpsyntax(js_State *J, js_Ast *prog, int dominify)
+ {
+ minify = dominify;
+- if (prog->type == AST_LIST)
+- pstmlist(-1, prog);
+- else {
+- pstm(0, prog);
+- nl();
++ if (prog) {
++ if (prog->type == AST_LIST)
++ pstmlist(-1, prog);
++ else {
++ pstm(0, prog);
++ nl();
++ }
+ }
+ if (minify > 1)
+ putchar('\n');
+@@ -768,11 +770,13 @@ static void sblock(int d, js_Ast *list)
+ void jsP_dumplist(js_State *J, js_Ast *prog)
+ {
+ minify = 0;
+- if (prog->type == AST_LIST)
+- sblock(0, prog);
+- else
+- snode(0, prog);
+- nl();
++ if (prog) {
++ if (prog->type == AST_LIST)
++ sblock(0, prog);
++ else
++ snode(0, prog);
++ nl();
++ }
+ }
+
+ /* Compiled code */
diff -Nru mujs-1.1.0/debian/patches/Dont-fclose-a-FILE-that-is-NULL.patch mujs-1.1.0/debian/patches/Dont-fclose-a-FILE-that-is-NULL.patch
--- mujs-1.1.0/debian/patches/Dont-fclose-a-FILE-that-is-NULL.patch 1970-01-01 00:00:00.000000000 +0000
+++ mujs-1.1.0/debian/patches/Dont-fclose-a-FILE-that-is-NULL.patch 2022-07-05 12:32:57.000000000 +0000
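Review bot: jsP_dumpsyntax and jsP_dumplist now accept a NULL prog, but nothing at either definition records that an empty program is valid input, so a caller reading the prototypes still has to guess. A one-line comment above each new `if (prog) {`, e.g. `/* prog is NULL for an empty program: nothing to print */`, would make the contract explicit. In jsP_dumpsyntax the trailing `if (minify > 1) putchar('\n');` still executes for a NULL prog, which looks intentional (an empty minified output still ends with a newline) but is worth confirming since the commit message does not say.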
@@ -0,0 +1,22 @@
+Origin: upstream, http://git.ghostscript.com/?p=mujs.git;a=commit;h=910acc807c3c057e1c0726160808f3a9f37b40ec
+From: Tor Andersson
+Date: Tue, 17 May 2022 15:53:30 +0200
+Subject: Issue #161: Don't fclose a FILE that is NULL.
+
+---
+ pp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pp.c b/pp.c
+index bf6000c..2657369 100644
+--- a/pp.c
++++ b/pp.c
+@@ -34,7 +34,7 @@ void js_ppfile(js_State *J, const char *filename, int minify)
+
+ if (js_try(J)) {
+ js_free(J, s);
+- fclose(f);
++ if (f) fclose(f);
+ js_throw(J);
+ }
+
diff -Nru mujs-1.1.0/debian/patches/Fix-use-after-free-in-getOwnPropertyDescriptor.patch mujs-1.1.0/debian/patches/Fix-use-after-free-in-getOwnPropertyDescriptor.patch
--- mujs-1.1.0/debian/patches/Fix-use-after-free-in-getOwnPropertyDescriptor.patch 1970-01-01 00:00:00.000000000 +0000
+++ mujs-1.1.0/debian/patches/Fix-use-after-free-in-getOwnPropertyDescriptor.patch 2022-11-21 12:10:02.000000000 +0000
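Review bot: The new `if (f) fclose(f);` reads `f` inside a handler entered by longjmp (js_try is a setjmp wrapper in mujs); if `f` is declared as a plain automatic `FILE *` and assigned by fopen after the js_try call, both of which are outside this hunk, then per C11 7.13.2.1 its value in the handler is indeterminate, so the NULL test can pass on a stale value and either leak the stream or fclose a garbage pointer. The robust form is to declare the variables the handler touches as `FILE * volatile f = NULL;` and `char * volatile s = NULL;`, or to open the file before entering js_try so that no modification happens between setjmp and longjmp. The same consideration applies to `s`, which is freed on the line above the change. js_ppfile starts and ends outside the hunk.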
@@ -0,0 +1,66 @@
+Origin: upstream, http://git.ghostscript.com/?p=mujs.git;a=commit;h=edb50ad66f7601ca9a3544a0e9045e8a8c60561f
+From: Tor Andersson
+Date: Mon, 7 Nov 2022 12:52:05 +0100
+Subject: Bug 706057: Fix use-after-free in getOwnPropertyDescriptor.
+
+getOwnPropertyDescriptor should create the descriptor object by
+using [[DefineOwnProperty]], and not by looking through the prototype
+chain where it may invoke getters and setters on the Object.prototype.
+
+If there exists an Object.prototype.get property with a setter, that method is
+invoked when it shouldn't. A malicious getter here can delete the property
+currently being processed in getOwnPropertyDescriptor, and we'll end up
+with a use-after-free bug.
+
+Avoid this problem by following the spec and use js_defproperty rather than
+js_setproperty to define own properties in getOwnPropertyDescriptor and
+related functions.
+---
+ jsobject.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/jsobject.c b/jsobject.c
+index 78ea344..a58fc3a 100644
+--- a/jsobject.c
++++ b/jsobject.c
+@@ -134,25 +134,25 @@ static void O_getOwnPropertyDescriptor(js_State *J)
+ js_newobject(J);
+ if (!ref->getter && !ref->setter) {
+ js_pushvalue(J, ref->value);
+- js_setproperty(J, -2, "value");
++ js_defproperty(J, -2, "value", 0);
+ js_pushboolean(J, !(ref->atts & JS_READONLY));
+- js_setproperty(J, -2, "writable");
++ js_defproperty(J, -2, "writable", 0);
+ } else {
+ if (ref->getter)
+ js_pushobject(J, ref->getter);
+ else
+ js_pushundefined(J);
+- js_setproperty(J, -2, "get");
++ js_defproperty(J, -2, "get", 0);
+ if (ref->setter)
+ js_pushobject(J, ref->setter);
+ else
+ js_pushundefined(J);
+- js_setproperty(J, -2, "set");
++ js_defproperty(J, -2, "set", 0);
+ }
+ js_pushboolean(J, !(ref->atts & JS_DONTENUM));
+- js_setproperty(J, -2, "enumerable");
++ js_defproperty(J, -2, "enumerable", 0);
+ js_pushboolean(J, !(ref->atts & JS_DONTCONF));
+- js_setproperty(J, -2, "configurable");
++
js_defproperty(J, -2, "configurable", 0);
+ }
+ }
+
+@@ -248,7 +248,7 @@ static void ToPropertyDescriptor(js_State *J, js_Object *obj, const char *name,
+ }
+ if (js_hasproperty(J, -1, "value")) {
+ hasvalue = 1;
+- js_setproperty(J, -3, name);
++ js_defproperty(J, -3, name, 0);
+ }
+
+ if (!writable) atts |= JS_READONLY;
diff -Nru mujs-1.1.0/debian/patches/series mujs-1.1.0/debian/patches/series
--- mujs-1.1.0/debian/patches/series 2022-02-25 20:17:24.000000000 +0000
+++ mujs-1.1.0/debian/patches/series 2022-11-21 12:10:02.000000000 +0000
@@ -1,3 +1,7 @@
 Install-versioned-shared-library.patch
 Set-the-right-.pc-version.patch
 Clear-jump-list-after-patching-jump-addresses.patch
+Check-stack-overflow-during-regexp-compilation.patch
+Cope-with-empty-programs-in-mujs-pp.patch
+Dont-fclose-a-FILE-that-is-NULL.patch
+Fix-use-after-free-in-getOwnPropertyDescriptor.patch
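Review bot: O_getOwnPropertyDescriptor now relies on js_defproperty never executing script while `ref` is held across the six js_defproperty calls, but nothing in the function says so, so a later cleanup that switches back to js_setproperty (or routes js_defproperty through the prototype lookup) would silently reintroduce the use-after-free the commit message describes. A comment above `js_newobject(J);` would pin the invariant, e.g. `/* Build the descriptor with [[DefineOwnProperty]] (js_defproperty): js_setproperty consults Object.prototype, and a user setter there could delete the property ref points at before we are done reading it. */`. The attribute argument of 0 is the right value here, since JS_READONLY/JS_DONTENUM/JS_DONTCONF are flags and a descriptor object's fields are writable, enumerable and configurable. In the ToPropertyDescriptor hunk the value is defined on the object at stack index -3 with attributes 0 and the final `atts` is applied after the hunk, so it is worth confirming that an existing read-only property is not left writable between the two steps; that function starts and ends outside the hunk.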