mruby: CVE-2021-46020 CVE-2022-0240 CVE-2022-0481 CVE-2022-0890 CVE-2022-1071 CVE-2022-1427 CVE-2022-1201

Debian Bug report logs - #1014968

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 15 Jul 2022 12:30:04 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>:
Bug#1014968; Package src:mruby. (Fri, 15 Jul 2022 12:30:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Fri, 15 Jul 2022 12:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: mruby: CVE-2021-46020 CVE-2022-0240 CVE-2022-0481 CVE-2022-0890 CVE-2022-1071 CVE-2022-1427 CVE-2022-1201
Date: Fri, 15 Jul 2022 14:28:00 +0200
Source: mruby
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mruby.

CVE-2021-46020[0]:
| An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can
| lead to a segmentation fault or application crash.

https://github.com/mruby/mruby/issues/5613
https://github.com/mruby/mruby/commit/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
https://github.com/mruby/mruby/commit/d3b7601af96c9e0eeba4c89359289661c755a74a

CVE-2022-0240[1]:
| mruby is vulnerable to NULL Pointer Dereference

https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb/
https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-0481[2]:
| NULL Pointer Dereference in Homebrew mruby prior to 3.2.

https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027
https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e

CVE-2022-0890[3]:
| NULL Pointer Dereference in GitHub repository mruby/mruby prior to
| 3.2.

https://huntr.dev/bounties/68e09ec1-6cc7-48b8-981d-30f478c70276/
https://github.com/mruby/mruby/commit/da48e7dbb20024c198493b8724adae1b842083aa

CVE-2022-1071[4]:
| Use after free in mrb_vm_exec in GitHub repository mruby/mruby prior
| to 3.2.

https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3
https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f

CVE-2022-1427[5]:
| Out-of-bounds Read in mrb_obj_is_kind_of in GitHub repository
| mruby/mruby prior to 3.2. # Impact: Possible arbitrary code execution
| if being exploited.

https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b

CVE-2022-1201[6]:
| NULL Pointer Dereference in mrb_vm_exec with super in GitHub
| repository mruby/mruby prior to 3.2. This vulnerability is capable of
| making the mruby interpreter crash, thus affecting the availability of
| the system.

https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b
https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46020
[1] https://security-tracker.debian.org/tracker/CVE-2022-0240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0240
[2] https://security-tracker.debian.org/tracker/CVE-2022-0481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0481
[3] https://security-tracker.debian.org/tracker/CVE-2022-0890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0890
[4] https://security-tracker.debian.org/tracker/CVE-2022-1071
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1071
[5] https://security-tracker.debian.org/tracker/CVE-2022-1427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1427
[6] https://security-tracker.debian.org/tracker/CVE-2022-1201
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1201

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jul 2022 15:00:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 16 13:16:54 2022; Machine Name: bembo
