Debian Bug report logs - #1014968
mruby: CVE-2021-46020 CVE-2022-0240 CVE-2022-0481 CVE-2022-0890 CVE-2022-1071 CVE-2022-1427 CVE-2022-1201
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>: Bug#1014968; Package src:mruby. (Fri, 15 Jul 2022 12:30:06 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Nobuhiro Iwamatsu <iwamatsu@debian.org>. (Fri, 15 Jul 2022 12:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mruby
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mruby.
CVE-2021-46020[0]:
| An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can
| lead to a segmentation fault or application crash.
https://github.com/mruby/mruby/issues/5613
https://github.com/mruby/mruby/commit/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
https://github.com/mruby/mruby/commit/d3b7601af96c9e0eeba4c89359289661c755a74a
CVE-2022-0240[1]:
| mruby is vulnerable to NULL Pointer Dereference
https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb/
https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca
CVE-2022-0481[2]:
| NULL Pointer Dereference in Homebrew mruby prior to 3.2.
https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027
https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e
CVE-2022-0890[3]:
| NULL Pointer Dereference in GitHub repository mruby/mruby prior to
| 3.2.
https://huntr.dev/bounties/68e09ec1-6cc7-48b8-981d-30f478c70276/
https://github.com/mruby/mruby/commit/da48e7dbb20024c198493b8724adae1b842083aa
CVE-2022-1071[4]:
| Use after free in mrb_vm_exec in GitHub repository mruby/mruby prior
| to 3.2.
https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3
https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f
CVE-2022-1427[5]:
| Out-of-bounds Read in mrb_obj_is_kind_of in GitHub repository
| mruby/mruby prior to 3.2. # Impact: Possible arbitrary code execution
| if being exploited.
https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b
CVE-2022-1201[6]:
| NULL Pointer Dereference in mrb_vm_exec with super in GitHub
| repository mruby/mruby prior to 3.2. This vulnerability is capable of
| making the mruby interpreter crash, thus affecting the availability of
| the system.
https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b
https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-46020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46020
[1] https://security-tracker.debian.org/tracker/CVE-2022-0240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0240
[2] https://security-tracker.debian.org/tracker/CVE-2022-0481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0481
[3] https://security-tracker.debian.org/tracker/CVE-2022-0890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0890
[4] https://security-tracker.debian.org/tracker/CVE-2022-1071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1071
[5] https://security-tracker.debian.org/tracker/CVE-2022-1427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1427
[6] https://security-tracker.debian.org/tracker/CVE-2022-1201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1201
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jul 2022 15:00:04 GMT)
Last modified: Sat Jul 16 13:16:54 2022