iotjs: CVE-2020-29657

Debian Bug report logs - #977736

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 19 Dec 2020 20:06:02 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in versions iotjs/1.0+715-1, iotjs/1.0-1

Forwarded to https://github.com/jerryscript-project/jerryscript/issues/4244



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#977736; Package src:iotjs. (Sat, 19 Dec 2020 20:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 19 Dec 2020 20:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iotjs: CVE-2020-29657
Date: Sat, 19 Dec 2020 21:02:35 +0100
Source: iotjs
Version: 1.0+715-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jerryscript-project/jerryscript/issues/4244
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.0-1

Hi,

The following vulnerability was published for iotjs. Actually for
embedded jerryscript, which seems still affected up to the version
included in 1.0+715-1.

CVE-2020-29657[0]:
| In JerryScript 2.3.0, there is an out-of-bounds read in
| main_print_unhandled_exception in the main-utils.c file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29657
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29657
[1] https://github.com/jerryscript-project/jerryscript/issues/4244

Regards,
Salvatore



Marked as found in versions iotjs/1.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 19 Dec 2020 20:06:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 24 Dec 2020 17:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#977736; Package src:iotjs. (Fri, 08 Jan 2021 10:54:03 GMT)


Acknowledgement sent to rzr@users.sf.net:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 08 Jan 2021 10:54:03 GMT)


Message #14 received at 977736@bugs.debian.org:

From: Philippe Coval <rzr@users.sf.net>
To: Debian Bug Tracking System <977736@bugs.debian.org>
Subject: Re: iotjs: CVE-2020-29657 : False positive ?
Date: Thu, 07 Jan 2021 22:58:03 +0100
Package: iotjs
Followup-For: Bug #977736

Dear Maintainer,

As iotjs's Debian maintainer,
I have forwarded this issue to upstream tracker:

https://github.com/jerryscript-project/iotjs/issues/1955

But it looks like the "main_print_unhandled_exception" function is in the
jerryscript CLI program, not in the library that iotjs links with.

It can be easily verified using:

   readelf -Wsa /usr/bin/iotjs  | grep  print_

   610: 0000000000020030     1 FUNC    GLOBAL DEFAULT   14 print_stacktrace
   776: 000000000006afa0    16 FUNC    GLOBAL DEFAULT   14 jerry_port_print_char

So I think this scanner is a false positive.

I don't know if upstream iotjs plans to jerryscript soon,
and IMHO it is not worth backporting the related patch
because it won't be compiled.

Regards

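Philippe's readelf check above asks whether the symbol of the function named in the CVE is present in the shipped binary at all. As an added example (not code from the bug report, iotjs or JerryScript), here is a small Python parser that performs the same triage offline over the .symtab/.dynsym tables of an ELF64 file, run against a constructed sample ELF that mirrors the readelf output above; the symbol list and sample binary are assumptions for illustration.

```python
import struct

SHT_STRTAB, SHT_SYMTAB, SHT_DYNSYM, STT_FUNC = 3, 2, 11, 2  # section types; FUNC = low nibble of st_info
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian
SHDR = "<IIQQQQIIQQ"         # ELF64 section header
SYM = "<IBBHQQ"              # ELF64 symbol table entry

def elf_function_symbols(data):
    """Names of all FUNC symbols in the .symtab and .dynsym tables of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sec in sections:
        sh_type, off, size, link, entsize = sec[1], sec[4], sec[5], sec[6], sec[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off, str_end = sections[link][4], sections[link][4] + sections[link][5]  # linked string table
        for sym_off in range(off, off + size, entsize):
            st_name, st_info = struct.unpack_from("<IB", data, sym_off)
            if st_info & 0xF == STT_FUNC:
                names.add(data[str_off + st_name:data.index(b"\0", str_off + st_name, str_end)].decode())
    return names

def triage(data, suspect_functions):
    """Map each function named in an advisory to whether the binary carries its symbol. Caveat: a
    stripped binary keeps only .dynsym, so static (file-local) functions never appear; a missing
    symbol is evidence that the code path is not compiled in, not proof."""
    present = elf_function_symbols(data)
    return {fn: fn in present for fn in suspect_functions}

def build_sample_elf(func_names):
    """Constructed sample: a minimal ELF64 with only a .dynsym/.dynstr pair, not a real binary."""
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in func_names)
    syms, name_off = b"\0" * 24, 1                          # mandatory null symbol first
    for n in func_names:
        syms += struct.pack(SYM, name_off, (1 << 4) | STT_FUNC, 0, 14, 0x20000, 16)  # GLOBAL FUNC
        name_off += len(n) + 1
    dynsym_off = 64 + 3 * 64                                # file header + 3 section headers
    dynstr_off = dynsym_off + len(syms)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)
    shdrs = struct.pack(SHDR, *([0] * 10))                                           # SHN_UNDEF
    shdrs += struct.pack(SHDR, 0, SHT_DYNSYM, 2, 0, dynsym_off, len(syms), 2, 1, 8, 24)
    shdrs += struct.pack(SHDR, 0, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    return ehdr + shdrs + syms + dynstr

# Function named in the CVE plus the two symbols the bug report's readelf output showed (assumed list).
SUSPECT = ["main_print_unhandled_exception", "print_stacktrace", "jerry_port_print_char"]
SAMPLE_ELF = build_sample_elf(["print_stacktrace", "jerry_port_print_char"])
```

On a real package binary, `triage(open("/usr/bin/iotjs", "rb").read(), SUSPECT)` gives the same present/absent verdict the readelf pipeline does.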


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#977736; Package src:iotjs. (Sat, 09 Jan 2021 08:36:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 09 Jan 2021 08:36:02 GMT)


Message #19 received at 977736@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: rzr@users.sf.net, 977736@bugs.debian.org
Cc: yadd@debian.org
Subject: Re: Bug#977736: iotjs: CVE-2020-29657 : False positive ?
Date: Sat, 9 Jan 2021 09:32:03 +0100
Control: severity -1 minor

Hi

On Thu, Jan 07, 2021 at 10:58:03PM +0100, Philippe Coval wrote:
> Package: iotjs
> Followup-For: Bug #977736
> 
> Dear Maintainer,
> 
> As iotjs's Debian maintainer,
> I have forwarded this issue to upstream tracker:
> 
> https://github.com/jerryscript-project/iotjs/issues/1955
> 
> But it looks like the "main_print_unhandled_exception" function is in the
> jerryscript CLI program, not in the library that iotjs links with.
> 
> It can be easily verified using:
> 
>    readelf -Wsa /usr/bin/iotjs  | grep  print_
> 
>    610: 0000000000020030     1 FUNC    GLOBAL DEFAULT   14 print_stacktrace
>    776: 000000000006afa0    16 FUNC    GLOBAL DEFAULT   14 jerry_port_print_char
> 
> So I think this scanner is a false positive.
> 
> I don't know if upstream iotjs plans to jerryscript soon,
> and IMHO it is not worth backporting the related patch
> because it won't be compiled.

Okay, indeed: while it might affect the source code itself, it seems not
to affect the binary package, in particular, as you found, for the iotjs use
(and it does not compile main-utils.c).

I'm doing two things. Downgrading the severity to minor: I think the bug
can just be closed once upstream has rebased the JerryScript copy to the
version including the fix.

Marking it as unimportant in the security-tracker, indicating it does
not affect the iotjs-produced binary packages at all.

I do agree that there is no sense in backporting the related patch to
iotjs.

Regards,
Salvatore



Severity set to 'minor' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 977736-submit@bugs.debian.org. (Sat, 09 Jan 2021 08:36:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 12:55:54 2021; Machine Name: bembo
