1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1100987: quickjs: CVE-2024-13903

    From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Fri Mar 21 14:30:02 2025
    Source: quickjs
    X-Debbugs-CC: team@security.debian.org
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for quickjs.

    CVE-2024-13903[0]:
    | A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has
    | been declared as problematic. Affected by this vulnerability is the
    | function JS_GetRuntime of the file quickjs.c of the component qjs.
    | The manipulation leads to stack-based buffer overflow. The attack
    | can be launched remotely. Upgrading to version 0.9.0 is able to
    | address this issue. The patch is named
    | 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to
    | upgrade the affected component.

    This was reported by a quickjs fork, but I suppose it also affects
    the original quickjs packaged in Debian?

    https://github.com/quickjs-ng/quickjs/issues/775 https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-13903
    https://www.cve.org/CVERecord?id=CVE-2024-13903

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sebastian Humenda@21:1/5 to the diff on Thu Apr 3 15:50:01 2025
    Hi

    Moritz Mühlenhoff schrieb am 21.03.2025, 14:21 +0100:
    The following vulnerability was published for quickjs.
    [reordered]
    This was reported by a quickjs fork, but I suppose it also affects
    the original quickjs packaged in Debian?

    This is hard to tell. The commit contains unrelated changes and for the mentioned quickjs.c, the diff says:

    diff --git a/quickjs.c b/quickjs.c
    index d0ca6268f..984ab4539 100644
    --- a/quickjs.c
    +++ b/quickjs.c
    @@ -2517,7 +2517,7 @@ JSRuntime *JS_GetRuntime(JSContext *ctx)

    static void update_stack_limit(JSRuntime *rt)
    {
    -#if defined(__wasi__) || (defined(__ASAN__) && !defined(NDEBUG))
    +#if defined(__wasi__)
    rt->stack_limit = 0; /* no limit */
    #else


    Given that `JS_GetRuntime` is:

    JSRuntime *JS_GetRuntime(JSContext *ctx)
    {
    return ctx->rt;
    }

    I cannot see immediately whether quickjs is affected. Due to a lack of time in the coming weeks, I would appreciate help.

    Cheers
    Sebastian

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEDdK8MMbHMms/+s0k2/EkeQsw7KUFAmfukKMACgkQ2/EkeQsw 7KUglxAAqz/gBzlm57cwtEItjkQLN5GpIsFrPIrS3aQmuxGNzoaOJMK9x4Js25CQ HrOvJYeMTN2A8XvWEfIz6SllRb5/CaAuY5p8wDMlwaLjXmkf6T7+0Ih/VeuBsBnE yqsh9t9uFB919nnIPviB6yAzgk2a6gT5z0Xx/G+/A88eQ4hggq4AFUAZlZPVlwYL dAuwIktxy/OgxQpvlkrblrKgY5sX/dWMErCVYCyMjI6Pv/LwSB4gRfqLxLBUzaxx duW2UDXVpmBdiPCXs3z4VOK5WAEDwMW9theziDWZDymy54h/QjkGOR3nHsaf8m8N EkOxIn2dnWk5tIskWRy8BK8OCqCq7CB+0vDnELaCFKm9v51lvEANsvxHX9KNzxvT 6oinGRj8P+Wc7fQBSTiPYNxAK2cpfX9XkQxIWaLqIBmSq5X4qi3kAiXI4ew7PMek vCUIIq/rahtB8rw1G4/z3ePk8otBMDQD8/4GW5Q+sQu9KB7ANBsD6m4O7VND72Qo 7vgS7sufuhFkWmFM4nsKie+qH+sSo236s6Sg3MKvDEUd2pfk53+yAnPwEw+9RSp0 c1Sy+6dbQjChyPDhTZJJ6xGv2itYCnsY8s8e0TFwZp3tmyDFr/FnDr9AsDr2ufU8 tghDm+mHGhEyqhK2xK4CAScj3WPzzuiJCn+d6PzOejRukJOZ/wQ=
    =i07d
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)