Hi

Moritz Mühlenhoff wrote on 21.03.2025, 14:21 +0100:
>The following vulnerability was published for quickjs.
[reordered]
>This was reported by a quickjs fork, but I suppose it also affects
>the original quickjs packaged in Debian?

This is hard to tell. The commit contains unrelated changes and for the
mentioned quickjs.c, the diff says:

>diff --git a/quickjs.c b/quickjs.c
>index d0ca6268f..984ab4539 100644
>--- a/quickjs.c
>+++ b/quickjs.c
>@@ -2517,7 +2517,7 @@ JSRuntime *JS_GetRuntime(JSContext *ctx)
>
> static void update_stack_limit(JSRuntime *rt)
> {
>-#if defined(__wasi__) || (defined(__ASAN__) && !defined(NDEBUG))
>+#if defined(__wasi__)
>     rt->stack_limit = 0; /* no limit */
> #else
> 
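Review bot: in `update_stack_limit()`, the `#if` loses the `(defined(__ASAN__) && !defined(NDEBUG))` case with no comment explaining why ASAN debug builds should now fall through to the `#else` branch instead of getting `rt->stack_limit = 0`. A short comment above the `#if` stating the reason would help. The `#else` body is cut off here, so the limit those builds now receive cannot be checked from this hunk. The `JS_GetRuntime` in the `@@` header is only the preceding function picked up as hunk context; the changed line sits inside `update_stack_limit`.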

Given that `JS_GetRuntime` is:

>JSRuntime *JS_GetRuntime(JSContext *ctx)
>{
>    return ctx->rt;
>}

I cannot see immediately whether quickjs is affected. Due to a lack of time in 
the coming weeks, I would appreciate help.

Cheers
Sebastian
