Source: mruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mruby.

CVE-2021-46020[0]:
| An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can
| lead to a segmentation fault or application crash.

https://github.com/mruby/mruby/issues/5613
https://github.com/mruby/mruby/commit/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
https://github.com/mruby/mruby/commit/d3b7601af96c9e0eeba4c89359289661c755a74a

CVE-2022-0240[1]:
| mruby is vulnerable to NULL Pointer Dereference

https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb/
https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca

CVE-2022-0481[2]:
| NULL Pointer Dereference in Homebrew mruby prior to 3.2.

https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027
https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e

CVE-2022-0890[3]:
| NULL Pointer Dereference in GitHub repository mruby/mruby prior to
| 3.2.

https://huntr.dev/bounties/68e09ec1-6cc7-48b8-981d-30f478c70276/
https://github.com/mruby/mruby/commit/da48e7dbb20024c198493b8724adae1b842083aa

CVE-2022-1071[4]:
| User after free in mrb_vm_exec in GitHub repository mruby/mruby prior
| to 3.2.

https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3
https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f

CVE-2022-1427[5]:
| Out-of-bounds Read in mrb_obj_is_kind_of in in GitHub repository
| mruby/mruby prior to 3.2. # Impact: Possible arbitrary code execution
| if being exploited.

https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b

CVE-2022-1201[6]:
| NULL Pointer Dereference in mrb_vm_exec with super in GitHub
| repository mruby/mruby prior to 3.2. This vulnerability is capable of
| making the mruby interpreter crash, thus affecting the availability of
| the system.

https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b
https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46020
[1] https://security-tracker.debian.org/tracker/CVE-2022-0240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0240
[2] https://security-tracker.debian.org/tracker/CVE-2022-0481
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0481
[3] https://security-tracker.debian.org/tracker/CVE-2022-0890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0890
[4] https://security-tracker.debian.org/tracker/CVE-2022-1071
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1071
[5] https://security-tracker.debian.org/tracker/CVE-2022-1427
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1427
[6] https://security-tracker.debian.org/tracker/CVE-2022-1201
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1201

Please adjust the affected versions in the BTS as needed.