Bug#1100987: quickjs: CVE-2024-13903
Sebastian Humenda
shumenda at gmx.de
Thu Apr 3 14:44:06 BST 2025
Hi
Moritz Mühlenhoff wrote on 21.03.2025, 14:21 +0100:
>The following vulnerability was published for quickjs.
[reordered]
>This was reported by a quickjs fork, but I suppose it also affects
>the original quickjs packaged in Debian?
This is hard to tell. The commit contains unrelated changes and for the
mentioned quickjs.c, the diff says:
>diff --git a/quickjs.c b/quickjs.c
>index d0ca6268f..984ab4539 100644
>--- a/quickjs.c
>+++ b/quickjs.c
>@@ -2517,7 +2517,7 @@ JSRuntime *JS_GetRuntime(JSContext *ctx)
>
> static void update_stack_limit(JSRuntime *rt)
> {
>-#if defined(__wasi__) || (defined(__ASAN__) && !defined(NDEBUG))
>+#if defined(__wasi__)
> rt->stack_limit = 0; /* no limit */
> #else
>
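Review bot: the `#if` at the top of update_stack_limit() drops its `defined(__ASAN__) && !defined(NDEBUG)` clause without any comment explaining why, so nothing in the hunk tells a reader that ASAN debug builds now fall through to the `#else` branch instead of taking `rt->stack_limit = 0; /* no limit */`. A short comment above the `#if` saying that only `__wasi__` builds run without a stack limit, and the reason, would make the intent reviewable. The JS_GetRuntime name in the `@@` line is only the context label diff prints for the preceding function; the changed line sits in update_stack_limit(), and the `#else` body that sets the limit is not shown here, so comparing another tree means looking at the `#if` in its own update_stack_limit().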
Given that `JS_GetRuntime` is:
>JSRuntime *JS_GetRuntime(JSContext *ctx)
>{
> return ctx->rt;
>}
I cannot see immediately whether quickjs is affected. Due to a lack of time in the coming weeks, I would appreciate help.
Cheers
Sebastian