[Pkg-javascript-devel] Bug#977736: iotjs: CVE-2020-29657 : False positive ?
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 9 08:32:03 GMT 2021
Control: severity -1 minor
Hi
On Thu, Jan 07, 2021 at 10:58:03PM +0100, Philippe Coval wrote:
> Package: iotjs
> Followup-For: Bug #977736
>
> Dear Maintainer,
>
> As iotjs's Debian maintainer,
> I have forwarded this issue to upstream tracker:
>
> https://github.com/jerryscript-project/iotjs/issues/1955
>
> But it looks like the "main_print_unhandled_exception" function is in
> the jerryscript CLI program, not in the library that iotjs links with.
>
> It can be easily verified using:
>
> readelf -Wsa /usr/bin/iotjs | grep print_
>
> 610: 0000000000020030 1 FUNC GLOBAL DEFAULT 14 print_stacktrace
> 776: 000000000006afa0 16 FUNC GLOBAL DEFAULT 14 jerry_port_print_char
>
> So I think this scanner is a false positive.
>
> I don't know if upstream iotjs plan to jerryscript soon
> and IMHO it is not worth backporting the related patch
> because it won't be compiled.
Okay, indeed: while it might affect the source code itself, it seems not
the binary package, in particular, as you found, for the iotjs use
(and it does not compile main-utils.c).
I'm doing two things. Downgrading the severity to minor; I think the bug
can just be closed once upstream rebases the JerryScript copy to the
version including the fix.
Marking it as unimportant in the security-tracker indicating it does
not affect at all the iotjs produced binary packages.
I do agree that there is no sense in backporting the related patch to
iotjs.
Regards,
Salvatore