Janet-lang Janet Heap-Based Buffer Overflow Vulnerability in Handleattr Handler

Vulnerability

A heap-based buffer overflow vulnerability has been identified in Janet-lang's Janet programming language, specifically in versions through 1.40.1. The issue arises in the handleattr function within the janetc_varset method, located in src/core/specials.c. This vulnerability leads to an out-of-bounds read, where the program accesses memory beyond the allocated buffer, causing a heap-buffer-overflow. The problem occurs during the compilation phase when the function processes definition attributes. The vulnerability can be exploited locally, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a heap-buffer-overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building Janet with release optimization and AddressSanitizer (ASan) enabled. After compiling Janet, the vulnerability can be triggered by running the Janet compiler with a specific input file that exploits the buffer overflow in the handleattr function. This can be done using a C program that loads the Janet file and passes it to the Janet compiler, simulating the compilation process that triggers the vulnerability.

Remediation

Users are advised to upgrade to Janet version 1.41.0 or later, where this vulnerability has been fixed.
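
A version check for the remediation above, as an added example that is not part of the original advisory or the Janet project: it classifies a Janet version string against the 1.41.0 fix boundary and reads the local install with `janet -v`. The prefix and build-suffix shapes it strips (such as `v` or `-local`) and the sample version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the Janet project.
FIXED_VERSION="1.41.0"   # first fixed release per the Remediation section

# Reduce strings like "v1.40.1-local" to "1.40.1".
# The prefix/suffix shapes handled here are assumptions about version output.
janet_core_version() {
    printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//'
}

# version_lt A B: exit 0 when A < B, comparing each dotted component
# numerically (so 1.9.0 < 1.41.0, which a string comparison gets wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "affected", "fixed" or "unknown" for one version string.
# Anything below FIXED_VERSION is reported as affected (conservative).
janet_status() {
    core=$(janet_core_version "$1")
    case $core in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$core" "$FIXED_VERSION"; then echo affected; else echo fixed; fi
}

# Check the interpreter on PATH, if there is one.
check_installed() {
    command -v janet >/dev/null 2>&1 || { echo not-installed; return 0; }
    janet_status "$(janet -v 2>/dev/null)"
}

# Constructed sample inventory, followed by the local install.
for v in 1.40.1 1.40.1-local v1.9.0 1.41.0 1.41.0-4e5889ed; do
    printf '%s\t%s\n' "$v" "$(janet_status "$v")"
done
printf 'installed\t%s\n' "$(check_installed)"
```

Applications that embed Janet as a library carry their own copy of the compiler, so the version they were built against needs the same check as the interpreter on PATH.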

Added: Feb 21, 2026, 3:35 PM
Updated: Feb 21, 2026, 3:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.