CVE-2022-44789: 
NixOS vulnerability analysis and mitigation

A logical issue was discovered in O_getOwnPropertyDescriptor() function in Artifex MuJS versions 1.0.0 through 1.3.x before 1.3.2. The vulnerability was disclosed on November 23, 2022, and affects the MuJS JavaScript interpreter, which is designed for embedding in other software to extend them with scripting capabilities (NVD, Debian Security).

The vulnerability exists in the O_getOwnPropertyDescriptor() function where getOwnPropertyDescriptor should create the descriptor object by using [[DefineOwnProperty]], and not by looking through the prototype chain where it may invoke getters and setters on the Object.prototype. If there exists an Object.prototype.get property with a setter, that method is invoked when it shouldn't. A malicious getter can delete the property currently being processed in getOwnPropertyDescriptor, leading to a use-after-free bug (GitHub Commit).

The vulnerability allows an attacker to achieve Remote Code Execution through memory corruption by loading a crafted JavaScript file. This can lead to potential execution of arbitrary code and compromise of the affected system (Public Reference).

The vulnerability has been fixed in MuJS version 1.3.2. The fix involves using jsdefproperty rather than jssetproperty to define own properties in getOwnPropertyDescriptor and related functions. Various Linux distributions have also released security updates to address this vulnerability, including Debian (version 1.1.0-1+deb11u2) and Fedora 37 (version 1.3.2-1.fc37) (Debian Security, Fedora Update).