http://seclists.org/oss-sec/2017/q1/76

    1. Null pointer dereference in regexp.c

        The return value from malloc is not properly checked before
    dereferencing it which can result in a crash.

    https://bugs.ghostscript.com/show_bug.cgi?id=697381
   
http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569


Use CVE-2016-10132 for all of
fd003eceda531e13fbdd1aeb6e9c73156496e569.


    2. Heap buffer overflow write in jsrun.c: js_stackoverflow()

        There was a logical error in the code which can be used to trigger a
    heap overflow write.

    https://bugs.ghostscript.com/show_bug.cgi?id=697401
   
http://git.ghostscript.com/?p=mujs.git;a=commit;h=77ab465f1c394bb77f00966cd950650f3f53cb24


3. Integer overflow in the regemit function - CVE-2016-10141

An integer overflow vulnerability was observed in the regemit function
in regexp.c in Artifex Software, Inc. MuJS before
fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular
expression with nested repetition. A successful exploitation of this
issue can lead to code execution or a denial of service (buffer
overflow) condition.

Upstream bug:

https://bugs.ghostscript.com/show_bug.cgi?id=697448

Upstream patch:

http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1412967
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10141
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10132
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10133
http://seclists.org/oss-sec/2017/q1/76
https://bugs.ghostscript.com/show_bug.cgi?id=697448
http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045