Re: CVE request for nodejs/v8

["Vincent Danen" <vdanen () redhat com>]

On 09/03/2014, at 10:32 AM, Vincent Danen wrote:

> I don't see a CVE mentioned for this issue anywhere.  Can one be assigned if it has not already been?
>
> Described on the nodejs blog as:
>
> A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that 
> ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a 
> GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work 
> load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the 
> process aborting while parsing.
>
> This issue was identified by Tom Steele of ^Lift Security and Fedor Indunty, Node.js Core Team member worked closely 
> with the V8 team to find our resolution.
>
>
> https://codereview.chromium.org/339883002
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
> https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
> https://bugzilla.redhat.com/show_bug.cgi?id=1125464

Sorry, just realized that Tomas asked the same question a few hours ago:

"CVE request: V8 Memory Corruption and Stack Overflow"

They're the same thing.

-- 
Vincent Danen / Red Hat Product Security

Attachment: signature.asc
Description: OpenPGP digital signature