oss-sec mailing list archives
Re: node.js out of band write
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 06 Jul 2015 09:34:24 +0200
On 07/06/2015 01:51 AM, Mark Felder wrote:
Node has resolved a security vulnerability in their most recent release but do not appear to have requested a CVE ID. http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/ Node v0.12.6 (Stable) Sat, 04 Jul 2015 02:34:23 UTC - release This release of Node.js fixes a bug that triggers an out-of-band write in V8's utf-8 decoder. This bug impacts all Buffer to String conversions. This is an important security update as this bug can be used to cause a denial of service attack.
I have trouble reconciling this description with the fix in this commit: <https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6> Upstream v8 lacks this change. Is it required in Node.js because Node.js pokes at v8 internals in unsupported ways? -- Florian Weimer / Red Hat Product Security
Current thread:
- node.js out of band write Mark Felder (Jul 05)
- Re: node.js out of band write Florian Weimer (Jul 06)
- Re: node.js out of band write Mark Felder (Jul 06)
- Re: node.js out of band write Luca Bruno (Jul 07)
- Re: node.js out of band write cve-assign (Jul 09)
- Re: node.js out of band write Florian Weimer (Jul 06)