oss-sec mailing list archives
Re: node.js out of band write
From: Luca Bruno <lucab () debian org>
Date: Tue, 07 Jul 2015 10:11:02 +0200
On Monday 06 July 2015 09:34:24 Florian Weimer wrote:
This release of Node.js fixes a bug that triggers an out-of-band write in V8's utf-8 decoder. This bug impacts all Buffer to String conversions. This is an important security update as this bug can be used to cause a denial of service attack.I have trouble reconciling this description with the fix in this commit: <https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6f df6> Upstream v8 lacks this change. Is it required in Node.js because Node.js pokes at v8 internals in unsupported ways?
This should be the corresponding fix (plus testcases) on upstream v8: https://chromium.googlesource.com/v8/v8.git/+/b199bcdd47ae97ec116b430e34ab42001c8f04c0%5E!/#F2 Cheers, Luca -- .''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso) : :' : The Universal O.S. | lucab (AT) debian.org `. `'` | GPG Key ID: 0xBB1A3A854F3BBEBF `- http://www.debian.org | Debian GNU/Linux Developer
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- node.js out of band write Mark Felder (Jul 05)
- Re: node.js out of band write Florian Weimer (Jul 06)
- Re: node.js out of band write Mark Felder (Jul 06)
- Re: node.js out of band write Luca Bruno (Jul 07)
- Re: node.js out of band write cve-assign (Jul 09)
- Re: node.js out of band write Florian Weimer (Jul 06)