Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 03 Sep 2014 10:40:00 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: Re: CVE request for nodejs/v8

On 09/03/2014, at 10:32 AM, Vincent Danen wrote:

> I don't see a CVE mentioned for this issue anywhere.  Can one be assigned if it has not already been?
>
> Described on the nodejs blog as:
>
> A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.
>
> This issue was identified by Tom Steele of ^Lift Security and Fedor Indunty, Node.js Core Team member worked closely with the V8 team to find our resolution.
>
>
> https://codereview.chromium.org/339883002
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
> https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
> https://bugzilla.redhat.com/show_bug.cgi?id=1125464

Sorry, just realized that Tomas asked the same question a few hours ago:

"CVE request: V8 Memory Corruption and Stack Overflow"

They're the same thing.

-- 
Vincent Danen / Red Hat Product Security

Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ