Date: Tue, 07 Jul 2015 10:11:02 +0200 From: Luca Bruno <lucab@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: node.js out of band write On Monday 06 July 2015 09:34:24 Florian Weimer wrote: > > This release of Node.js fixes a bug that triggers an out-of-band write > > in V8's utf-8 decoder. This bug impacts all Buffer to String > > conversions. This is an important security update as this bug can be > > used to cause a denial of service attack. > > I have trouble reconciling this description with the fix in this commit: > > <https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6f > df6> > > Upstream v8 lacks this change. Is it required in Node.js because > Node.js pokes at v8 internals in unsupported ways? This should be the corresponding fix (plus testcases) on upstream v8: https://chromium.googlesource.com/v8/v8.git/+/b199bcdd47ae97ec116b430e34ab42001c8f04c0%5E!/#F2 Cheers, Luca -- .''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso) : :' : The Universal O.S. | lucab (AT) debian.org `. `'` | GPG Key ID: 0xBB1A3A854F3BBEBF `- http://www.debian.org | Debian GNU/Linux Developer Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ