Date: Tue, 07 Jul 2015 10:11:02 +0200
From: Luca Bruno <>
Subject: Re: node.js out of band write

On Monday 06 July 2015 09:34:24 Florian Weimer wrote:

> > This release of Node.js fixes a bug that triggers an out-of-band write
> > in V8's utf-8 decoder. This bug impacts all Buffer to String
> > conversions. This is an important security update as this bug can be
> > used to cause a denial of service attack.
> I have trouble reconciling this description with the fix in this commit:
> <
> df6>
> Upstream v8 lacks this change.  Is it required in Node.js because
> Node.js pokes at v8 internals in unsupported ways?

This should be the corresponding fix (plus testcases) on upstream v8:!/#F2

Cheers, Luca

 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT)
`. `'`                          | GPG Key ID: 0xBB1A3A854F3BBEBF
  `- 	| Debian GNU/Linux Developer
