Date: Wed, 03 Sep 2014 10:40:00 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: Re: CVE request for nodejs/v8

On 09/03/2014, at 10:32 AM, Vincent Danen wrote:

> I don't see a CVE mentioned for this issue anywhere. Can one be assigned if it has not already been?
>
> Described on the nodejs blog as:
>
> A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.
>
> This issue was identified by Tom Steele of ^Lift Security and Fedor Indunty, Node.js Core Team member worked closely with the V8 team to find our resolution.
>
>
> https://codereview.chromium.org/339883002
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
> https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
> https://bugzilla.redhat.com/show_bug.cgi?id=1125464

Sorry, just realized that Tomas asked the same question a few hours ago: "CVE request: V8 Memory Corruption and Stack Overflow"

They're the same thing.

--
Vincent Danen / Red Hat Product Security

Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)