[Pkg-javascript-devel] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure
Bastien ROUCARIÈS
roucaries.bastien+debian at gmail.com
Sat May 27 14:51:52 UTC 2017
Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

Overview

concat-stream is a writable stream that concatenates strings or binary data and
calls a callback with the result. Affected versions of the package are
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number
is provided to the stringConcat() method and results in concatenation of
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure
default constructor increases the odds of memory leakage.
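
The pattern described in the report, next to a hardened form, as an added example that is not part of the original message and is not concat-stream's own code. The function names are hypothetical, and Buffer.allocUnsafe() is used as an assumed stand-in for the legacy Buffer(number) behaviour so the example behaves the same on current Node.js.

```javascript
// Added illustration; function names are hypothetical, not concat-stream's code.

// Stand-in for the legacy constructor: before Node.js 8, Buffer(n) called with
// a number returned n bytes of uninitialized memory. Buffer.allocUnsafe(n)
// reproduces that on current Node.js without the deprecated call.
function legacyBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Vulnerable pattern: every non-string chunk is handed to the constructor,
// so a numeric chunk N turns into N bytes of whatever was in memory.
function concatUnsafe(parts) {
  const bufs = parts.map((p) => {
    if (typeof p === 'string') return Buffer.from(p);
    if (Buffer.isBuffer(p)) return p;
    return legacyBuffer(p);
  });
  return Buffer.concat(bufs);
}

// Hardened pattern: only byte containers are copied as bytes; anything else
// (numbers included) is converted to its string form first.
function concatSafe(parts) {
  const bufs = parts.map((p) => {
    if (typeof p === 'string') return Buffer.from(p);
    if (Buffer.isBuffer(p)) return p;
    if (p instanceof Uint8Array || Array.isArray(p)) return Buffer.from(p);
    return Buffer.from(String(p));
  });
  return Buffer.concat(bufs);
}

// Constructed input: the middle chunk arrived as a number where the caller
// expected a string.
const sampleParts = ['id=', 64, ';'];
const unsafeOut = concatUnsafe(sampleParts);
const safeOut = concatSafe(sampleParts);

console.log('unsafe length:', unsafeOut.length);      // 3 + 64 + 1 bytes
console.log('safe output  :', safeOut.toString());    // the number as text
```

The length of the unsafe result shows the problem without dumping memory: 64 extra bytes of allocator contents are appended where the hardened version emits the two characters "64".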