[Pkg-javascript-devel] Bug#863481: Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

Ross Gammon rosco2 at ubuntu.com
Sat May 27 16:53:03 UTC 2017


Hi Bastien,

If you would like me to prepare an upload to unstable for this (&
unblock request), let me know. I have some time today & tomorrow - but
travelling with work next week. I have DM upload rights for it.

Only asking in case you are already working on it.

Cheers,

Ross

On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data and
> calls a callback with the result. Affected versions of the package are 
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type number 
> is provided to the stringConcat() method and results in concatenation of
> uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose insecure 
> default constructor increases the odds of memory leakage.
>
>
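
The pattern described in the quoted report, as an added example that is not part of the original messages and is not concat-stream's own code. The function names are hypothetical, and `Buffer.allocUnsafe` stands in for the old numeric `Buffer` constructor, which current Node.js releases zero-fill.

```javascript
// Added example: simplified stand-ins, not concat-stream's source.

// Models the old behaviour of Buffer(n) for a numeric argument:
// n bytes are allocated and NOT zeroed.
function legacyBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Vulnerable pattern: every chunk that is not already a Buffer goes straight
// to the constructor, so a number becomes that many bytes of stale memory.
function concatUnsafe(parts) {
  const bufs = parts.map((p) => (Buffer.isBuffer(p) ? p : legacyBuffer(p)));
  return Buffer.concat(bufs);
}

// Hardened pattern: accept only the chunk types a stream is expected to
// carry and build buffers with Buffer.from, which never treats its
// argument as a length to allocate.
function concatSafe(parts) {
  const bufs = parts.map((p) => {
    if (Buffer.isBuffer(p)) return p;
    if (typeof p === 'string') return Buffer.from(p, 'utf8');
    if (Array.isArray(p) || p instanceof Uint8Array) return Buffer.from(p);
    throw new TypeError('unsupported chunk type: ' + typeof p);
  });
  return Buffer.concat(bufs);
}

// Constructed input: a number arrives where a string was expected,
// for example from parsed JSON such as {"chunk": 64}.
const sampleParts = ['id=', 64];

// 3 bytes of real data followed by 64 bytes that were never written.
const leakedLength = concatUnsafe(sampleParts).length;

// The hardened version refuses the same input instead of allocating.
let rejected = false;
try {
  concatSafe(sampleParts);
} catch (err) {
  rejected = err instanceof TypeError;
}

console.log({ leakedLength, rejected });
```

Code that cannot drop the numeric case should use `Buffer.alloc(n)`, which always returns zero-filled memory.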
