|
Message-ID: <504ACB59-093F-4240-896A-3FEEA2F1CE78@redhat.com>
Date: Wed, 03 Sep 2014 10:40:00 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: Re: CVE request for nodejs/v8
On 09/03/2014, at 10:32 AM, Vincent Danen wrote:
> I don't see a CVE mentioned for this issue anywhere. Can one be assigned if it has not already been?
>
> Described on the nodejs blog as:
>
> A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.
>
> This issue was identified by Tom Steele of ^Lift Security and Fedor Indunty, Node.js Core Team member worked closely with the V8 team to find our resolution.
>
>
> https://codereview.chromium.org/339883002
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
> https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
> https://bugzilla.redhat.com/show_bug.cgi?id=1125464
Sorry, just realized that Tomas asked the same question a few hours ago:
"CVE request: V8 Memory Corruption and Stack Overflow"
They're the same thing.
--
Vincent Danen / Red Hat Product Security
Download attachment "signature.asc" of type "application/pgp-signature" (711 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.