Bug 665656 (CVE-2018-12115) - <net-libs/nodejs-{6.14.4,8.12.0}: out-of-bounds (OOB) write (CVE-2018-12115)
Summary: <net-libs/nodejs-{6.14.4,8.12.0}: out-of-bounds (OOB) write (CVE-2018-12115)
Status: RESOLVED FIXED
Alias: CVE-2018-12115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: CVE-2019-15604, CVE-2019-15605, CVE-2019-15606
Blocks:
Reported: 2018-09-10 19:52 UTC by Mike Gilbert
Modified: 2020-03-20 19:23 UTC

See Also:
Package list:
=net-libs/nodejs-6.14.4 =net-libs/nodejs-8.12.0 =net-libs/http-parser-2.8.1
Runtime testing required: ---
stable-bot: sanity-check+


Description Mike Gilbert gentoo-dev 2018-09-10 19:52:21 UTC
From the security release blog:

Out of bounds (OOB) write (CVE-2018-12115)
All actively supported release lines of Node.js are impacted by this flaw.

Node.js TSC member Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR) discovered an OOB write in Buffer that can be used to write to memory outside of a Buffer's memory space. This can corrupt unrelated Buffer objects or cause the Node.js process to crash.

When used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.

Impact:

All previous versions of Node.js 6.x (LTS "Boron") are vulnerable
All previous versions of Node.js 8.x (LTS "Carbon") are vulnerable
All previous versions of Node.js 10.x (Current) are vulnerable
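
A regression check for the behaviour described above, added here as an example; it is not part of the bug report or of the Node.js project. The function names `probeWrite` and `checkUcs2WriteBounds` and the canary layout are assumptions chosen for illustration. It confirms that a deployed runtime bounds UCS-2 writes at every start offset and leaves the bytes behind the buffer untouched.

```javascript
'use strict';

const GUARD = 8;     // canary bytes placed directly behind the buffer under test
const CANARY = 0xaa; // constructed marker value

// Write `text` as UCS-2 into an n-byte Buffer at `offset`. The Buffer is a view
// over the front of an ArrayBuffer whose tail holds canary bytes, so any write
// past the end of the view is observable without relying on pool adjacency.
function probeWrite(n, offset, text) {
  const backing = new ArrayBuffer(n + GUARD);
  const target = Buffer.from(backing, 0, n).fill(0);
  const guard = Buffer.from(backing, n, GUARD).fill(CANARY);
  const written = target.write(text, offset, 'ucs2');
  const room = n - offset;
  return {
    n,
    offset,
    written,
    // A correct runtime writes only whole 16-bit units that fit in `room`.
    lengthOk: written === Math.min(room - (room % 2), text.length * 2),
    guardOk: guard.every((b) => b === CANARY),
  };
}

// Sweep small buffer sizes and every start offset, including the positions
// near the end of the buffer that the advisory text singles out.
function checkUcs2WriteBounds(maxSize = 16) {
  const failures = [];
  const text = '\u044b'.repeat(maxSize); // constructed input, longer than any room left
  for (let n = 2; n <= maxSize; n++) {
    for (let offset = 0; offset < n; offset++) {
      const r = probeWrite(n, offset, text);
      if (!r.lengthOk || !r.guardOk) failures.push(r);
    }
  }
  return failures;
}

const failures = checkUcs2WriteBounds();
console.log(process.version, failures.length === 0 ? 'UCS-2 writes bounded' : failures);
if (failures.length > 0) process.exitCode = 1;
```

An empty failure list means every write stayed inside its buffer; any entry lists the buffer size and offset at which the reported length or the canary check failed.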
Comment 1 Mike Gilbert gentoo-dev 2018-09-11 14:08:04 UTC
Let's go ahead and stabilize 6.14.4 and 8.11.4.
Comment 2 Stabilization helper bot gentoo-dev 2018-09-11 15:03:52 UTC
An automated check of this bug failed - repoman reported dependency errors (626 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=net-libs/http-parser-2.7.0:=']
> dependency.bad net-libs/nodejs/nodejs-6.14.4.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.7.0:=']
Comment 3 Stabilization helper bot gentoo-dev 2018-09-11 16:02:30 UTC
An automated check of this bug failed - repoman reported dependency errors (254 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/nghttp2-1.32.0']
> dependency.bad net-libs/nodejs/nodejs-8.12.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/nghttp2-1.32.0']
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-12 20:48:49 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2018-09-14 09:40:51 UTC
amd64 stable
Comment 6 Matt Turner gentoo-dev 2018-09-17 18:34:01 UTC
ppc/ppc64 stable. I dropped keywords on older versions of nodejs including version 6 since it fails tests and doesn't seem to be required for anything.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-17 15:28:31 UTC
arm stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 23:38:16 UTC
Tree is clean.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 04:43:08 UTC
Added to an existing GLSA Request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:21:47 UTC
This issue was resolved and addressed in GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:23:11 UTC
Superseded by bug 708458.