Bug 658074 (CVE-2018-7161, CVE-2018-7162, CVE-2018-7164, CVE-2018-7167) - <net-libs/nodejs-{6.14.4,8.12.0}: multiple vulnerabilities (CVE-2018-{7161,7162,7164,7167})
Summary: <net-libs/nodejs-{6.14.4,8.12.0}: multiple vulnerabilities (CVE-2018-{7161,71...
Status: RESOLVED FIXED
Alias: CVE-2018-7161, CVE-2018-7162, CVE-2018-7164, CVE-2018-7167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: CVE-2019-15604, CVE-2019-15605, CVE-2019-15606
Blocks:
Reported: 2018-06-13 22:24 UTC by Florian Schuhmacher
Modified: 2020-03-20 19:23 UTC
See Also:
Package list:
Runtime testing required: ---
Description Florian Schuhmacher 2018-06-13 22:24:27 UTC
A flaw was found in Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x. Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service.


Gentoo Security Scout
Florian Schuhmacher
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2018-09-15 14:10:48 UTC
CVE-2018-7167 (https://nvd.nist.gov/vuln/detail/CVE-2018-7167):
  Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a
  hang which could result in a Denial of Service. In order to address this
  vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were
  updated so that they zero fill instead of hanging in these cases. All
  versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are
  vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.

CVE-2018-7164 (https://nvd.nist.gov/vuln/detail/CVE-2018-7164):
  Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is
  MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading
  from the network into JavaScript using the net.Socket object directly as a
  stream. An attacker could use this to cause a denial of service by sending tiny
  chunks of data in short succession. This vulnerability was restored by
  reverting to the prior behaviour.

CVE-2018-7162 (https://nvd.nist.gov/vuln/detail/CVE-2018-7162):
  All versions of Node.js 9.x and 10.x are vulnerable and the severity is
  HIGH. An attacker can cause a denial of service (DoS) by causing a node
  process which provides an http server supporting TLS server to crash. This
  can be accomplished by sending duplicate/unexpected messages during the
  handshake. This vulnerability has been addressed by updating the TLS
  implementation.

CVE-2018-7161 (https://nvd.nist.gov/vuln/detail/CVE-2018-7161):
  All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity
  is HIGH. An attacker can cause a denial of service (DoS) by causing a node
  server providing an http2 server to crash. This can be accomplished by
  interacting with the http2 server in a manner that triggers a cleanup bug
  where objects are used in native code after they are no longer available.
  This has been addressed by updating the http2 implementation.
Comment 2 Thomas Stein 2018-12-17 07:51:28 UTC
Hi Devs.

There are already even more security releases available.

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
Comment 3 Sam James gentoo-dev Security 2020-03-19 23:40:33 UTC
Tree is clean for original bug.

(In reply to Thomas Stein from comment #2)
> Hi Devs.
> 
> There are already even more security releases available.
> 
> https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

See bug 679132, which supersedes this.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-20 18:54:13 UTC
Added to an existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:21:40 UTC
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-03-20 19:23:39 UTC
Superseded by bug 708458.