Re: node.js out of band write

[Mark Felder <feld () feld me>]

On Mon, Jul 6, 2015, at 02:34, Florian Weimer wrote:
> On 07/06/2015 01:51 AM, Mark Felder wrote:
> > Node has resolved a security vulnerability in their most recent release
> > but do not appear to have requested a CVE ID.
> >
> > http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
> >
> > Node v0.12.6 (Stable)
> > Sat, 04 Jul 2015 02:34:23 UTC - release
> >
> > This release of Node.js fixes a bug that triggers an out-of-band write
> > in V8's utf-8 decoder. This bug impacts all Buffer to String
> > conversions. This is an important security update as this bug can be
> > used to cause a denial of service attack.
>
> I have trouble reconciling this description with the fix in this commit:
>
> <https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6>
>
> Upstream v8 lacks this change.  Is it required in Node.js because
> Node.js pokes at v8 internals in unsupported ways?

I'm not sure; I'm not very familiar with node. I became aware as it was
reported to the FreeBSD Ports Security team. I've also recently been
made aware that the same vulnerability exists in io.js

https://github.com/nodejs/io.js