[Secure-testing-team] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure
Bastien ROUCARIÈS
roucaries.bastien+debian at gmail.com
Sat May 27 14:51:52 UTC 2017
Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
Overview
concat-stream is writable stream that concatenates strings or binary data and
calls a callback with the result. Affected versions of the package are
vulnerable to Uninitialized Memory Exposure.
A possible memory disclosure vulnerability exists when a value of type number
is provided to the stringConcat() method and results in concatination of
uninitialized memory to the stream collection.
This is a result of unobstructed use of the Buffer constructor, whose insecure
default constructor increases the odds of memory leakage.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20170527/274b11ad/attachment.sig>
More information about the Secure-testing-team
mailing list