Bug 895262 (CVE-2014-5256) - VUL-0: CVE-2014-5256: v8: nodejs: Memory Corruption and Stack Overflow
Summary: VUL-0: CVE-2014-5256: v8: nodejs: Memory Corruption and Stack Overflow
Status: RESOLVED FIXED
Alias: CVE-2014-5256
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Major
Target Milestone: ---
Assignee: Marguerite Su
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/105563/
Whiteboard: CVSSv2:NVD:CVE-2014-5256:5.0:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-05 08:26 UTC by Marcus Meissner
Modified: 2016-04-27 19:07 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-09-05 08:26:09 UTC
via oss-sec

Described on the nodejs blog as:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of ^Lift Security and Fedor Indutny, Node.js Core Team member worked closely with the V8 team to find our resolution.

http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
is CVE-2014-5256.

https://codereview.chromium.org/339883002
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356
https://bugzilla.redhat.com/show_bug.cgi?id=1125464
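
An added example, not taken from the Node.js blog post or from this bug: a pre-parse guard that rejects JSON whose nesting exceeds a bound, which limits the deeply nested `JSON.parse` workload the description names. `MAX_DEPTH`, `jsonNestingDepth` and `parseBounded` are hypothetical names and the inputs are constructed; the fix referenced in this bug is still the update to a fixed Node.js release.

```javascript
// Added example: bound JSON nesting depth before handing input to JSON.parse.
// MAX_DEPTH and both function names are assumptions chosen for illustration.
const MAX_DEPTH = 64;

// Returns the maximum nesting depth of objects/arrays in `text`.
// Stops early (returning limit + 1) as soon as `limit` is exceeded.
// Brackets inside string literals are ignored, including after escapes.
function jsonNestingDepth(text, limit = Infinity) {
  let depth = 0;
  let max = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > max) max = depth;
      if (max > limit) return max;          // early exit, rest is not scanned
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return max;
}

// Parses `text` only if its nesting stays within `maxDepth`;
// over-deep input is rejected before JSON.parse ever sees it.
function parseBounded(text, maxDepth = MAX_DEPTH) {
  if (typeof text !== 'string') throw new TypeError('expected a JSON string');
  if (jsonNestingDepth(text, maxDepth) > maxDepth) {
    throw new RangeError(`JSON nesting depth exceeds ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Constructed sample inputs: one shallow document with brackets inside a
// string value, and one pathologically deep array.
const shallow = '{"user":{"tags":["a","b"]},"note":"brackets [[[{ in a string \\" ]"}';
const deep = '['.repeat(100000) + ']'.repeat(100000);
```

The scan is iterative, so the check itself adds no recursion regardless of how deep the input is.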
Comment 1 SMASH SMASH 2014-09-05 11:10:13 UTC
Affected packages:

SLE-11-SP2-PRODUCTS: nodejs, v8
SLE-11-SP3: nodejs, v8
SLE-11-SP3-PRODUCTS: nodejs, v8
SLE-11-SP3-UPTU: nodejs, v8
Comment 2 Swamp Workflow Management 2014-09-05 22:00:13 UTC
bugbot adjusting priority
Comment 3 Forgotten User sM9JzehKpy 2014-09-07 13:14:52 UTC
Reassigning this to the maintainer of NodeJS.  As discussed some time ago, NodeJS is shipping with an internal V8 source and therefore would require a separate update. 

According to OBS the maintainer of NodeJS is Gregory Haskins (gregory.haskins@gmail.com), but he seems not to be known to bugzilla.  Resetting assignee therefore to default and copying Gregory on the bug. Which also doesn't work.
Comment 4 Marcus Meissner 2014-09-08 08:20:22 UTC
Marguerite Su has updated nodejs the last times, perhaps she can help.
Comment 5 Marguerite Su 2014-09-09 14:14:43 UTC
hi, which targets are we talking about?

I visited that blog, and its title is now "fixed in Node v0.8.28 and v0.10.30".

in devel:languages:nodejs, we have 0.10.31.

Marguerite
Comment 6 Andreas Stieger 2015-04-29 11:29:13 UTC
(In reply to Marguerite Su from comment #5)
> hi, which targets are we talking about?
> 
> I visited that blog, and its title is now "fixed in Node v0.8.28 and
> v0.10.30".
> 
> in devel:languages:nodejs, we have 0.10.31.

openSUSE 13.1 has 0.10.5.
Comment 7 Swamp Workflow Management 2015-09-24 07:10:23 UTC
openSUSE-OU-2015:1624-1: An update that fixes two vulnerabilities is now available.

Category: optional (low)
Bug References: 895262
CVE References: CVE-2013-4450,CVE-2014-5256
Sources used:
openSUSE 13.2 (src):    nodejs-4.0.0-2.3.1
openSUSE 13.1 (src):    nodejs-4.0.0-3.7.1
Comment 8 Vincent Untz 2015-10-16 23:36:44 UTC
Seems like an update got released, should this be closed, or is there anything else to do?
Comment 9 Marguerite Su 2015-10-17 13:47:09 UTC
yes, closed