Bug 937416 (CVE-2015-5380) - VUL-0: CVE-2015-5380: v8: out of band write in utf-8 decoder
Status: RESOLVED FIXED
Alias: CVE-2015-5380
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Assignee: Forgotten User sM9JzehKpy
QA Contact: Security Team bot
Reported: 2015-07-08 15:56 UTC by Andreas Stieger
Modified: 2017-08-10 13:07 UTC
Found By: Security Response Team

Description Andreas Stieger 2015-07-08 15:56:47 UTC
+++ This bug was initially created as a clone of Bug #937414 +++

via oss-sec http://seclists.org/oss-sec/2015/q3/29

> Node has resolved a security vulnerability in their most recent release
> but do not appear to have requested a CVE ID.
> 
> http://blog.nodejs.org/2015/07/03/node-v0-12-6-stable/
> 
> Node v0.12.6 (Stable)
> Sat, 04 Jul 2015 02:34:23 UTC - release
> 
> This release of Node.js fixes a bug that triggers an out-of-band write
> in V8's utf-8 decoder. This bug impacts all Buffer to String
> conversions. This is an important security update as this bug can be
> used to cause a denial of service attack.

This should be the corresponding fix (plus testcases) on upstream v8:
https://chromium.googlesource.com/v8/v8.git/+/b199bcdd47ae97ec116b430e34ab42001c8f04c0%5E!/#F2
Comment 1 Swamp Workflow Management 2015-07-08 22:00:23 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-07-09 11:44:25 UTC
CVE assigned http://seclists.org/oss-sec/2015/q3/72
Comment 3 Johannes Segitz 2017-08-10 13:07:13 UTC
fixed in current Leaps