Bug 987919 (CVE-2016-1669) - VUL-0: CVE-2016-1669: v8,nodejs: Buffer overflow in V8
Summary: VUL-0: CVE-2016-1669: v8,nodejs: Buffer overflow in V8
Status: RESOLVED FIXED
Alias: CVE-2016-1669
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-06 18:13 UTC by Jordi Massaguer
Modified: 2017-09-18 15:48 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jordi Massaguer 2016-07-06 18:13:20 UTC
Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution.

Although this bug is marked as high severity in the corresponding Chromium release (50.0.2661.102), our assessment is that this is low severity for Node.js users due to the level of difficulty in making use of this vulnerability. However, users are encouraged to upgrade their Node.js installation to ensure they are properly protected.

    Node.js v6 (Current) is not affected as of v6.2.0 due to an update to V8 5.0.71.47; versions prior to v6.2.0 are affected
    Node.js v5 is affected
    Node.js v4 (LTS "Argon") is affected
    Node.js v0.12 (Maintenance) is affected
    Node.js v0.10 (Maintenance) is affected
Comment 1 Jordi Massaguer 2016-07-06 18:16:30 UTC
Portus is not affected since it uses v8 for building but it is not a runtime dependency.
Comment 2 Jordi Massaguer 2016-07-06 18:16:50 UTC
Be aware that v8 can be included in the nodejs package.
Comment 3 Marcus Meissner 2016-07-08 07:40:32 UTC
(maintainer unclear)
Comment 4 Adam Majer 2016-07-08 08:54:14 UTC
For NodeJS, this is already fixed in Factory (6.2.2) and pending FATE package (v4.4.7).

I'll prepare a maintenance request for Leap 42.1 and 13.2 since this is a mostly trivial patch (it's a signed overflow)
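The description and Comment 4 characterise the defect as a signed overflow in the size arithmetic used when a zone allocation is grown. The following is an added illustration, not V8's code: the Zone/Segment types, grow_size_signed, grow_size_checked and zone_new are a hypothetical model of the bug class, showing the flawed signed growth computation beside a checked size_t version that refuses to hand back an undersized segment.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal zone (bump) allocator model: bytes are carved from the front of the
 * current segment, and a new, larger segment is pushed when a request does not
 * fit.  Hypothetical illustration of the bug class, not V8's Zone::New. */
typedef struct Segment {
    struct Segment *next;
    size_t capacity, used;
    unsigned char data[];
} Segment;

typedef struct { Segment *head; size_t limit; } Zone;

/* Flawed growth arithmetic: 32-bit signed sizes.  Emulated with unsigned wrap
 * so the result is deterministic (signed overflow is undefined in C).  A large
 * request wraps to a small or negative value, so the segment allocated from it
 * is undersized and the caller's write runs past its end. */
int grow_size_signed(int capacity, int requested) {
    return (int)((uint32_t)capacity + (uint32_t)requested);
}

/* Hardened arithmetic: size_t with an explicit overflow check and a ceiling. */
bool grow_size_checked(size_t capacity, size_t requested, size_t limit,
                       size_t *out) {
    if (requested > limit || capacity > limit - requested) return false;
    *out = capacity + requested;
    return true;
}

/* Allocate `size` bytes from the zone, growing it when needed; NULL on failure. */
void *zone_new(Zone *z, size_t size) {
    Segment *s = z->head;
    if (s == NULL || size > s->capacity - s->used) {
        size_t new_cap, old_cap = s ? s->capacity : 0;
        if (!grow_size_checked(old_cap, size, z->limit, &new_cap)) return NULL;
        if (new_cap > SIZE_MAX - sizeof(Segment)) return NULL; /* header room */
        Segment *n = malloc(sizeof(Segment) + new_cap);
        if (n == NULL) return NULL;
        n->next = s; n->capacity = new_cap; n->used = 0;
        z->head = s = n;
    }
    void *p = s->data + s->used;
    s->used += size;
    return p;
}

/* Release every segment; zone memory is only ever freed as a whole. */
void zone_free(Zone *z) {
    while (z->head) { Segment *n = z->head->next; free(z->head); z->head = n; }
}
```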
Comment 6 Bernhard Wiedemann 2016-07-08 10:01:10 UTC
This is an autogenerated message for OBS integration:
This bug (987919) was mentioned in
https://build.opensuse.org/request/show/407248 13.2+42.1 / nodejs
Comment 7 Swamp Workflow Management 2016-07-08 22:00:16 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2016-07-20 10:22:25 UTC
openSUSE-SU-2016:1834-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 987919
CVE References: CVE-2016-1669
Sources used:
openSUSE Leap 42.1 (src):    nodejs-4.4.5-30.2
openSUSE 13.2 (src):    nodejs-4.4.5-21.1
Comment 9 Karl Cheng 2017-09-18 02:56:51 UTC
This has been long fixed in Node.js on supported openSUSE versions.

The "v8" packages in Leap 42.2/42.3 are unaffected, since it was already fixed upstream [1].

[1]: https://chromium.googlesource.com/v8/v8/+log/5.3.171/src/zone.cc
Comment 10 Marcus Meissner 2017-09-18 15:48:52 UTC
Then close.