Bug#969348: buster-pu: package node-bl/1.1.2-1+deb10u1

To: Xavier Guimard <yadd@debian.org>, 969348@bugs.debian.org
Subject: Bug#969348: buster-pu: package node-bl/1.1.2-1+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 19 Sep 2020 14:55:41 +0100
Message-id: <[🔎] 938e82c6a93c55ee3d392fe709627407934edbd8.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 969348@bugs.debian.org
In-reply-to: <159890099810.183974.9792477676824955070.reportbug@deb007.xnr.fr>
References: <159890099810.183974.9792477676824955070.reportbug@deb007.xnr.fr> <159890099810.183974.9792477676824955070.reportbug@deb007.xnr.fr>

Control: tags -1 + confirmed

On Mon, 2020-08-31 at 21:09 +0200, Xavier Guimard wrote:
> node-bl is vunerable to CVE-2020-8244 (#969309): A buffer over-read
> vulnerability exists which could allow an attacker to supply user
> input (even typed) that if it ends up in consume() argument and can
> become negative, the BufferList state can be corrupted, tricking it
> into exposing uninitialized memory via regular .slice() calls.
> 

Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#970569: buster-pu: package pyzmq/17.1.2-2+deb10u1
Next by Date: Bug#969366: buster-pu: package node-url-parse/1.2.0-2+deb10u1
Previous by thread: Uploading linux (5.8.10-1)
Next by thread: Processed: Re: Bug#969348: buster-pu: package node-bl/1.1.2-1+deb10u1
Index(es):
- Date
- Thread