[Pkg-javascript-devel] Bug#773623: nodejs: CVE-2014-7192
Jérémy Lal
kapouer at melix.org
Sun Dec 21 21:36:55 UTC 2014
reassign 773623 libv8-3.14
thanks
Le dimanche 21 décembre 2014 à 12:43 -0500, Michael Gilbert a écrit :
> On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> > Le samedi 20 décembre 2014 à 22:07 -0500, Michael Gilbert a écrit :
> >> package: src:nodejs
> >> CVE-2014-7192[0],[1]:
> >> | Eval injection vulnerability in index.js in the syntax-error package
> >> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
> >> | Developer and other products, allows remote attackers to execute
> >> | arbitrary code via a crafted file.
> >
> > This doesn't affect nodejs, but the "syntax-error" module, a dependency
> > of browserify - both not packaged in debian.
> >
> > Cannot reassign, then. Maybe close ?
>
> The advisories seem to indicate that the origin of the flaw lies
> within nodejs, not the libraries using it. That may be right or
> wrong, but it should be checked.
Right, two hours of skimming through v8 issues later, here is a proper
report of the issue with a link to the patch fixing it.
https://code.google.com/p/v8/issues/detail?id=2470
I confirm the issue is real, reproducible in v8-3.14, and serious (since
it is so easy to reproduce).
Side note: any javascript code using "eval" directly, or indirectly
through Function(str), in nodejs, in browser, whereever, will have
security issues today or tomorrow... there are several developers still
using eval for checking syntax errors and it is wrong.
Jérémy.
More information about the Pkg-javascript-devel
mailing list