user/node: multiple vulnerabilities
| Bugzilla ID | 300 |
| Alias(es) | CVE-2020-7598, CVE-2020-8174 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-06-09 19:23:03 -0500 |
| Modified | 2020-06-16 16:00:04 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nodejs.org/en/blog/vulnerability/june-2020-security-releases |
| See also |
https://bts.adelielinux.org/show_bug.cgi?id=299 https://bts.adelielinux.org/show_bug.cgi?id=306 |
Description
CVE-2020-8174
Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(),
or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of
0 will cause the entire string value to be written to buf, probably
overrunning the length of the buffer.
Fixed in >= 10.21.0
See #299 (closed) for CVE-2020-11080.
CVE-2020-8172 does not apply to 10.x.
CVE-2020-10531 does not apply, already fixed in system/icu
https://code.foxkit.us/adelie/packages/commit/4457bb5bf106a91ed131a506269c5e09606c6f57
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying
properties of Object.prototype using a "constructor" or "proto"
payload.
Fixed in >= 1.2.2
https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Unclear if this is fixed in node 10.21.0
https://github.com/nodejs/node/commit/04cd67f85e5fafec2630f4e165516e712d7c3a7a