Adélie Linux / Adélie Package Tree / Issue #300 (Closed)
Created Jun 10, 2020 by Emily@emily🤖

user/node: multiple vulnerabilities

Bugzilla ID 300
Alias(es) CVE-2020-7598, CVE-2020-8174
Reporter Max Rees (sroracle)
Assignee Max Rees (sroracle)
Reported 2020-06-09 19:23:03 -0500
Modified 2020-06-16 16:00:04 -0500
Status RESOLVED FIXED
Version 1.0-RC1
Hardware Adélie Linux / All
Importance --- / normal
URL https://nodejs.org/en/blog/vulnerability/june-2020-security-releases
See also https://bts.adelielinux.org/show_bug.cgi?id=299, https://bts.adelielinux.org/show_bug.cgi?id=306

Description

CVE-2020-8174

Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(),
or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of
0 will cause the entire string value to be written to buf, probably
overrunning the length of the buffer.

Fixed in >= 10.21.0

See #299 (closed) for CVE-2020-11080.

CVE-2020-8172 does not apply to 10.x.

CVE-2020-10531 does not apply, already fixed in system/icu
https://code.foxkit.us/adelie/packages/commit/4457bb5bf106a91ed131a506269c5e09606c6f57

CVE-2020-7598

minimist before 1.2.2 could be tricked into adding or modifying
properties of Object.prototype using a "constructor" or "__proto__"
payload.

Fixed in >= 1.2.2
https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Unclear if this is fixed in node 10.21.0
https://github.com/nodejs/node/commit/04cd67f85e5fafec2630f4e165516e712d7c3a7a
