Bug 1577722

Summary: nodejs-concat-stream: Uninitialized memory disclosure when user input passed to index.js:write()
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahardin, bleanhar, ccoleman, dedgar, dffrench, drusso, hhorak, jgoulding, jmadigan, jokerman, jorton, jshepherd, kseifried, lgriffin, mchappel, ngough, pwright, rhel8-maint, rrajasek, sfowler, tchollingsworth, thrcka, tjay, trepel, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-14 04:01:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1577723, 1577724    
Bug Blocks: 1577727    

Description Sam Fowler 2018-05-14 03:56:29 UTC 
Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user provided input is passed into write().

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.


External Reference:

https://nodesecurity.io/advisories/597


Upstream patch:

https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
Comment 1 Sam Fowler 2018-05-14 03:57:00 UTC 
Created nodejs-concat-stream tracking bugs for this issue:

Affects: epel-all [bug 1577723]
Affects: fedora-26 [bug 1577724]
Comment 2 Sam Fowler 2018-05-14 04:01:58 UTC 

*** This bug has been marked as a duplicate of bug 1432987 ***