Bug 1588833 (CVE-2017-16026)

Summary: CVE-2017-16026 nodejs-request: Remote Memory Exposure when a multipart request is made
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahardin, bleanhar, ccoleman, dedgar, dffrench, drusso, hhorak, jgoulding, jmadigan, jokerman, jorton, jshepherd, lgriffin, mchappel, ngough, nodejs-sig, pwright, rrajasek, tchollingsworth, thrcka, trepel, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-request 2.68.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:28:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1588834, 1588835, 1588836    
Bug Blocks: 1588837    

Description Laura Pardo 2018-06-07 23:21:07 UTC 
A flaw was found in Request >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0. Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.


References:
https://github.com/request/request/issues/1904
https://nodesecurity.io/advisories/309

Patch:
https://github.com/request/request/pull/2018
Comment 1 Laura Pardo 2018-06-07 23:21:39 UTC 
Created nodejs-request tracking bugs for this issue:

Affects: epel-all [bug 1588834]
Affects: fedora-all [bug 1588836]
Comment 3 Pedro YĆ³ssis Silva Barbosa 2018-06-13 15:15:04 UTC 
The current version (2.75.0) of request shipped in Red Hat Software Collections is not affected.