Bug 1591023 (CVE-2018-7164)

Summary: CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Socket as a stream
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, alessandro.polidori, athmanem, avibelli, bgeorges, bleanhar, ccoleman, dbeveniu, dedgar, hesilva, hhorak, jbalunas, jgoulding, jokerman, jorton, jpallich, jshepherd, krathod, lthon, mchappel, mrunge, mszynkie, nodejs-sig, pgallagh, rruss, sgallagh, tchollingsworth, thrcka, trogers, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 10.4.1, nodejs 9.11.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:29:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1591024    
Bug Blocks: 1591010    

Description Laura Pardo 2018-06-13 22:37:05 UTC 
A flaw was found in Node.js versions 9.7.0 and later and 10.x. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession.


References:
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
Comment 1 Laura Pardo 2018-06-13 22:37:47 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1591024]
Comment 2 Stephen Gallagher 2018-06-14 12:31:28 UTC 
Where is the Fedora tracking bug for this?
Comment 3 Cedric Buissart 2018-06-29 09:37:24 UTC 
In reply to comment 2:
> Where is the Fedora tracking bug for this?

Fedora-28 is shipped with nodejs-8.11.3-1.fc28, thus not affected. f-29 & rawhide are currently on nodejs-10.5.0 (https://apps.fedoraproject.org/packages/nodejs), which contains the fix, thus not affected either.
Is there really a need for a fedora tracking bug ?
Comment 4 Cedric Buissart 2018-06-29 09:50:37 UTC 
's/really/still/'
Comment 5 Cedric Buissart 2018-06-29 11:37:27 UTC 
upstream fix:
https://github.com/nodejs/node/commit/3217e8e66fa81e
Comment 8 Jason Shepherd 2018-09-04 04:16:09 UTC 
This issue doesn't affect NodeJS 6, or 0.10 used by openshift-enterprise-10/logging-kibana and logging-auth-proxy respectively.