Bug 1432987 - nodejs-concat-stream: Uninitialized memory disclosure in stringConcat()
Summary: nodejs-concat-stream: Uninitialized memory disclosure in stringConcat()
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1577722 (view as bug list)
Depends On: 1460133 1460134 1471345 1582593
Blocks: 1432988 1577727
TreeView+ depends on / blocked
 
Reported: 2017-03-16 14:02 UTC by Adam Mariš
Modified: 2021-02-17 02:27 UTC (History)
26 users (show)

Fixed In Version: nodejs-concat-stream 1.5.2
Clone Of:
Environment:
Last Closed: 2017-06-09 08:43:56 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2017-03-16 14:02:59 UTC 
Possible uninitialized memory disclosure was found when value of type `number` is provided to `stringConcat()`.

Upstream patch:

https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e

Upstream bug:

https://github.com/maxogden/concat-stream/pull/47

External Reference:

https://snyk.io/vuln/npm:concat-stream:20160901
Comment 1 Cedric Buissart 2017-06-09 08:18:42 UTC 
Created nodejs-concat-stream tracking bugs for this issue:

Affects: epel-all [bug 1460133]
Comment 2 Cedric Buissart 2017-06-09 08:19:12 UTC 
Created nodejs-concat-stream tracking bugs for this issue:

Affects: fedora-all [bug 1460134]
Comment 4 Sam Fowler 2018-05-14 04:01:58 UTC 
*** Bug 1577722 has been marked as a duplicate of this bug. ***
Comment 6 Jason Shepherd 2018-06-13 21:32:19 UTC 
NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected.
Note You need to log in before you can comment on or make changes to this bug.