Bug 1550772 - (CVE-2018-13863) CVE-2018-13863 nodejs-bson: Regular expression denial of service in decimal128.js
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20180227,reported=2...
Keywords: Security
Depends On: 1550773 1550774 1600003 1600004 1554497
Blocks: 1550775
Reported: 2018-03-01 20:18 EST by Sam Fowler
Modified: 2018-07-11 04:02 EDT
Fixed In Version: nodejs-bson 1.0.5
Description Sam Fowler 2018-03-01 20:18:48 EST
nodejs-bson before version 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in decimal128.js.


Upstream Commit:

https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a


Additional References:

https://snyk.io/vuln/npm:bson:20180225
Comment 1 Sam Fowler 2018-03-01 20:19:14 EST
Created nodejs-bson tracking bugs for this issue:

Affects: fedora-all [bug 1550774]
Affects: epel-all [bug 1550773]
Comment 4 Tomas Hoger 2018-07-09 04:12:25 EDT
The support for the Decimal128 data type was only introduced in bson module version 0.5.0.  The problematic regular expression was introduced via the following commit:

https://github.com/mongodb/js-bson/commit/e14b4d081a2704b86b8c3407382e107f23ad0da6

Note that the nodejs-bson packages in Fedora and Fedora EPEL are based on upstream versions prior to 0.5.0 (0.4.23 in Fedora, and 0.2.x in EPEL), so they were not affected by this flaw.
Comment 5 Tomas Hoger 2018-07-09 05:34:20 EDT
Note that this flaw is not triggered when deserializing data from the BSON format.  It is only triggered when preparing objects for serialization to BSON if those objects need to contain fields with decimal128 type, and the value is constructed using Decimal128.fromString() from a long untrusted string.
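
A defender-side mitigation for the trigger condition described in Comment 5, as an added example that is not part of the bug report or of js-bson: bound the length of untrusted input and check its grammar with a single-pass scanner before handing it to Decimal128.fromString(), so the library's regular expression never sees a long, malformed string. The 64-character cap and the accepted special-value spellings (NaN, Infinity, inf) are assumptions for this example, and `safeFromString` with its injected `parse` callback is a hypothetical name.

```javascript
// Added example, not code from the bug report or js-bson: a linear-time
// pre-validator for Decimal128 strings, run before untrusted input reaches
// bson's Decimal128.fromString(). The parser only ever sees short, well-formed
// strings, so a backtracking regex inside it cannot be driven into a ReDoS.
// The 64-character cap is an assumption: decimal128 holds at most 34
// significant digits and an exponent in [-6176, 6111], so 64 leaves room.
const MAX_DECIMAL128_STRING_LENGTH = 64;
const isDigit = (c) => c >= '0' && c <= '9';

// One pass over: [+-]? digits [ '.' digits ] [ ('e'|'E') [+-]? digits ],
// plus the special values NaN / Infinity / inf. Returns { ok, reason }.
function checkDecimal128String(s) {
  if (typeof s !== 'string' || s.length === 0) return { ok: false, reason: 'empty or not a string' };
  if (s.length > MAX_DECIMAL128_STRING_LENGTH) return { ok: false, reason: 'too long' };
  let i = 0;
  if (s[i] === '+' || s[i] === '-') i++;
  const special = s.slice(i).toLowerCase();
  if (special === 'nan' || special === 'inf' || special === 'infinity') return { ok: true };
  let digits = 0;
  while (i < s.length && isDigit(s[i])) { i++; digits++; }
  if (i < s.length && s[i] === '.') {
    i++;
    while (i < s.length && isDigit(s[i])) { i++; digits++; }
  }
  if (digits === 0) return { ok: false, reason: 'no digits' };
  if (i < s.length && (s[i] === 'e' || s[i] === 'E')) {
    i++;
    if (i < s.length && (s[i] === '+' || s[i] === '-')) i++;
    let expDigits = 0;
    while (i < s.length && isDigit(s[i])) { i++; expDigits++; }
    if (expDigits === 0) return { ok: false, reason: 'exponent has no digits' };
  }
  if (i !== s.length) return { ok: false, reason: 'unexpected character at ' + i };
  return { ok: true };
}

// Guard wrapper; `parse` is injected (e.g. Decimal128.fromString) so the
// example runs without the bson package installed.
function safeFromString(s, parse) {
  const verdict = checkDecimal128String(s);
  if (!verdict.ok) throw new RangeError('rejected Decimal128 input: ' + verdict.reason);
  return parse(s);
}
```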
