Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x). References: https://github.com/mhart/StringStream/issues/7
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1927294]
Affects: fedora-all [bug 1927296]

Created nodejs:10/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1927295]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1927297]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1927298]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1927299]
I have several questions here. Why is this reported against nodejs, when the flaw was found in a separate module? None of the current releases contain the module. Why is this reported against nodejs v13, which has been EOL for almost a year now? On top of that, latest build doesn't contain the module anyway. Why is this reported at all, when the package has been updated to 0.0.6 since May 2019? The module has been orphaned since F33 as well. Also, this flaw is related to nodejs v4.x, which has been EOL for years now. Why is CVE from 2018 reported in 2021?
(In reply to Zuzana Svetlikova from comment #3)
> Why is this reported against nodejs v13, which has been EOL for almost a
> year now? On top of that, latest build doesn't contain the module anyway.

I can only answer this - it's because nodejs:13 can still be found in Fedora repos. See e.g.:
ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/updates/33/Modular/x86_64/Packages/n/

I do not understand what you mean by "latest build doesn't contain the module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14, and 15 (this one is a recent addition that was missed here).
(In reply to Tomas Hoger from comment #4)
> (In reply to Zuzana Svetlikova from comment #3)
> I do not understand what you mean by "latest build doesn't contain the
> module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14,
> and 15 (this one is a recent addition that was missed here).

I meant latest v13 build of nodejs
https://koji.fedoraproject.org/koji/rpminfo?rpmID=21406997
https://koji.fedoraproject.org/koji/buildinfo?buildID=1504300
(In reply to Zuzana Svetlikova from comment #5)
> (In reply to Tomas Hoger from comment #4)
> > (In reply to Zuzana Svetlikova from comment #3)
> > I do not understand what you mean by "latest build doesn't contain the
> > module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14,
> > and 15 (this one is a recent addition that was missed here).
>
> I meant latest v13 build of nodejs

Now I understand - I assumed "the module" there referred to modularity modules (e.g. nodejs:13), not the stringstream library/module. Do not assume those nodejs affects were added because of stringstream being bundled with nodejs/npm, but because this CVE was incorrectly assumed to affect nodejs instead of nodejs-stringstream.
Upstream fix: https://github.com/mhart/StringStream/commit/afbc7442220358419e330618e47f3a65fc265b1b
In reply to comment #3:
> I have several questions here.
>
> Why is CVE from 2018 reported in 2021?

Agree that the CVE was reported in 2018, but our automated tool caught this vulnerability and reported it in Dec 2018.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-21270
Statement: Red Hat Quay includes stringstream as a dependency of Karma. Karma is only used at build time, and not at runtime, reducing the impact of this vulnerability to low.
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917