Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20140930045342.46A38C50174@smtptsrv1.mitre.org>
Date: Tue, 30 Sep 2014 00:53:42 -0400 (EDT)
From: cve-assign@...re.org
To: pabs3@...edaddy.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: various NodeJS module vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> qs Denial-of-Service Memory Exhaustion
> https://nodesecurity.io/advisories/qs_dos_memory_exhaustion

The description seems to suggest that there should be an arbitrary
limit on the index value. That, by itself, might not be considered a
vulnerability report; however, omitting the call to the compact
function can probably be considered a security problem. Use
CVE-2014-7191 for the
https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8
commit.


> qs Denial-of-Service Extended Event Loop Blocking
> https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

This has no references to the specific code changes, and the
discussion suggests that this is a security enhancement -- adding new
resource-limit functionality that hadn't existed before 1.0.0 -- not a
fix to the implementation of existing functionality. Accordingly, no
CVE ID is currently being assigned.


> syntax-error potential for script injection
> https://nodesecurity.io/advisories/syntax-error-potential-script-injection

This seems to have multiple possible interpretations of where the
vulnerability is.

"In node 0.10, Function() seems to be implemented in terms of eval(),
so malicious code can execute even if the function returned by
Function() was never called" doesn't seem to be a statement of an eval
injection vulnerability affecting all 0.10.x versions. Instead,
https://nodesecurity.io/advisories/syntax-error-potential-script-injection
seems to be only about the
https://github.com/substack/node-syntax-error/commit/9aa4e66eb90ec595d2dba55e6f9c2dd9a668b309
commit. The affected product is only the syntax-error package from the
http://www.npmjs.org/package/syntax-error web site.

Use CVE-2014-7192.


> send Directory Traversal
> https://nodesecurity.io/advisories/send-directory-traversal

The CVE ID is already listed on that web page.


> Crumb CORS Token Disclosure
> https://nodesecurity.io/advisories/crumb_cors_token_disclosure

Use CVE-2014-7193.


> Arbitrary JavaScript Execution in Bassmaster
> https://nodesecurity.io/advisories/bassmaster_js_injection

Use CVE-2014-7205.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUKjayAAoJEKllVAevmvmsyGUIAIn3usYJEiGNn1bV2MKMLViU
SPZjEGB94Uq3CbJHnAFXUGveRwANkdaePoyBDGB8xWDGcPsCBsBIcxD1W31LCNOf
x4R7hEB/+AmGtiZI+AiwxMlOzG508ymEygK/YgP3RUT8HwJhDmfT9Gs9S1hC83XN
5BcmBojhEZuESm5w7V/jV+xTUgb9KEEDNldiNRpyn/iFy++5TArtiYF6ldfllpFL
VQBiC3npo+eJUABFkFWZxm9e7GcI8asYpVdhXE1z5lvc2/4x43auKUcDLOXZJP6h
O7liLJ44g/phRRhal53FUxG8rO1mzP8zcmHKVKnm1lnNSFBwRbMA/nG16gKUhh8=
=oKCI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.