Bugzilla – Bug 1105019
VUL-0: CVE-2018-12115: nodejs4,nodejs6,nodejs8,nodejs10: Out of bounds (OOB) write
Last modified: 2020-07-02 13:06:04 UTC
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Out of bounds (OOB) write (CVE-2018-12115)

All actively supported release lines of Node.js are impacted by this flaw.

Node.js TSC member Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR) discovered an OOB write in Buffer that can be used to write to memory outside of a Buffer's memory space. This can corrupt unrelated Buffer objects or cause the Node.js process to crash.

When used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.

Impact:
All previous versions of Node.js 6.x (LTS "Boron") are vulnerable
All previous versions of Node.js 8.x (LTS "Carbon") are vulnerable
All previous versions of Node.js 10.x (Current) are vulnerable
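A way to confirm that an installed runtime keeps UCS-2 writes inside the target Buffer, as an added example that is not code from the Node.js project or from this bug report. It writes near the end of a small view carved out of a larger guard-filled parent Buffer, so any overrun would land in memory the check itself owns; the guard value, view position, sample string and function names are constructed for the illustration.

```javascript
// Added example: bounds check for UCS-2 Buffer#write() (CVE-2018-12115).
// GUARD, VIEW_START, VIEW_LEN and SAMPLE are constructed values.
const ENCODINGS = ['ucs2', 'ucs-2', 'utf16le', 'utf-16le']; // names from the advisory
const GUARD = 0xaa;
const VIEW_START = 8;
const VIEW_LEN = 4;
const SAMPLE = 'ыыыыыы'; // 6 code units = 12 bytes in UCS-2

// Bytes a correct write may produce: whole 16-bit units that fit in the room left.
function expectedBytes(viewLen, offset, chars) {
  const room = Math.max(viewLen - offset, 0);
  return Math.min(Math.floor(room / 2), chars) * 2;
}

function checkUcs2WriteBounds() {
  const findings = [];
  for (const enc of ENCODINGS) {
    for (let offset = 0; offset < VIEW_LEN; offset++) {
      // Parent is filled with guard bytes; the view is a window in its middle,
      // so any overrun lands in memory this check owns.
      const parent = Buffer.alloc(32, GUARD);
      const view = parent.subarray(VIEW_START, VIEW_START + VIEW_LEN).fill(0);
      const written = view.write(SAMPLE, offset, enc);
      const want = expectedBytes(VIEW_LEN, offset, SAMPLE.length);
      if (written !== want) {
        findings.push(`${enc} @${offset}: wrote ${written}, expected ${want}`);
      }
      parent.forEach((byte, i) => {
        const inside = i >= VIEW_START && i < VIEW_START + VIEW_LEN;
        if (!inside && byte !== GUARD) {
          findings.push(`${enc} @${offset}: guard byte ${i} modified`);
        }
      });
    }
  }
  return findings;
}

const findings = checkUcs2WriteBounds();
console.log(findings.length === 0
  ? `${process.version}: UCS-2 writes stay in bounds`
  : findings.join('\n'));
```

An empty result means every write returned the expected byte count and left the guard bytes intact; any entry names the encoding and offset that misbehaved.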
This is an autogenerated message for OBS integration: This bug (1105019) was mentioned in https://build.opensuse.org/request/show/630497 Factory / nodejs6 https://build.opensuse.org/request/show/630498 Factory / nodejs8
All supported codestreams submitted/fixed. Reassigning back to security team. nodejs10 is fixed in devel project and will be submitted to Factory soon. nodejs4, nodejs6, and nodejs8 are submitted to supported codestreams.
SUSE-SU-2018:2647-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1082318,1091764,1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs4-4.9.1-15.14.1
SUSE Enterprise Storage 4 (src): nodejs4-4.9.1-15.14.1

openSUSE-SU-2018:2667-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1082318,1091764,1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
openSUSE Leap 42.3 (src): nodejs4-4.9.1-17.1
This is an autogenerated message for OBS integration: This bug (1105019) was mentioned in https://build.opensuse.org/request/show/634765 Factory / nodejs10
SUSE-SU-2018:2796-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): nodejs6-6.14.4-11.18.1
SUSE OpenStack Cloud 7 (src): nodejs6-6.14.4-11.18.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs6-6.14.4-11.18.1
SUSE Enterprise Storage 4 (src): nodejs6-6.14.4-11.18.1

SUSE-SU-2018:2812-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src): nodejs8-8.11.4-3.8.2

openSUSE-SU-2018:2816-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
openSUSE Leap 42.3 (src): nodejs6-6.14.4-15.1

openSUSE-SU-2018:2855-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1097158,1097748,1105019
CVE References: CVE-2018-0732,CVE-2018-12115
Sources used:
openSUSE Leap 15.0 (src): nodejs8-8.11.4-lp150.2.6.1
released
This is an autogenerated message for OBS integration: This bug (1105019) was mentioned in https://build.opensuse.org/request/show/642571 42.3+Backports:SLE-12 / nodejs8
This is an autogenerated message for OBS integration: This bug (1105019) was mentioned in https://build.opensuse.org/request/show/643179 42.3 / nodejs10
This is an autogenerated message for OBS integration: This bug (1105019) was mentioned in https://build.opensuse.org/request/show/649577 Backports:SLE-12-SP2 / nodejs8
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.