reassign 773623 libv8-3.14
thanks

On Sunday, 21 December 2014 at 12:43 -0500, Michael Gilbert wrote:
> On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> > On Saturday, 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
> >> package: src:nodejs
> >> CVE-2014-7192[0],[1]:
> >> | Eval injection vulnerability in index.js in the syntax-error package
> >> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
> >> | Developer and other products, allows remote attackers to execute
> >> | arbitrary code via a crafted file.
> >
> > This doesn't affect nodejs, but the "syntax-error" module, a dependency
> > of browserify - both not packaged in Debian.
> >
> > Cannot reassign, then. Maybe close?
>
> The advisories seem to indicate that the origin of the flaw lies
> within nodejs, not the libraries using it. That may be right or
> wrong, but it should be checked.
Right, two hours of skimming through v8 issues later, here is a proper
report of the issue with a link to the patch fixing it.

https://code.google.com/p/v8/issues/detail?id=2470

I confirm the issue is real, reproducible in v8-3.14, and serious (since
it is so easy to reproduce).

Side note: any javascript code using "eval" directly, or indirectly
through Function(str), in nodejs, in browser, wherever, will have
security issues today or tomorrow... there are several developers still
using eval for checking syntax errors and it is wrong.

Jérémy.

_______________________________________________
Pkg-javascript-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
