CVE-2020-8244

NameCVE-2020-8244
DescriptionA buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2698-1
NVD severitymedium
Debian Bugs969309

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-bl (PTS)stretch1.1.2-1vulnerable
stretch (security)1.1.2-1+deb9u1fixed
buster1.1.2-1+deb10u1fixed
bookworm, sid, bullseye4.0.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-blsourcestretch1.1.2-1+deb9u1DLA-2698-1
node-blsourcebuster1.1.2-1+deb10u1
node-blsource(unstable)4.0.3-1969309

Notes

https://hackerone.com/reports/966347
https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190

Search for package or bug name: Reporting problems