Package: node-bl / 1.1.2-1+deb10u1

Metadata

Package: node-bl
Version: 1.1.2-1+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
00 readable_stream.patch

bl.js | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 readable-stream is only needed for node.js 0.8 compat
01 use_tap.patch

test/test.js | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 port tests to tap and add hash function
CVE 2020 8244.diff

bl.js | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

 fix buffer over-read vulnerability
 CVE-2020-8244:
 A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and
 <2.2.1 which could allow an attacker to supply user input (even
 typed) that if it ends up in consume() argument and can become
 negative, the BufferList state can be corrupted, tricking it into
 exposing uninitialized memory via regular .slice() calls.