Security issue on dependency of dependency bl (download->decompress->decompress-tar->tar-stream->bl) - CVE-2020-8244 #107
Comments
|
We are also getting this alert: [email protected] |
|
believe this is a duplicate of #82 |
i do not think this is duplicate of #82 issue. That for decompress package vulnerability issue in 4.2.0. Even If we updated decompress package with latest still we will face this issue. Because the fix should come from down the line. bl Package is the dependency of dependency (download->decompress->decompress-tar->tar-stream->bl). In tar-stream Package having fixed version of bl package. so the fix start from decompress-tar Package. already someone raised issue(kevva/decompress-tar#14) regarding this in decompress-tar Repo. |
|
Hi, this should be fixed with the latest release 2.8.2: |
CVE-2020-8244
high severity
Vulnerable versions: < 2.2.1
Patched version: 2.2.1
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
The text was updated successfully, but these errors were encountered: