Candidate: CVE-2018-7167
PublicDate: 2018-06-13 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7167
 https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167
 https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
Description:
 Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a
 hang which could result in a Denial of Service. In order to address this
 vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were
 updated so that they zero fill instead of hanging in these cases. All
 versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are
 vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
Ubuntu-Description:
 It was discovered that the Buffer.fill() and Buffer.alloc() methods improperly
 handled certain inputs. An attacker could use this vulnerability to cause a
 denial of service.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_nodejs:
 upstream: https://github.com/nodejs/node/commit/c5a2748d8f
 upstream: https://github.com/nodejs/node/commit/25c5111ca4
upstream_nodejs: released (8.11.3,10.4.1)
precise/esm_nodejs: DNE
trusty_nodejs: not-affected (code not present)
trusty/esm_nodejs: not-affected (code not present)
xenial_nodejs: ignored (end of standard support, was needed)
artful_nodejs: ignored (reached end-of-life)
bionic_nodejs: needed
cosmic_nodejs: not-affected (8.11.4~dfsg-0ubuntu1)
disco_nodejs: not-affected (10.15.1~dfsg-5)
eoan_nodejs: not-affected (10.15.1~dfsg-5)
focal_nodejs: not-affected (10.15.1~dfsg-5)
groovy_nodejs: not-affected (10.15.1~dfsg-5)
hirsute_nodejs: not-affected (10.15.1~dfsg-5)
impish_nodejs: not-affected (10.15.1~dfsg-5)
jammy_nodejs: not-affected (10.15.1~dfsg-5)
devel_nodejs: not-affected (10.15.1~dfsg-5)