
Buffer overread @ concat-stream #478

Closed
pumano opened this issue Apr 15, 2017 · 2 comments

pumano commented Apr 15, 2017

Today I got a message from https://nodesecurity.io:

142 - Buffer Overread

Vulnerable: All - Patched: None - Path: multer@1.3.0 > concat-stream@1.6.0

How to fix
Consider using the --zero-fill-buffers command line argument to zero out buffer before using them.

Avoid passing numeric values to the write function.

I also submitted that issue to concat-stream: max-mapper/concat-stream#57

LinusU (Member) commented Apr 16, 2017

This issue does not affect multer since we are only consuming a stream from busboy which will always yield buffers, but it would be nice to have it not shown as vulnerable on nodesecurity...

It seems like the issue was fixed in concat-stream 1.5.2, yet nodesecurity still shows all versions as vulnerable...

I think that the first thing that needs to happen is that 1.5.2 and upwards gets marked as fixed. We should also bump our dependency to ^1.5.2, I'll open a PR for that now...

jonchurch (Member) commented

Closing as resolved 💯
