Summary: | <net-libs/nodejs-{10.22.1,12.18.4,14.11.0}: Multiple vulnerabilities (CVE-2020-8201, CVE-2020-8251) |
---|---|
Product: | Gentoo Security |
Component: | Vulnerabilities |
Reporter: | Jeroen Roovers (RETIRED) <jer> |
Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED |
Severity: | normal |
Priority: | Normal |
CC: | ajak, charles17, marecki, williamh |
Flags: | nattka: sanity-check- |
Version: | unspecified |
Hardware: | All |
OS: | Linux |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=742890, https://bugs.gentoo.org/show_bug.cgi?id=756100 |
Whiteboard: | A3 [glsa+ cve] |
Package list: | =dev-libs/libuv-1.40.0, =net-libs/nodejs-14.15.0, =net-libs/http-parser-2.9.3 |
Runtime testing required: | --- |
Bug Depends on: | 728110, 754921 |
Bug Blocks: | 726836, 731654 |

Description
Jeroen Roovers (RETIRED)
2020-09-16 07:20:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79ae762f24b37251e14919b829893ef1dc93a3b5

commit 79ae762f24b37251e14919b829893ef1dc93a3b5
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-16 07:19:37 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-16 07:21:21 +0000

net-libs/nodejs: Versions 12.18.4 14.11.0

Package-Manager: Portage-3.0.7, Repoman-3.0.1
Bug: https://bugs.gentoo.org/742893
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 2 +
net-libs/nodejs/nodejs-12.18.4.ebuild | 213 +++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-14.11.0.ebuild | 200 +++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-99999999.ebuild | 8 +-
4 files changed, 419 insertions(+), 4 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=224ae61f77174ca30c1424737cdacd821c623789

commit 224ae61f77174ca30c1424737cdacd821c623789
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-16 07:39:36 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-16 07:40:17 +0000

net-libs/nodejs: Versions 10.19.0 10.22.1

Package-Manager: Portage-3.0.7, Repoman-3.0.1
RepoMan-Options: --force
Bug: https://bugs.gentoo.org/742893
Closes: https://bugs.gentoo.org/739340
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 2 +
net-libs/nodejs/nodejs-10.19.0.ebuild | 205 ++++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-10.22.1.ebuild | 205 ++++++++++++++++++++++++++++++++++
3 files changed, 412 insertions(+)

For 10.22.1:

CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).

The latter two are covered elsewhere:

<dev-libs/icu-65.1-r1 : bug #710758
<net-libs/nghttp2-1.41.0 : bug #726834

Unable to check for sanity:
> no match for package: =net-libs/nodejs-10.22.1
We're going to have to stable at least 14.6.0 and cleanup previous anyway for bug 731654, maybe let's just stable the 14 branch here?

(In reply to John Helmert III (ajak) from comment #5)
> We're going to have to stable at least 14.6.0 and cleanup previous anyway
> for bug 731654, maybe let's just stable the 14 branch here?

What are you talking about?

(In reply to Jeroen Roovers from comment #6)
> (In reply to John Helmert III (ajak) from comment #5)
> > We're going to have to stable at least 14.6.0 and cleanup previous anyway
> > for bug 731654, maybe let's just stable the 14 branch here?
>
> What are you talking about?

Unless the vulnerability in the other bug is fixed in other branches, we will need to drop versions which are vulnerable from the tree. Please let us know on the other bug if the other branches of NodeJS have been fixed in that bug.

Sanity check failed:
> net-libs/nodejs-12.18.4
> depend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
> >=net-libs/http-parser-2.9.3:=
> rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
> >=net-libs/http-parser-2.9.3:=
> depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
> >=net-libs/http-parser-2.9.3:=
> rdepend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
> >=net-libs/http-parser-2.9.3:=
All sanity-check issues have been resolved

arm64 done

Unable to check for sanity:
> no match for package: =net-libs/nodejs-12.18.4
All sanity-check issues have been resolved

amd64 stable

arm done

x86 stable

Sanity check failed:
> net-libs/nodejs-14.15.0
> depend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
> >=dev-libs/libuv-1.40.0:=
> rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
> >=dev-libs/libuv-1.40.0:=
> depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
> >=dev-libs/libuv-1.40.0:=
> rdepend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
> >=dev-libs/libuv-1.40.0:=
Unable to check for sanity:
> no match for package: =dev-libs/libuv-1.40
Adding amd64, arm, arm64 and x86 to the Cc list manually, seems CC-ARCHES didn't work this time.

*** Bug 753806 has been marked as a duplicate of this bug. ***

amd64 done

ppc64 stable

x86 done

arm64 done

arm done

Dropping the request for stabilisation on ppc because this architecture is not really supported upstream. In fact, we'll likely soon drop the ppc keyword from nodejs-14 altogether.

However, that means that before we can remove vulnerable nodejs-14 versions from the tree we have to stabilise one of the nodejs-12 ebuilds on ppc to avoid breaking the dependency tree.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

(In reply to Marek Szuba from comment #25)
> Dropping the request for stabilisation on ppc because this architecture is
> not really supported upstream. In fact, we'll likely soon drop the ppc
> keyword from nodejs-14 altogether.
>
> However, that means that before we can remove vulnerable nodejs-14 versions
> from the tree we have to stabilise one of the nodejs-12 ebuilds on ppc to
> avoid breaking the dependency tree.

I may be wrong but I suppose nodejs-14 is in a better state for ppc than nodejs-12... Could run tests to check that out.

Please do, at this point it's either stabilising v12 on ppc or removing that keyword from net-libs/nodejs altogether.

Created attachment 671137
build.log.xz (nodejs-12.19.0, ppc)
Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on ppc:
[...]
In file included from ../deps/v8/src/objects/visitors.h:9,
from ../deps/v8/src/heap/heap.h:33,
from ../deps/v8/src/heap/factory.h:16,
from ../deps/v8/src/execution/isolate.h:28,
from ../deps/v8/src/api/api.h:10,
from ../deps/v8/src/api/api-arguments.h:8,
from ../deps/v8/src/api/api-arguments.cc:5:
../deps/v8/src/objects/code.h:439:2: error: #error Unknown architecture.
439 | #error Unknown architecture.
| ^~~~~
In file included from ../deps/v8/src/execution/isolate.h:18,
from ../deps/v8/src/api/api.h:10,
from ../deps/v8/src/api/api-arguments.h:8,
from ../deps/v8/src/api/api-arguments.cc:5:
../deps/v8/src/objects/code.h:441:55: error: ‘kHeaderPaddingSize’ was not declared in this scope
441 | STATIC_ASSERT(FIELD_SIZE(kOptionalPaddingOffset) == kHeaderPaddingSize);
| ^~~~~~~~~~~~~~~~~~
../deps/v8/src/base/macros.h:200:43: note: in definition of macro ‘STATIC_ASSERT’
200 | #define STATIC_ASSERT(test) static_assert(test, #test)
| ^~~~
make: *** [tools/v8_gypfiles/v8_base_without_compiler.host.mk:669: /var/tmp/portage/net-libs/nodejs-14.15.0/work/node-v14.15.0/out/Release/obj.host/v8_base_without_compiler/deps/v8/src/api/api-arguments.o] Error 1
Created attachment 671140
build.log.xz (nodejs-14.15.0, ppc)
Though there is some upstream effort to get nodejs in a working state on ppc again: https://chromium-review.googlesource.com/c/v8/v8/+/2083019

Oh well, dekeywording it is then. Thanks for having checked this!

(In reply to ernsteiswuerfel from comment #29)
> Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on
> ppc:

For completeness, could you test 12.18.4-r1 as well? Turns out there is a chain of dev-ruby ebuilds which will completely break if we drop ppc from net-libs/nodejs keywords.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88758984a00b5a3d4f6d256f215f5d4ca47b7a4e

commit 88758984a00b5a3d4f6d256f215f5d4ca47b7a4e
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-13 09:40:32 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-13 09:56:36 +0000

net-libs/nodejs-14.2.0: drop all keywords except ppc

This version has got known security vulnerabilities but none of the others currently in the tree build on 32-bit ppc.

Bug: https://bugs.gentoo.org/742893
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/nodejs/nodejs-14.2.0.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

(In reply to Marek Szuba from comment #33)
> (In reply to ernsteiswuerfel from comment #29)
>
> > Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on
> > ppc:
>
> For completeness, could you test 12.18.4-r1 as well? Turns out there is a
> chain of dev-ruby ebuilds which will completely break if we drop ppc from
> net-libs/nodejs keywords.

12.18.4-r1 and also current stable 14.2.0 fail with the same error message for ppc builds. Maybe someone from the ppc/ppc64 team should have a closer look? On Void Linux latest stable version for ppc32 is 10.22.0 LTS.

Unable to check for sanity:
> no match for package: =net-libs/http-parser-2.9.3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

net-libs/nodejs: remove 12.18.4 and 14.2.0

Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172, CVE-2020-8174 and CVE-2020-15095 should now be safe to close.

Bug: https://bugs.gentoo.org/726836
Bug: https://bugs.gentoo.org/731654
Bug: https://bugs.gentoo.org/742893
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/nodejs/Manifest | 2 -
net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
net-libs/nodejs/nodejs-14.2.0.ebuild | 201 ----------------------------
3 files changed, 419 deletions(-)

The arches you dropped from nodejs are still relevant for dev-libs/libuv-1.40.0.

Could you elaborate? Only one arch has been dropped (ppc, which apparently was never officially supported upstream), it is net-libs/nodejs that depends on dev-libs/libuv and not the other way around, and now that dev-ruby/execjs has been fixed neither pkgcheck nor check-revdep show any deptree breakage due to the dekeywording.

I mean that's the downside when you populate package list with many packages - it would be nice to make sure each of them ends up with a consistent stabilisation even if not all keywords are necessary for the 'title' package. On a security bug, it may be better to simply make dependency bugs then.

Unable to check for sanity:
> no match for package: =net-libs/http-parser-2.9.3
Unable to check for sanity:
> no match for package: =net-libs/nodejs-14.15.0
This issue was resolved and addressed in GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07 by GLSA coordinator Sam James (sam_c).