702988 – (CVE-2019-16777) <net-libs/nodejs-{10.18.0,12.14.0}: Binary Planting with the npm CLI (CVE-2019-16777)

Bug 702988 (CVE-2019-16777) - <net-libs/nodejs-{10.18.0,12.14.0}: Binary Planting with the npm CLI (CVE-2019-16777)

Summary: <net-libs/nodejs-{10.18.0,12.14.0}: Binary Planting with the npm CLI (CVE-201...

Status:	RESOLVED FIXED

Alias:	CVE-2019-16777

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://blog.npmjs.org/post/189618601...
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:	CVE-2019-15604, CVE-2019-15605, CVE-2019-15606
Blocks:
	Show dependency tree

Reported:	2019-12-15 13:06 UTC by Jeroen Roovers (RETIRED)
Modified:	2020-03-20 19:24 UTC (History)
CC List:	0 users

See Also:
Package list:	net-libs/nodejs-10.18.0 net-libs/nodejs-12.14.0 net-libs/http-parser-2.9.2 arm ppc ppc64
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2019-12-15 13:06:42 UTC

[URL]:

Binary Planting with the npm CLI
tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

The Vulnerabilities
In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location.  (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)

A mitigating factor for both vulnerabilities is that a malicious actor would have to get their victim to install the package with the specially crafted bin entry.  However, as we have seen in the past, this is not an insurmountable barrier.

[https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/]:

The Node.js project will release new versions of all supported release lines on or shortly after Tuesday December 17, 2019 UTC. The only update in these releases will be an updated version of npm addressing the vulnerability announced in [URL].

In the meantime, users should update to npm 6.13.4 by following the instructions provided in the npm advisory[0]. As a general rule, avoid running npm in production environments.

Impact
All versions of Node.js are vulnerable including the LTS and current releases: Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium") , Node.js 12 (LTS "Erbium"), and Node.js 13.

Release timing 
Releases will be available at, or shortly after, Tuesday, December 17, 2019 UTC.


[0] I.e. `npm install -g npm@6.13.4`

Comment 1 Larry the Git Cow gentoo-dev

2019-12-18 07:28:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0428fda2555f7c021c8243a18a2f2be97462ec56

commit 0428fda2555f7c021c8243a18a2f2be97462ec56
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:28:06 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:28:48 +0000

    net-libs/nodejs: Versions 8.17.0 10.18.0 12.14.0 13.4.0
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   4 +
 net-libs/nodejs/nodejs-10.18.0.ebuild | 200 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-12.14.0.ebuild | 208 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-13.4.0.ebuild  | 204 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-8.17.0.ebuild  | 210 ++++++++++++++++++++++++++++++++++
 5 files changed, 826 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2019-12-18 07:34:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa93627054b87763d4f451f7c76d6ed40a9f4422

commit fa93627054b87763d4f451f7c76d6ed40a9f4422
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:33:09 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:34:02 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   5 -
 net-libs/nodejs/nodejs-12.13.1.ebuild | 208 ----------------------------------
 net-libs/nodejs/nodejs-13.0.1.ebuild  | 202 ---------------------------------
 net-libs/nodejs/nodejs-13.1.0.ebuild  | 202 ---------------------------------
 net-libs/nodejs/nodejs-13.2.0.ebuild  | 204 ---------------------------------
 net-libs/nodejs/nodejs-13.3.0.ebuild  | 204 ---------------------------------
 6 files changed, 1025 deletions(-)

Comment 3 Stabilization helper bot gentoo-dev

2019-12-18 08:02:52 UTC

An automated check of this bug failed - repoman reported dependency errors (873 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']

Comment 4 Larry the Git Cow gentoo-dev

2019-12-21 11:17:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50069c9c644e1247ebfc76f0f9bd70101da9a663

commit 50069c9c644e1247ebfc76f0f9bd70101da9a663
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-21 11:16:38 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-21 11:17:37 +0000

    net-libs/nodejs: Depend on >=dev-libs/libuv-1.34.0
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/nodejs-13.4.0.ebuild   | 2 +-
 net-libs/nodejs/nodejs-13.5.0.ebuild   | 2 +-
 net-libs/nodejs/nodejs-99999999.ebuild | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Comment 5 Stabilization helper bot gentoo-dev

2019-12-24 21:06:13 UTC

An automated check of this bug failed - repoman reported dependency errors (117 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2019-12-27 21:24:15 UTC

arm64 stable

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-01-10 01:47:41 UTC

x86 stable

Comment 8 Piotr Karbowski (RETIRED) gentoo-dev

2020-01-19 15:47:34 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-02-11 13:07:02 UTC

arm stable

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-20 18:59:21 UTC

Added to an existing GLSA.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2020-03-20 19:22:16 UTC

This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-20 19:24:31 UTC

Superseded by bug 708458.