See tracker bug. Fixed in 15.2.1 (not in tree), 14.15.1, 12.19.1 upstream.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db67e73440f7da405fe85ed291678fac83f6490

commit 3db67e73440f7da405fe85ed291678fac83f6490
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-16 17:36:11 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-16 17:38:13 +0000

net-libs/nodejs: bump to 12.19.1 and 14.15.1

Security updates due to CVE-2020-8277.

Bug: https://bugs.gentoo.org/754942
Signed-off-by: Marek Szuba <marecki@gentoo.org>

net-libs/nodejs/Manifest | 3 +-
...nodejs-12.19.0.ebuild => nodejs-12.19.1.ebuild} | 0
net-libs/nodejs/nodejs-14.15.1.ebuild | 202 +++++++++++++++++++++
3 files changed, 204 insertions(+), 1 deletion(-)
I haven't checked the code but judging from the timestamps mentioned in the upstream bug, nodejs-14.2.0 is vulnerable to this as well - meaning we will have a vulnerable version in the tree until the dev-ruby/execjs dependency chain on ppc has been given an alternative JavaScript runtime. Of course, with said version having lost all keywords except ppc and not building on that architecture, the risk is limited.
(In reply to Marek Szuba from comment #2)
> I haven't checked the code but judging from the timestamps mentioned in the
> upstream bug, nodejs-14.2.0 is vulnerable to this as well - meaning we
> will have a vulnerable version in the tree until the dev-ruby/execjs
> dependency chain on ppc has been given an alternative JavaScript runtime. Of
> course with said version having lost all keywords except ppc and not
> building on that architecture, the risk is limited.

I'm going to shift the blocker to See Also just because some tooling will ignore bugs with a blocker, but it is technically one for the bug, so I'll move it back later. Are we ready to start stabling given the minimal changes?
Fine by me. 14.15.1 could probably be fast-tracked given we have only just stabilised 14.15.0; in the case of 12.19.1 it wouldn't hurt to build-test it on each arch because we did not get to stabilise 12.19.0 in time.
(In reply to Marek Szuba from comment #4)
> Fine by me. 14.15.1 could probably be fast-tracked given we have only just
> stabilised 14.15.0; in the case of 12.19.1 it wouldn't hurt to build-test it on
> each arch because we did not get to stabilise 12.19.0 in time.

Thanks! Yeah, we always "test properly" unless there's something really serious (like some exploited-in-the-wild browser vulnerability where minimal stuff changed).
amd64 stable
x86 stable
arm done
arm64 done
Lagging ppc64 stabilisation no longer needed due to new vulnerabilities having been announced which affect the versions at hand.
Resetting sanity check; package list is empty or all packages are done.
(In reply to Marek Szuba from comment #10)
> Lagging ppc64 stabilisation no longer needed due to new vulnerabilities
> having been announced which affect the versions at hand.

Thank you! For this bug, cleanup doesn't seem to be done for the 14.15 branch though.
This issue was resolved and addressed in GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07 by GLSA coordinator Sam James (sam_c).