
Bug 672136

Summary: <net-libs/nodejs-{6.16.0,8.15.0,10.15.0,11.6.0}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: guillaume, jer, kripton, leho, viklevin2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 708458
Bug Blocks:

Description Jeroen Roovers (RETIRED) gentoo-dev 2018-11-28 08:33:05 UTC
<8.14.0:

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.14.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
Node.js: HTTP request splitting (CVE-2018-12116)

<10.14.0:

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#10.14.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

<11.3.0:

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V11.md#11.3.0
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2018-11-28 09:51:21 UTC
<6.15.0:

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.15.0
Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)
Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
Node.js: HTTP request splitting (CVE-2018-12116)
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2018-11-28 11:10:47 UTC
I am trying to get the ebuilds in but it seems I can't:

# git push --signed origin master

FATAL -- ACCESS DENIED
Repo            repo/gentoo
User            jer@gentoo.org
Stage           Before git was called
Operation       Repo write

FATAL: W any repo/gentoo jer@gentoo.org DENIED by fallthru
(or you mis-spelled the reponame)
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-28 12:31:18 UTC
comrel is irrelevant here, blame infra
Comment 4 Larry the Git Cow gentoo-dev 2018-11-29 22:19:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=478037530d3b293185e8bcd1230daaaa7e032d1e

commit 478037530d3b293185e8bcd1230daaaa7e032d1e
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-11-28 10:43:11 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-11-29 22:19:29 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/672136
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest                 |   6 -
 net-libs/nodejs/nodejs-10.13.0-r1.ebuild | 205 ------------------------------
 net-libs/nodejs/nodejs-11.2.0-r1.ebuild  | 205 ------------------------------
 net-libs/nodejs/nodejs-4.8.7.ebuild      | 143 ---------------------
 net-libs/nodejs/nodejs-6.11.5.ebuild     | 193 ----------------------------
 net-libs/nodejs/nodejs-8.13.0-r2.ebuild  | 207 -------------------------------
 net-libs/nodejs/nodejs-9.11.2-r2.ebuild  | 202 ------------------------------
 7 files changed, 1161 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8879e4b3957a10551641e9e045397a908b1dd982

commit 8879e4b3957a10551641e9e045397a908b1dd982
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-11-28 10:38:49 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-11-29 22:19:29 +0000

    net-libs/nodejs: Versions 6.15.0 8.14.0 10.14.0 11.3.0
    
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/672136
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest               |   4 +
 net-libs/nodejs/nodejs-10.14.0.ebuild  | 205 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-11.3.0.ebuild   | 205 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-6.15.0.ebuild   | 200 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-8.14.0.ebuild   | 207 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-99999999.ebuild |   2 +-
 6 files changed, 822 insertions(+), 1 deletion(-)
Comment 5 Eugene Shalygin 2018-11-30 09:13:50 UTC
You removed 9.11.2, but 10.* versions require masked openssl-1.1. Please bring 9.* version back.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2018-11-30 10:30:39 UTC
(In reply to Eugene Shalygin from comment #5)
> You removed 9.11.2, but 10.* versions require masked openssl-1.1. Please
> bring 9.* version back.

The 9 series has seen no updates since June 2018[1] so if I were to bring it back, I would have to mask that too, not because of masked dependencies but because of security vulnerabilities that will never be fixed upstream[2].



[1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V9.md#9.11.2
[2] https://github.com/nodejs/Release#end-of-life-releases
Comment 7 Guillaume Ceccarelli 2018-12-05 20:10:09 UTC
CVE-2018-12121 seems to affect the http-parser lib. Nodejs patched the http-parser dependency they bundle directly inside of the nodejs official distribution to limit the max header size to 8k, but since Gentoo's nodejs ebuilds use the system's http-parser lib as opposed to the bundled one, and I don't think a fix was released there yet, this would mean Gentoo's nodejs is still vulnerable to CVE-2018-12121 despite releasing ebuilds for the newer node version.

I recommend using the bundled dependency as opposed to the system's http-parser or backporting node's fix as a patch to http-parser or patching http-parser with the contents of https://github.com/nodejs/http-parser/pull/452 . Note that limiting HTTP headers to a max size of 8k is a breaking change. Efforts are underway to make the max configurable and / or modifiable at runtime.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2018-12-05 23:16:23 UTC
(In reply to Guillaume Ceccarelli from comment #7)
> CVE-2018-12121 seems to affect the http-parser lib.

That should be in a different bug report, then.
Comment 9 Guillaume Ceccarelli 2018-12-05 23:24:35 UTC
(In reply to Jeroen Roovers from comment #8)
> (In reply to Guillaume Ceccarelli from comment #7)
> > CVE-2018-12121 seems to affect the http-parser lib.
> 
> That should be in a different bug report, then.

There might need to be another issue open in addition to this one, I'll let you and other Gentoo devs be the judge of that, but what I meant is the context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to CVE-2018-12121 as it is, since the fix commit is
  * https://github.com/nodejs/node/commit/74e01d0020ec255673e17353a1004a8ea375fff4
which essentially creates a fix directly in the bundled http-parser dependency.

Since Gentoo's nodejs ebuilds do not make use of the bundled dependency, they also can't benefit from the fix. That --shared-http-parser we pass in src_configure explicitly prevents it, hence my Comment #7.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2018-12-06 09:54:37 UTC
(In reply to Guillaume Ceccarelli from comment #9)
> (In reply to Jeroen Roovers from comment #8)
> > (In reply to Guillaume Ceccarelli from comment #7)
> > > CVE-2018-12121 seems to affect the http-parser lib.
> > 
> > That should be in a different bug report, then.
> 
> There might need to be another issue open in addition to this one, I'll let
> you and other Gentoo devs be the judge of that, but what I meant is the
> context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to
> CVE-2018-12121 as it is, since the fix commit is
>   *
> https://github.com/nodejs/node/commit/
> 74e01d0020ec255673e17353a1004a8ea375fff4
> which essentially creates a fix directly in the bundled http-parser
> dependency.

No, it merely sets HTTP_MAX_HEADER_SIZE in the code that compiles against http-parser. The http-parser header says:

http_parser.h:#ifndef HTTP_MAX_HEADER_SIZE
http_parser.h:# define HTTP_MAX_HEADER_SIZE (80*1024)

and the nodejs build system overrides that default by limiting it to 8KB.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2018-12-06 10:00:44 UTC
(In reply to Jeroen Roovers from comment #10)
> (In reply to Guillaume Ceccarelli from comment #9)
> > (In reply to Jeroen Roovers from comment #8)
> > > (In reply to Guillaume Ceccarelli from comment #7)
> > > > CVE-2018-12121 seems to affect the http-parser lib.
> > > 
> > > That should be in a different bug report, then.
> > 
> > There might need to be another issue open in addition to this one, I'll let
> > you and other Gentoo devs be the judge of that, but what I meant is the
> > context of nodejs: Gentoo's nodejs does not benefit from the upstream fix to
> > CVE-2018-12121 as it is, since the fix commit is
> >   *
> > https://github.com/nodejs/node/commit/
> > 74e01d0020ec255673e17353a1004a8ea375fff4
> > which essentially creates a fix directly in the bundled http-parser
> > dependency.
> 
> No, it merely sets HTTP_MAX_HEADER_SIZE in the code that compiles against
> http-parser. The http-parser header says:
> 
> http_parser.h:#ifndef HTTP_MAX_HEADER_SIZE
> http_parser.h:# define HTTP_MAX_HEADER_SIZE (80*1024)
> 
> and the nodejs build system overrides that default by limiting it to 8KB.

But you're right: it hasn't trickled down to current net-libs/http-parser. Note that http-parser is mostly developed by nodejs people, much like libuv, and that it apparently takes time and effort for them to send their changes upstream, even if they work upstream as well. Perhaps this is because they like to test things in the nodejs tree better than developing that independently in the upstream trees.
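An added example, not code from this bug, from http-parser or from Node.js, of the compile-time limit that comments 10 and 11 describe: the #ifndef default that a build can override with -DHTTP_MAX_HEADER_SIZE=8192, together with a constructed stand-in for how a parser enforces such a limit incrementally, refusing a request as soon as its header section exceeds the budget rather than buffering the whole thing first. The struct, the functions and the request text below are all hypothetical and constructed for the example.

```c
/* Added example (not code from http-parser, Node.js, or this bug): the
 * compile-time header-size limit discussed in comments 10 and 11, with a
 * constructed stand-in for how a parser enforces it incrementally. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern quoted from http_parser.h: a default that the build may
 * override, e.g. with -DHTTP_MAX_HEADER_SIZE=8192 as Node.js's build does. */
#ifndef HTTP_MAX_HEADER_SIZE
# define HTTP_MAX_HEADER_SIZE (80*1024)
#endif

/* Hypothetical per-request state: how many header bytes have been seen. */
struct header_budget {
    size_t max_bytes;   /* limit in force for this build */
    size_t seen_bytes;  /* header bytes consumed so far, across all reads */
    int    matched;     /* bytes of the "\r\n\r\n" terminator matched so far */
    int    done;        /* 1 once the header section has ended */
};

void header_budget_init(struct header_budget *b, size_t max_bytes) {
    b->max_bytes = max_bytes;
    b->seen_bytes = 0;
    b->matched = 0;
    b->done = 0;
}

/* Feed one chunk as it arrives from the socket. Returns 0 while the
 * headers are within budget (complete or not), -1 as soon as they exceed
 * it; the check runs per byte, so an oversized header is refused without
 * first being buffered in full. Bytes after the terminator are body. */
int header_budget_feed(struct header_budget *b, const char *chunk, size_t len) {
    static const char terminator[4] = {'\r', '\n', '\r', '\n'};
    for (size_t i = 0; i < len; i++) {
        if (b->done) return 0;
        if (++b->seen_bytes > b->max_bytes) return -1;
        if (chunk[i] == terminator[b->matched]) {
            if (++b->matched == 4) b->done = 1;
        } else {
            b->matched = (chunk[i] == '\r') ? 1 : 0;
        }
    }
    return 0;
}

/* Build a constructed request whose single padding header has a value of
 * value_len bytes (fixed parts total 47 bytes), feed it in 1 KiB reads
 * under the given limit, and report 1 if accepted, 0 if refused,
 * -1 on allocation failure. */
int demo_request_accepted(size_t value_len, size_t limit) {
    static const char prefix[] = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: ";
    static const char suffix[] = "\r\n\r\n";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    size_t total = plen + value_len + slen;
    char *req = malloc(total);
    if (!req) return -1;
    memcpy(req, prefix, plen);
    memset(req + plen, 'A', value_len);
    memcpy(req + plen + value_len, suffix, slen);

    struct header_budget b;
    header_budget_init(&b, limit);
    int rc = 0;
    for (size_t off = 0; off < total && rc == 0; off += 1024) {
        size_t n = (total - off < 1024) ? total - off : 1024;
        rc = header_budget_feed(&b, req + off, n);
    }
    free(req);
    return rc == 0 ? 1 : 0;
}

int main(void) {
    size_t big = 10 * 1024;   /* a 10 KiB header: over 8 KiB, under 80 KiB */
    printf("limit in this build: %d bytes\n", (int)HTTP_MAX_HEADER_SIZE);
    printf("10 KiB header under 8 KiB limit:  %s\n",
           demo_request_accepted(big, 8 * 1024) ? "accepted" : "refused");
    printf("10 KiB header under 80 KiB limit: %s\n",
           demo_request_accepted(big, 80 * 1024) ? "accepted" : "refused");
    printf("10 KiB header under build limit:  %s\n",
           demo_request_accepted(big, HTTP_MAX_HEADER_SIZE) ? "accepted" : "refused");
    return 0;
}
```

Compile it once as-is and once with -DHTTP_MAX_HEADER_SIZE=8192: the same 10 KiB header is accepted by the first build and refused by the second. That is the distinction comment 11 draws: the limit is baked into whichever parser binary is linked, so a system http-parser built without the override keeps its 80 KiB default, and a nodejs built with --shared-http-parser inherits that rather than the 8 KiB the upstream fix intended.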
Comment 12 Larry the Git Cow gentoo-dev 2018-12-06 13:56:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70a1b6bb522216ee1e5cab45df6ca67c44d96179

commit 70a1b6bb522216ee1e5cab45df6ca67c44d96179
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2018-12-06 13:54:23 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2018-12-06 13:56:12 +0000

    net-libs/nodejs: Version 6.15.1
    
    "This is a patch release to address a bad backport of the fix for
    "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0
    misapplies the headers timeout to an entire keep-alive HTTP session,
    resulting in prematurely disconnected sockets."
    
    https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#6.15.1
    
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Bug: https://bugs.gentoo.org/672136
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest                                       | 2 +-
 net-libs/nodejs/{nodejs-6.15.0.ebuild => nodejs-6.15.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:03:27 UTC
Added to an existing GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:22:00 UTC
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:25:11 UTC
Superseded by bug 708458.