Bug 702988 (CVE-2019-16777)

Summary: <net-libs/nodejs-{10.18.0,12.14.0}: Binary Planting with the npm CLI (CVE-2019-16777)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Flags: stable-bot: sanity-check+
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Whiteboard: B2 [glsa+ cve]
Package list: net-libs/nodejs-10.18.0 net-libs/nodejs-12.14.0 net-libs/http-parser-2.9.2 arm ppc ppc64
Runtime testing required: ---
Bug Depends on: 708458
Bug Blocks:

Description Jeroen Roovers (RETIRED) gentoo-dev 2019-12-15 13:06:42 UTC
[URL]:

Binary Planting with the npm CLI
tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

The Vulnerabilities
In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location.  (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)

A mitigating factor for both vulnerabilities is that a malicious actor would have to get their victim to install the package with the specially crafted bin entry.  However, as we have seen in the past, this is not an insurmountable barrier.

[https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/]:

The Node.js project will release new versions of all supported release lines on or shortly after Tuesday December 17, 2019 UTC. The only update in these releases will be an updated version of npm addressing the vulnerability announced in [URL].

In the meantime, users should update to npm 6.13.4 by following the instructions provided in the npm advisory[0]. As a general rule, avoid running npm in production environments.

Impact
All versions of Node.js are vulnerable including the LTS and current releases: Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), Node.js 12 (LTS "Erbium"), and Node.js 13.

Release timing

Releases will be available at, or shortly after, Tuesday, December 17, 2019 UTC.
[0] I.e. `npm install -g npm@6.13.4`
Comment 1 Larry the Git Cow gentoo-dev 2019-12-18 07:28:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0428fda2555f7c021c8243a18a2f2be97462ec56

commit 0428fda2555f7c021c8243a18a2f2be97462ec56
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:28:06 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:28:48 +0000

    net-libs/nodejs: Versions 8.17.0 10.18.0 12.14.0 13.4.0
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   4 +
 net-libs/nodejs/nodejs-10.18.0.ebuild | 200 ++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-12.14.0.ebuild | 208 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-13.4.0.ebuild  | 204 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-8.17.0.ebuild  | 210 ++++++++++++++++++++++++++++++++++
 5 files changed, 826 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2019-12-18 07:34:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa93627054b87763d4f451f7c76d6ed40a9f4422

commit fa93627054b87763d4f451f7c76d6ed40a9f4422
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:33:09 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:34:02 +0000

    net-libs/nodejs: Old
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   5 -
 net-libs/nodejs/nodejs-12.13.1.ebuild | 208 ----------------------------------
 net-libs/nodejs/nodejs-13.0.1.ebuild  | 202 ---------------------------------
 net-libs/nodejs/nodejs-13.1.0.ebuild  | 202 ---------------------------------
 net-libs/nodejs/nodejs-13.2.0.ebuild  | 204 ---------------------------------
 net-libs/nodejs/nodejs-13.3.0.ebuild  | 204 ---------------------------------
 6 files changed, 1025 deletions(-)
Comment 3 Stabilization helper bot gentoo-dev 2019-12-18 08:02:52 UTC
An automated check of this bug failed - repoman reported dependency errors (873 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
Comment 4 Larry the Git Cow gentoo-dev 2019-12-21 11:17:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50069c9c644e1247ebfc76f0f9bd70101da9a663

commit 50069c9c644e1247ebfc76f0f9bd70101da9a663
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-21 11:16:38 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-21 11:17:37 +0000

    net-libs/nodejs: Depend on >=dev-libs/libuv-1.34.0
    
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/nodejs-13.4.0.ebuild   | 2 +-
 net-libs/nodejs/nodejs-13.5.0.ebuild   | 2 +-
 net-libs/nodejs/nodejs-99999999.ebuild | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
Comment 5 Stabilization helper bot gentoo-dev 2019-12-24 21:06:13 UTC
An automated check of this bug failed - repoman reported dependency errors (117 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-12-27 21:24:15 UTC
arm64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-10 01:47:41 UTC
x86 stable
Comment 8 Piotr Karbowski (RETIRED) gentoo-dev 2020-01-19 15:47:34 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-02-11 13:07:02 UTC
arm stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 18:59:21 UTC
Added to an existing GLSA.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:22:16 UTC
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:24:31 UTC
Superseded by bug 708458.