Summary: | net-libs/nodejs-{10.18.0,12.14.0}: Binary Planting with the npm CLI (CVE-2019-16777) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | Flags: | stable-bot: sanity-check+ |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli | | |
Whiteboard: | B2 [glsa+ cve] | | |
Package list: | net-libs/nodejs-10.18.0, net-libs/nodejs-12.14.0, net-libs/http-parser-2.9.2 arm ppc ppc64 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 708458 | | |
Bug Blocks: | | | |
Description
Jeroen Roovers (RETIRED)
2019-12-15 13:06:42 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0428fda2555f7c021c8243a18a2f2be97462ec56

commit 0428fda2555f7c021c8243a18a2f2be97462ec56
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:28:06 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:28:48 +0000

net-libs/nodejs: Versions 8.17.0 10.18.0 12.14.0 13.4.0

Package-Manager: Portage-2.3.82, Repoman-2.3.20
Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 4 +
net-libs/nodejs/nodejs-10.18.0.ebuild | 200 ++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-12.14.0.ebuild | 208 +++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-13.4.0.ebuild | 204 +++++++++++++++++++++++++++++++++
net-libs/nodejs/nodejs-8.17.0.ebuild | 210 ++++++++++++++++++++++++++++++++++
5 files changed, 826 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa93627054b87763d4f451f7c76d6ed40a9f4422

commit fa93627054b87763d4f451f7c76d6ed40a9f4422
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-18 07:33:09 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-18 07:34:02 +0000

net-libs/nodejs: Old

Package-Manager: Portage-2.3.82, Repoman-2.3.20
Bug: https://bugs.gentoo.org/702988
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/Manifest | 5 -
net-libs/nodejs/nodejs-12.13.1.ebuild | 208 ----------------------------------
net-libs/nodejs/nodejs-13.0.1.ebuild | 202 ---------------------------------
net-libs/nodejs/nodejs-13.1.0.ebuild | 202 ---------------------------------
net-libs/nodejs/nodejs-13.2.0.ebuild | 204 ---------------------------------
net-libs/nodejs/nodejs-13.3.0.ebuild | 204 ---------------------------------
6 files changed, 1025 deletions(-)

An automated check of this bug failed - repoman reported dependency errors (873 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=net-libs/http-parser-2.9.0:=']
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50069c9c644e1247ebfc76f0f9bd70101da9a663

commit 50069c9c644e1247ebfc76f0f9bd70101da9a663
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-21 11:16:38 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-21 11:17:37 +0000

net-libs/nodejs: Depend on >=dev-libs/libuv-1.34.0

Package-Manager: Portage-2.3.82, Repoman-2.3.20
Bug: https://bugs.gentoo.org/show_bug.cgi?id=702988
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-libs/nodejs/nodejs-13.4.0.ebuild | 2 +-
net-libs/nodejs/nodejs-13.5.0.ebuild | 2 +-
net-libs/nodejs/nodejs-99999999.ebuild | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

An automated check of this bug failed - repoman reported dependency errors (117 lines truncated):
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.17.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/17.0/64bit-userland/desktop) ['>=net-libs/http-parser-2.9.0:=']
arm64 stable

x86 stable

amd64 stable

arm stable

Added to an existing GLSA.

This issue was resolved and addressed in GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48 by GLSA coordinator Thomas Deutschmann (whissi).

Superseded by bug 708458.