Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 731654 (CVE-2020-15095)

Summary: <net-libs/nodejs-14.6.0: Information disclosure via npm (CVE-2020-15095)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
Whiteboard: B4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 742893    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-07 23:38:01 UTC 
CVE-2020-15095:

Versions of the CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. 

The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.


Maintainer, please let us know if our versions are vulnerable and if so please bump.
Comment 1 Larry the Git Cow gentoo-dev 2020-07-22 06:22:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b982d273c955a12408b0fdbd78f4f7a50662b549

commit b982d273c955a12408b0fdbd78f4f7a50662b549
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 06:21:49 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 06:22:10 +0000

    net-libs/nodejs: Version 14.6.0
    
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=731654
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest             |   1 +
 net-libs/nodejs/nodejs-14.6.0.ebuild | 200 +++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-22 18:47:10 UTC 
Thanks. Let's stable when ready.
Comment 3 NATTkA bot gentoo-dev Security 2020-07-22 18:48:53 UTC 
Sanity check failed:

> net-libs/nodejs-14.6.0
>   depend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=dev-libs/libuv-1.38.1:=
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
>     >=dev-libs/libuv-1.38.1:=
>   rdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=dev-libs/libuv-1.38.1:=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
>     >=dev-libs/libuv-1.38.1:=
Comment 4 NATTkA bot gentoo-dev Security 2020-07-22 18:56:41 UTC 
All sanity-check issues have been resolved
Comment 5 NATTkA bot gentoo-dev Security 2020-08-27 17:52:54 UTC 
Unable to check for sanity:

> no match for package: =net-libs/nodejs-14.6.0
Comment 6 NATTkA bot gentoo-dev Security 2020-11-09 15:17:10 UTC 
Sanity check failed:

> net-libs/nodejs-14.15.0
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libuv-1.40.0:=
>   depend amd64 stable profile default/linux/amd64/17.1 (54 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
>     >=dev-libs/libuv-1.40.0:=
Comment 7 NATTkA bot gentoo-dev Security 2020-11-09 15:21:00 UTC 
Unable to check for sanity:

> no match for package: dev-libs/libuv-1.40
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-09 20:17:45 UTC 
Stabling in other bug
Comment 9 Larry the Git Cow gentoo-dev 2020-11-21 20:26:40 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0
    
    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.
    
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:58 UTC 
This issue was resolved and addressed in
 GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07
by GLSA coordinator Sam James (sam_c).