| Summary: | <net-dns/c-ares-1.17.2 <net-libs/nodejs-{12.22.5:0/12,14.17.5:0/14,16.6.2:0/16}: Multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | | |
| Severity: | major | CC: | ajak, base-system, williamh |
| Priority: | Normal | Flags: | sam: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/nodejs/node/issues/39747 | | |
| Whiteboard: | B1 [glsa] | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 805053, 807604, 807778 | | |

Package list:
=net-dns/c-ares-1.17.2
=net-libs/nodejs-12.22.5-r1 amd64 arm arm64 ppc64 x86
=net-libs/nodejs-14.17.5-r1 amd64 arm arm64 ppc64 x86

Description
Sam James
2021-08-12 00:07:52 UTC
We unbundle c-ares so not sure about the first two(?) CVEs. That said, we try to unbundle libuv, but it's been fraught with risk before. So, let's treat it as if it is bundled...

Please bump to 14.17.5 and friends.

Looks like nodejs upstream now uses a custom version of bundled c-ares which uses different headers than the version we have got packaged - 12.22.5, 14.17.5 and 16.6.2 all fail to build due to

cares_wrap.cc: fatal error: ares_nameser.h: No such file or directory

This file is present in neither net-dns/c-ares-1.17.{1,2} nor the c-ares Git master.

Unfortunately real-life priorities prevent me from pursuing this any further at the moment.

Good to go; I assume we haven't switched to the decoupled work flow yet so I'm populating the package list in this bug. Moreover, from now Node.js ebuilds will, in src_prepare, delete bundled dependencies which are not supposed to be used.

amd64 done

(In reply to Marek Szuba from comment #4)
> Good to go; I assume we haven't switched to the decoupled work flow yet so
> I'm populating the package list in this bug. Moreover, from now Node.js
> ebuilds will, in src_prepare, delete bundled dependencies which are not
> supposed to be used.

Thank you! (Both for this and the update previously. It is very much appreciated!)

sparc done

CVE-2021-22940: Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

hppa done

ppc done

ppc64 done

arm done

arm64 done

x86 done

all arches done

Please cleanup, thanks!

(In reply to Sam James from comment #15)
> Please cleanup, thanks!

The vulnerable version of c-ares is off the tree.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce

commit c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 09:27:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 09:28:02 +0000

    [ GLSA 202401-02 ] c-ares: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/807604
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/892489
    Bug: https://bugs.gentoo.org/905341
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-02.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

Looks like we never GLSA'd nodejs here but it's in an existing request anyway.