Bug 742893 (CVE-2020-8201, CVE-2020-8251) - <net-libs/nodejs-{10.22.1,12.18.4,14.11.0}: Multiple vulnerabilities (CVE-2020-8201, CVE-2020-8251)
Status: CONFIRMED
Alias: CVE-2020-8201, CVE-2020-8251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [stable cve]
Keywords: CC-ARCHES, STABLEREQ
Duplicates: 753806
Depends on: 728110 754921
Blocks: CVE-2020-8172, CVE-2020-8174 CVE-2020-15095
Reported: 2020-09-16 07:20 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-11-22 17:45 UTC
CC List: 4 users

See Also:
Package list:
=dev-libs/libuv-1.40.0 =net-libs/nodejs-14.15.0 =net-libs/http-parser-2.9.3
Runtime testing required: ---
nattka: sanity-check-


Attachments
build.log.xz (nodejs-12.19.0, ppc) (nodejs-12.19.0:20201112-201101.log.xz, 5.62 KB, text/plain)
2020-11-12 20:43 UTC, ernsteiswuerfel
no flags
build.log.xz (nodejs-14.15.0, ppc) (nodejs-14.15.0:20201112-201343.log.xz, 23.07 KB, application/x-xz)
2020-11-12 20:44 UTC, ernsteiswuerfel
no flags

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-09-16 07:20:58 UTC
CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical).
CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.18.4
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.11.0
Comment 1 Larry the Git Cow gentoo-dev 2020-09-16 07:21:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79ae762f24b37251e14919b829893ef1dc93a3b5

commit 79ae762f24b37251e14919b829893ef1dc93a3b5
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-16 07:19:37 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-16 07:21:21 +0000

    net-libs/nodejs: Versions 12.18.4 14.11.0
    
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest               |   2 +
 net-libs/nodejs/nodejs-12.18.4.ebuild  | 213 +++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-14.11.0.ebuild  | 200 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-99999999.ebuild |   8 +-
 4 files changed, 419 insertions(+), 4 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2020-09-16 07:40:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=224ae61f77174ca30c1424737cdacd821c623789

commit 224ae61f77174ca30c1424737cdacd821c623789
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-16 07:39:36 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-16 07:40:17 +0000

    net-libs/nodejs: Versions 10.19.0 10.22.1
    
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    RepoMan-Options: --force
    Bug: https://bugs.gentoo.org/742893
    Closes: https://bugs.gentoo.org/739340
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest              |   2 +
 net-libs/nodejs/nodejs-10.19.0.ebuild | 205 ++++++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-10.22.1.ebuild | 205 ++++++++++++++++++++++++++++++++++
 3 files changed, 412 insertions(+)
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2020-09-16 07:46:55 UTC
For 10.22.1:

CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).

The latter two are covered elsewhere:

<dev-libs/icu-65.1-r1 : bug #710758
<net-libs/nghttp2-1.41.0 : bug #726834
Comment 4 NATTkA bot gentoo-dev 2020-09-19 11:32:58 UTC
Unable to check for sanity:

> no match for package: =net-libs/nodejs-10.22.1
Comment 5 John Helmert III (ajak) 2020-09-20 16:27:04 UTC
We're going to have to stable at least 14.6.0 and cleanup previous anyway for bug 731654, maybe let's just stable the 14 branch here?
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2020-09-20 18:43:00 UTC
(In reply to John Helmert III (ajak) from comment #5)
> We're going to have to stable at least 14.6.0 and cleanup previous anyway
> for bug 731654, maybe let's just stable the 14 branch here?

What are you talking about?
Comment 7 John Helmert III (ajak) 2020-09-21 03:03:49 UTC
(In reply to Jeroen Roovers from comment #6)
> (In reply to John Helmert III (ajak) from comment #5)
> > We're going to have to stable at least 14.6.0 and cleanup previous anyway
> > for bug 731654, maybe let's just stable the 14 branch here?
> 
> What are you talking about?

Unless the vulnerability in the other bug is fixed in other branches, we will need to drop versions which are vulnerable from the tree. Please let us know on the other bug if the other branches of NodeJS have been fixed in that bug.
Comment 8 NATTkA bot gentoo-dev 2020-09-28 18:24:55 UTC
Sanity check failed:

> net-libs/nodejs-12.18.4
>   depend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
>     >=net-libs/http-parser-2.9.3:=
>   rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
>     >=net-libs/http-parser-2.9.3:=
>   depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=net-libs/http-parser-2.9.3:=
>   rdepend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=net-libs/http-parser-2.9.3:=
Comment 9 NATTkA bot gentoo-dev 2020-09-28 18:28:59 UTC
All sanity-check issues have been resolved
Comment 10 Sam James archtester gentoo-dev Security 2020-09-29 18:47:53 UTC
arm64 done
Comment 11 NATTkA bot gentoo-dev 2020-09-30 06:28:50 UTC
Unable to check for sanity:

> no match for package: =net-libs/nodejs-12.18.4
Comment 12 NATTkA bot gentoo-dev 2020-09-30 07:24:57 UTC
All sanity-check issues have been resolved
Comment 13 Agostino Sarubbo gentoo-dev 2020-09-30 09:30:32 UTC
amd64 stable
Comment 14 Sam James archtester gentoo-dev Security 2020-10-03 14:52:10 UTC
arm done
Comment 15 Agostino Sarubbo gentoo-dev 2020-10-07 07:25:55 UTC
x86 stable
Comment 16 NATTkA bot gentoo-dev 2020-11-09 15:17:00 UTC
Sanity check failed:

> net-libs/nodejs-14.15.0
>   depend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend ppc stable profile default/linux/powerpc/ppc32/17.0 (19 total)
>     >=dev-libs/libuv-1.40.0:=
>   depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=dev-libs/libuv-1.40.0:=
Comment 17 NATTkA bot gentoo-dev 2020-11-09 15:20:55 UTC
Unable to check for sanity:

> no match for package: =dev-libs/libuv-1.40
Comment 18 Marek Szuba gentoo-dev 2020-11-10 14:44:10 UTC
Adding amd64, arm, arm64 and x86 to the Cc list manually, seems CC-ARCHES didn't work this time.
Comment 19 Sam James archtester gentoo-dev Security 2020-11-10 18:13:31 UTC
*** Bug 753806 has been marked as a duplicate of this bug. ***
Comment 20 Sam James archtester gentoo-dev Security 2020-11-10 21:21:14 UTC
amd64 done
Comment 21 Sam James archtester gentoo-dev Security 2020-11-10 21:32:20 UTC
ppc64 stable
Comment 22 Sam James archtester gentoo-dev Security 2020-11-10 23:49:53 UTC
x86 done
Comment 23 Sam James archtester gentoo-dev Security 2020-11-11 15:35:24 UTC
arm64 done
Comment 24 Sam James archtester gentoo-dev Security 2020-11-11 15:36:22 UTC
arm done
Comment 25 Marek Szuba gentoo-dev 2020-11-11 17:27:06 UTC
Dropping the request for stabilisation on ppc because this architecture is not really supported upstream. In fact, we'll likely soon drop the ppc keyword from nodejs-14 altogether.

However, that means that before we can remove vulnerable nodejs-14 versions from the tree we have to stabilise one of the nodejs-12 ebuilds on ppc to avoid breaking the dependency tree.
Comment 26 NATTkA bot gentoo-dev 2020-11-11 17:28:56 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 27 ernsteiswuerfel 2020-11-11 19:12:50 UTC
(In reply to Marek Szuba from comment #25)
> Dropping the request for stabilisation on ppc because this architecture is
> not really supported upstream. In fact, we'll likely soon drop the ppc
> keyword from nodejs-14 altogether.
> 
> However, that means that before we can remove vulnerable nodejs-14 versions
> from the tree we have to stabilise one of the nodejs-12 ebuilds on ppc to
> avoid breaking the dependency tree.
I may be wrong but I suppose nodejs-14 is in a better state for ppc than nodejs-12... Could run tests to check that out.
Comment 28 Marek Szuba gentoo-dev 2020-11-12 15:50:11 UTC
Please do, at this point it's either stabilising v12 on ppc or removing that keyword from net-libs/nodejs altogether.
Comment 29 ernsteiswuerfel 2020-11-12 20:43:37 UTC
Created attachment 671137 [details]
build.log.xz (nodejs-12.19.0, ppc)

Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on ppc:

[...]
In file included from ../deps/v8/src/objects/visitors.h:9,
                 from ../deps/v8/src/heap/heap.h:33,
                 from ../deps/v8/src/heap/factory.h:16,
                 from ../deps/v8/src/execution/isolate.h:28,
                 from ../deps/v8/src/api/api.h:10,
                 from ../deps/v8/src/api/api-arguments.h:8,
                 from ../deps/v8/src/api/api-arguments.cc:5:
../deps/v8/src/objects/code.h:439:2: error: #error Unknown architecture.
  439 | #error Unknown architecture.
      |  ^~~~~
In file included from ../deps/v8/src/execution/isolate.h:18,
                 from ../deps/v8/src/api/api.h:10,
                 from ../deps/v8/src/api/api-arguments.h:8,
                 from ../deps/v8/src/api/api-arguments.cc:5:
../deps/v8/src/objects/code.h:441:55: error: ‘kHeaderPaddingSize’ was not declared in this scope
  441 |   STATIC_ASSERT(FIELD_SIZE(kOptionalPaddingOffset) == kHeaderPaddingSize);
      |                                                       ^~~~~~~~~~~~~~~~~~
../deps/v8/src/base/macros.h:200:43: note: in definition of macro ‘STATIC_ASSERT’
  200 | #define STATIC_ASSERT(test) static_assert(test, #test)
      |                                           ^~~~
make: *** [tools/v8_gypfiles/v8_base_without_compiler.host.mk:669: /var/tmp/portage/net-libs/nodejs-14.15.0/work/node-v14.15.0/out/Release/obj.host/v8_base_without_compiler/deps/v8/src/api/api-arguments.o] Error 1
Comment 30 ernsteiswuerfel 2020-11-12 20:44:09 UTC
Created attachment 671140 [details]
build.log.xz (nodejs-14.15.0, ppc)
Comment 31 ernsteiswuerfel 2020-11-12 20:53:03 UTC
Though there is some upstream effort to get nodejs in a working state on ppc again: https://chromium-review.googlesource.com/c/v8/v8/+/2083019
Comment 32 Marek Szuba gentoo-dev 2020-11-12 22:26:38 UTC
Oh well, dekeywording it is then. Thanks for having checked this!
Comment 33 Marek Szuba gentoo-dev 2020-11-12 22:49:45 UTC
(In reply to ernsteiswuerfel from comment #29)

> Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on
> ppc:

For completeness, could you test 12.18.4-r1 as well? Turns out there is a chain of dev-ruby ebuilds which will completely break if we drop ppc from net-libs/nodejs keywords.
Comment 34 Larry the Git Cow gentoo-dev 2020-11-13 09:56:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88758984a00b5a3d4f6d256f215f5d4ca47b7a4e

commit 88758984a00b5a3d4f6d256f215f5d4ca47b7a4e
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-13 09:40:32 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-13 09:56:36 +0000

    net-libs/nodejs-14.2.0: drop all keywords except ppc
    
    This version has got known security vulnerabilities but none of the
    others currently in the tree build on 32-bit ppc.
    
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/nodejs-14.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 35 ernsteiswuerfel 2020-11-13 12:40:47 UTC
(In reply to Marek Szuba from comment #33)
> (In reply to ernsteiswuerfel from comment #29)
> 
> > Both nodejs-12.19.0 and nodejs-14.15.0 fail with the same error message on
> > ppc:
> 
> For completeness, could you test 12.18.4-r1 as well? Turns out there is a
> chain of dev-ruby ebuilds which will completely break if we drop ppc from
> net-libs/nodejs keywords.
12.18.4-r1 and also current stable 14.2.0 fail with the same error message for ppc builds. Maybe someone from the ppc/ppc64 team should have a closer look?

On Void Linux the latest stable version for ppc32 is 10.22.0 LTS.
Comment 36 NATTkA bot gentoo-dev 2020-11-17 16:25:08 UTC
Unable to check for sanity:

> no match for package: =net-libs/http-parser-2.9.3
Comment 37 Larry the Git Cow gentoo-dev 2020-11-21 20:26:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0
    
    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.
    
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
Comment 38 Andreas Sturmlechner gentoo-dev 2020-11-21 20:32:33 UTC
The arches you dropped from nodejs are still relevant for dev-libs/libuv-1.40.0.
Comment 39 Marek Szuba gentoo-dev 2020-11-21 20:39:54 UTC
Could you elaborate? Only one arch has been dropped (ppc, which apparently was never officially supported upstream), it is net-libs/nodejs that depends on dev-libs/libuv and not the other way around, and now that dev-ruby/execjs has been fixed neither pkgcheck nor check-revdep show any deptree breakage due to the dekeywording.
Comment 40 Andreas Sturmlechner gentoo-dev 2020-11-21 20:43:58 UTC
I mean that's the downside when you populate the package list with many packages - it would be nice to make sure each of them ends up with a consistent stabilisation even if not all keywords are necessary for the 'title' package. On a security bug, it may be better to simply make dependency bugs then.