Bug 754942 - <net-libs/nodejs-{12.19.1, 14.15.1}: Denial of service in bundled net-dns/c-ares
Summary: <net-libs/nodejs-{12.19.1, 14.15.1}: Denial of service in bundled net-dns/c-ares
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2020-8277
Reported: 2020-11-16 16:53 UTC by Sam James
Modified: 2021-01-11 09:17 UTC
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester gentoo-dev Security 2020-11-16 16:53:48 UTC
See tracker bug. Fixed in 15.2.1 (not in tree), 14.15.1, 12.19.1 upstream.
Comment 1 Larry the Git Cow gentoo-dev 2020-11-16 17:38:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db67e73440f7da405fe85ed291678fac83f6490

commit 3db67e73440f7da405fe85ed291678fac83f6490
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-16 17:36:11 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-16 17:38:13 +0000

    net-libs/nodejs: bump to 12.19.1 and 14.15.1
    
    Security updates due to CVE-2020-8277.
    
    Bug: https://bugs.gentoo.org/754942
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                           |   3 +-
 ...nodejs-12.19.0.ebuild => nodejs-12.19.1.ebuild} |   0
 net-libs/nodejs/nodejs-14.15.1.ebuild              | 202 +++++++++++++++++++++
 3 files changed, 204 insertions(+), 1 deletion(-)
Comment 2 Marek Szuba gentoo-dev 2020-11-16 17:49:07 UTC
I haven't checked the code but judging from the timestamps mentioned in the upstream bug, nodejs-14.2.0 is vulnerable to this as well - meaning we will have a vulnerable version in the tree until the dev-ruby/execjs dependency chain on ppc has been given an alternative JavaScript runtime. Of course with said version having lost all keywords except ppc and not building on that architecture, the risk is limited.
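The fixed versions named on this bug (12.19.1 and 14.15.1 in the tree, 15.2.1 upstream only) and the note that 14.2.0 is still affected translate into a per-release-line version check. The following is an added example, not code from the bug or from the Gentoo nodejs ebuilds; it assumes that every version below the fixed one on a given release line is affected, and it deliberately reports release lines this bug does not mention as "unknown" rather than safe.

```python
import re

# Fixed versions per Node.js release line, as stated on this bug.
# Treating everything below each threshold as affected is an assumption
# made for this example; the bug itself only names the fixed versions
# and calls out 14.2.0 as vulnerable.
FIXED_VERSIONS = {
    12: (12, 19, 1),
    14: (14, 15, 1),
    15: (15, 2, 1),   # upstream fix, not in the Gentoo tree at the time
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'v14.15.0' or '14.15.0' (as printed by `node --version`) into
    a comparable (major, minor, patch) tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Node.js release version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assessment(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one installed version.

    'unknown' covers release lines this bug says nothing about (10.x, 16.x,
    ...); those need their own check and must not be reported as safe."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "affected"


def assess_many(versions: list) -> dict:
    """Assess a list of versions, e.g. collected from several hosts."""
    return {v: assessment(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample input: versions named on this bug plus neighbours.
    sample = ["v12.19.0", "v12.19.1", "v14.2.0", "v14.15.0",
              "v14.15.1", "v15.2.1", "v16.0.0"]
    for v, verdict in assess_many(sample).items():
        print(f"{v:>9}: {verdict}")
```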
Comment 3 Sam James archtester gentoo-dev Security 2020-11-16 19:18:11 UTC
(In reply to Marek Szuba from comment #2)
> I haven't checked the code but judging from the timestamps mentioned in the
> upstream bug, nodejs-14.2.0 is vulnerable to this as well - meaning we will
> have a vulnerable version in the tree until the dev-ruby/execjs dependency
> chain on ppc has been given an alternative JavaScript runtime. Of course
> with said version having lost all keywords except ppc and not building on
> that architecture, the risk is limited.

I'm going to shift the blocker to See Also just because some tooling will ignore bugs with a blocker, but it is technically one for the bug, so I'll move it back later.

Are we ready to start stabling given the minimal changes?
Comment 4 Marek Szuba gentoo-dev 2020-11-16 20:49:18 UTC
Fine by me. 14.15.1 could probably be fast-tracked given we have only just stabilised 14.15.0, in case of 12.19.1 it wouldn't hurt to build-test it on each arch because we did not get to stabilise 12.19.0 in time.
Comment 5 Sam James archtester gentoo-dev Security 2020-11-16 21:02:01 UTC
(In reply to Marek Szuba from comment #4)
> Fine by me. 14.15.1 could probably be fast-tracked given we have only just
> stabilised 14.15.0, in case of 12.19.1 it wouldn't hurt to build-test it on
> each arch because we did not get to stabilise 12.19.0 in time.

Thanks! Yeah, we always "test properly" unless there's something really serious (like some exploited-in-the-wild browser vulnerability where minimal stuff changed).
Comment 6 Agostino Sarubbo gentoo-dev 2020-11-17 18:45:27 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-11-17 19:19:29 UTC
x86 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-11-18 09:11:31 UTC
arm done
Comment 9 Sam James archtester gentoo-dev Security 2020-11-18 09:12:03 UTC
arm64 done
Comment 10 Marek Szuba gentoo-dev 2021-01-04 21:43:07 UTC
Lagging ppc64 stabilisation no longer needed due to new vulnerabilities having been announced which affect the versions at hand.
Comment 11 NATTkA bot gentoo-dev 2021-01-04 21:44:56 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 12 John Helmert III (ajak) 2021-01-04 22:52:51 UTC
(In reply to Marek Szuba from comment #10)
> Lagging ppc64 stabilisation no longer needed due to new vulnerabilities
> having been announced which affect the versions at hand.

Thank you! For this bug, cleanup doesn't seem to be done for the 14.15 branch though.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:17:07 UTC
This issue was resolved and addressed in GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07 by GLSA coordinator Sam James (sam_c).