Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 807775 (CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940) - <net-dns/c-ares-1.17.2 <net-libs/nodejs-{12.22.5:0/12,14.17.5:0/14,16.6.2:0/16}: Multiple vulnerabilities
Summary: <net-dns/c-ares-1.17.2 <net-libs/nodejs-{12.22.5:0/12,14.17.5:0/14,16.6.2:0/1...
Status: RESOLVED FIXED
Alias: CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on:
Blocks: 805053 CVE-2021-3672 807778
  Show dependency tree
 
Reported: 2021-08-12 00:07 UTC by Sam James
Modified: 2024-05-08 11:19 UTC (History)
3 users (show)

See Also:
Package list:
=net-dns/c-ares-1.17.2 =net-libs/nodejs-12.22.5-r1 amd64 arm arm64 ppc64 x86 =net-libs/nodejs-14.17.5-r1 amd64 arm arm64 ppc64 x86
Runtime testing required: ---
sam: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-12 00:07:52 UTC
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
        Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at nvd.nist.gov/vuln/detail/CVE-2021-22931.

    CVE-2021-22930: Use after free on close http2 on stream canceling (High)
        Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.

    CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
        If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at nvd.nist.gov/vuln/detail/CVE-2021-22939.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-12 00:11:35 UTC
We unbundle c-ares so not sure about the first two(?) CVEs. That said, we try to unbundle libuv, but it's been frought with risk before. So, let's treat it as if it is bundled...
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-12 00:15:23 UTC
Please bump to 14.17.5 and friends.
Comment 3 Marek Szuba (RETIRED) archtester gentoo-dev 2021-08-12 08:06:08 UTC
Looks like nodejs upstream now uses a custom version of bundled c-ares which is uses different headers than the version we have got packaged - 12.22.5, 14.17.5 and 16.6.2 all fail to build due to

cares_wrap.cc: fatal error: ares_nameser.h: No such file or directory

This file is present in neither net-dns/c-ares-1.17.{1,2} nor the c-ares Git master.

Unfortunately real-life priorities prevent me from pursuing this any further at the moment.
Comment 4 Marek Szuba (RETIRED) archtester gentoo-dev 2021-08-13 17:37:05 UTC
Good to go; I assume we haven't switched to the decoupled work flow yet so I'm populating the package list in this bug. Moreover, from now Node.js ebuilds will, in src_prepare, delete bundled dependencies which are not supposed to be used.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-14 03:50:03 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-14 03:53:59 UTC
(In reply to Marek Szuba from comment #4)
> Good to go; I assume we haven't switched to the decoupled work flow yet so
> I'm populating the package list in this bug. Moreover, from now Node.js
> ebuilds will, in src_prepare, delete bundled dependencies which are not
> supposed to be used.

Thank you! (Both for this and the update previously. It is very much appreciated!)
Comment 7 Rolf Eike Beer archtester 2021-08-16 07:50:15 UTC
sparc done
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-16 23:11:34 UTC
CVE-2021-22940:

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Comment 9 Rolf Eike Beer archtester 2021-08-17 18:58:28 UTC
hppa done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-17 21:38:15 UTC
ppc done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:19:03 UTC
ppc64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:19:05 UTC
arm done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:19:07 UTC
arm64 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:19:09 UTC
x86 done

all arches done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-09-07 01:20:34 UTC
Please cleanup, thanks!
Comment 16 Anthony Basile gentoo-dev 2021-09-07 18:18:08 UTC
(In reply to Sam James from comment #15)
> Please cleanup, thanks!

The vulnerable version of c-ares is off the tree.
Comment 17 Larry the Git Cow gentoo-dev 2024-01-05 09:28:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce

commit c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 09:27:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 09:28:02 +0000

    [ GLSA 202401-02 ] c-ares: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/807604
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/892489
    Bug: https://bugs.gentoo.org/905341
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-02.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 21:52:09 UTC
Looks like we never GLSA'd nodejs here but it's in an existing request anyway.
Comment 19 Larry the Git Cow gentoo-dev 2024-05-08 11:16:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1

commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 11:16:15 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 11:16:37 +0000

    [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/772422
    Bug: https://bugs.gentoo.org/781704
    Bug: https://bugs.gentoo.org/800986
    Bug: https://bugs.gentoo.org/805053
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/811273
    Bug: https://bugs.gentoo.org/817938
    Bug: https://bugs.gentoo.org/831037
    Bug: https://bugs.gentoo.org/835615
    Bug: https://bugs.gentoo.org/857111
    Bug: https://bugs.gentoo.org/865627
    Bug: https://bugs.gentoo.org/872692
    Bug: https://bugs.gentoo.org/879617
    Bug: https://bugs.gentoo.org/918086
    Bug: https://bugs.gentoo.org/918614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)