Comment 1 Sam James 2021-08-12 00:11:35 UTC

We unbundle c-ares so not sure about the first two(?) CVEs. That said, we try to unbundle libuv, but it's been frought with risk before. So, let's treat it as if it is bundled...

Comment 2 Sam James 2021-08-12 00:15:23 UTC

Please bump to 14.17.5 and friends.

Comment 3 Marek Szuba 2021-08-12 08:06:08 UTC

Looks like nodejs upstream now uses a custom version of bundled c-ares which is uses different headers than the version we have got packaged - 12.22.5, 14.17.5 and 16.6.2 all fail to build due to

cares_wrap.cc: fatal error: ares_nameser.h: No such file or directory

This file is present in neither net-dns/c-ares-1.17.{1,2} nor the c-ares Git master.

Unfortunately real-life priorities prevent me from pursuing this any further at the moment.

Comment 4 Marek Szuba 2021-08-13 17:37:05 UTC

Good to go; I assume we haven't switched to the decoupled work flow yet so I'm populating the package list in this bug. Moreover, from now Node.js ebuilds will, in src_prepare, delete bundled dependencies which are not supposed to be used.

Comment 5 Sam James 2021-08-14 03:50:03 UTC

amd64 done

Comment 6 Sam James 2021-08-14 03:53:59 UTC

(In reply to Marek Szuba from comment #4)
> Good to go; I assume we haven't switched to the decoupled work flow yet so
> I'm populating the package list in this bug. Moreover, from now Node.js
> ebuilds will, in src_prepare, delete bundled dependencies which are not
> supposed to be used.

Thank you! (Both for this and the update previously. It is very much appreciated!)

Comment 7 Rolf Eike Beer 2021-08-16 07:50:15 UTC

sparc done

Comment 8 John Helmert III 2021-08-16 23:11:34 UTC

CVE-2021-22940:

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Comment 9 Rolf Eike Beer 2021-08-17 18:58:28 UTC

hppa done

Comment 10 Sam James 2021-08-17 21:38:15 UTC

ppc done

Comment 11 Sam James 2021-09-07 01:19:03 UTC

ppc64 done

Comment 12 Sam James 2021-09-07 01:19:05 UTC

arm done

Comment 13 Sam James 2021-09-07 01:19:07 UTC

arm64 done

Comment 14 Sam James 2021-09-07 01:19:09 UTC

x86 done

all arches done

Comment 15 Sam James 2021-09-07 01:20:34 UTC

Please cleanup, thanks!

Comment 16 Anthony Basile 2021-09-07 18:18:08 UTC

(In reply to Sam James from comment #15)
> Please cleanup, thanks!

The vulnerable version of c-ares is off the tree.

Comment 17 Larry the Git Cow 2024-01-05 09:28:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce

commit c2152e9dc06608bf6a50d3bdd22ee8bd8bf222ce
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-05 09:27:33 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-05 09:28:02 +0000

    [ GLSA 202401-02 ] c-ares: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/807604
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/892489
    Bug: https://bugs.gentoo.org/905341
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-02.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

Comment 18 John Helmert III 2024-01-14 21:52:09 UTC

Looks like we never GLSA'd nodejs here but it's in an existing request anyway.