Bug 807775 (CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940) - <net-dns/c-ares-1.17.2 <net-libs/nodejs-{12.22.5:0/12,14.17.5:0/14,16.6.2:0/16}: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa?]
Keywords:
Depends on:
Blocks: 805053 807604 807778
Reported: 2021-08-12 00:07 UTC by Sam James
Modified: 2021-10-17 16:22 UTC (History)

See Also:
Package list:
=net-dns/c-ares-1.17.2 =net-libs/nodejs-12.22.5-r1 amd64 arm arm64 ppc64 x86 =net-libs/nodejs-14.17.5-r1 amd64 arm arm64 ppc64 x86
Runtime testing required: ---
sam: sanity-check+


Description Sam James archtester gentoo-dev Security 2021-08-12 00:07:52 UTC
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
    Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at nvd.nist.gov/vuln/detail/CVE-2021-22931.

CVE-2021-22930: Use after free on close http2 on stream canceling (High)
    Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.

CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
    If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at nvd.nist.gov/vuln/detail/CVE-2021-22939.
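The two failure modes described in the advisory text above (hostnames returned by DNS being used without validation, and a non-boolean value reaching `rejectUnauthorized`) can also be guarded against on the application side, independently of the Node.js fix. The block below is an added example and is not code from Node.js, c-ares or this bug; the function names `isSafeHostname`, `sanitizeDnsResults` and `hardenTlsOptions`, the hostname rule used (RFC 1123 labels) and the sample DNS answers are constructed for illustration.

```javascript
// Added example (not from the Gentoo bug, Node.js or c-ares): application-side
// checks for the two failure modes named in the advisory text.
// Assumed names: isSafeHostname, sanitizeDnsResults, hardenTlsOptions.

// Hostname label rule (RFC 1123 style): 1-63 characters, letters, digits and
// hyphen only, no leading or trailing hyphen. Whole name at most 253 characters.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns true only for a syntactically valid hostname. Anything else coming
// back from a resolver must not be echoed into HTML, headers, commands or logs.
function isSafeHostname(name) {
  if (typeof name !== 'string') return false;
  // A trailing dot (fully qualified form) is allowed and stripped before checking.
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  if (trimmed.length === 0 || trimmed.length > 253) return false;
  return trimmed.split('.').every((label) => LABEL_RE.test(label));
}

// Splits a list of resolver answers into the ones safe to use and the ones to
// drop (and, in a real service, to log for investigation).
function sanitizeDnsResults(hostnames) {
  const safe = [];
  const rejected = [];
  for (const host of hostnames) {
    (isSafeHostname(host) ? safe : rejected).push(host);
  }
  return { safe, rejected };
}

// Only the booleans are acceptable for rejectUnauthorized. A missing key means
// "verify" (true); a key that is present but undefined (a mistyped variable, a
// missing config entry) is treated as a bug and rejected loudly instead of
// silently disabling certificate verification.
function hardenTlsOptions(options = {}) {
  const hardened = { ...options };
  if (!Object.prototype.hasOwnProperty.call(options, 'rejectUnauthorized')) {
    hardened.rejectUnauthorized = true;
    return hardened;
  }
  if (typeof options.rejectUnauthorized !== 'boolean') {
    throw new TypeError(
      `rejectUnauthorized must be a boolean, got ${String(options.rejectUnauthorized)}`
    );
  }
  return hardened;
}

// Constructed sample resolver answers (not real DNS data).
const sampleAnswers = [
  'api.example.com',
  'mail.example.com.',
  'host name.example.com',   // embedded space
  '-leading.example.com',    // label starts with a hyphen
  'a'.repeat(64) + '.example.com', // label too long
];
console.log(sanitizeDnsResults(sampleAnswers));
console.log(hardenTlsOptions({ servername: 'api.example.com' }));
```

`hardenTlsOptions` is deliberately stricter than the fixed Node.js behaviour: rather than mapping `undefined` to the default, it refuses it, so a configuration mistake surfaces as an exception during development instead of as a silently weakened TLS client.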
Comment 1 Sam James archtester gentoo-dev Security 2021-08-12 00:11:35 UTC
We unbundle c-ares so not sure about the first two(?) CVEs. That said, we try to unbundle libuv, but it's been fraught with risk before. So, let's treat it as if it is bundled...
Comment 2 Sam James archtester gentoo-dev Security 2021-08-12 00:15:23 UTC
Please bump to 14.17.5 and friends.
Comment 3 Marek Szuba archtester gentoo-dev 2021-08-12 08:06:08 UTC
Looks like nodejs upstream now uses a custom version of bundled c-ares which uses different headers than the version we have got packaged - 12.22.5, 14.17.5 and 16.6.2 all fail to build due to

cares_wrap.cc: fatal error: ares_nameser.h: No such file or directory

This file is present in neither net-dns/c-ares-1.17.{1,2} nor the c-ares Git master.

Unfortunately real-life priorities prevent me from pursuing this any further at the moment.
Comment 4 Marek Szuba archtester gentoo-dev 2021-08-13 17:37:05 UTC
Good to go; I assume we haven't switched to the decoupled workflow yet so I'm populating the package list in this bug. Moreover, from now on, Node.js ebuilds will, in src_prepare, delete bundled dependencies which are not supposed to be used.
Comment 5 Sam James archtester gentoo-dev Security 2021-08-14 03:50:03 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-08-14 03:53:59 UTC
(In reply to Marek Szuba from comment #4)
> Good to go; I assume we haven't switched to the decoupled work flow yet so
> I'm populating the package list in this bug. Moreover, from now Node.js
> ebuilds will, in src_prepare, delete bundled dependencies which are not
> supposed to be used.

Thank you! (Both for this and the update previously. It is very much appreciated!)
Comment 7 Rolf Eike Beer archtester 2021-08-16 07:50:15 UTC
sparc done
Comment 8 John Helmert III gentoo-dev Security 2021-08-16 23:11:34 UTC
CVE-2021-22940:

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Comment 9 Rolf Eike Beer archtester 2021-08-17 18:58:28 UTC
hppa done
Comment 10 Sam James archtester gentoo-dev Security 2021-08-17 21:38:15 UTC
ppc done
Comment 11 Sam James archtester gentoo-dev Security 2021-09-07 01:19:03 UTC
ppc64 done
Comment 12 Sam James archtester gentoo-dev Security 2021-09-07 01:19:05 UTC
arm done
Comment 13 Sam James archtester gentoo-dev Security 2021-09-07 01:19:07 UTC
arm64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-09-07 01:19:09 UTC
x86 done

all arches done
Comment 15 Sam James archtester gentoo-dev Security 2021-09-07 01:20:34 UTC
Please cleanup, thanks!
Comment 16 Anthony Basile gentoo-dev 2021-09-07 18:18:08 UTC
(In reply to Sam James from comment #15)
> Please cleanup, thanks!

The vulnerable version of c-ares is off the tree.