Bug 807610 (CVE-2020-23171, CVE-2021-41259) - dev-lang/nim: multiple vulnerabilities
Summary: dev-lang/nim: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2020-23171, CVE-2021-41259
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/nim-lang/zip/issue...
Whiteboard: ~4 [upstream]
Reported: 2021-08-10 19:59 UTC by John Helmert III
Modified: 2021-11-13 00:58 UTC

Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-08-10 19:59:04 UTC
CVE-2020-23171:

A vulnerability in all versions of Nim-lang allows unauthenticated attackers to write files to arbitrary directories via a crafted zip file with dot-slash characters included in the name of the crafted file.


In this case, it seems like the CVE description is accurate and all versions
are indeed vulnerable.
Comment 1 John Helmert III gentoo-dev Security 2021-11-13 00:58:31 UTC
CVE-2021-41259 (https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc):

Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use null bytes to bypass the check and mount an SSRF attack.
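
A guard for the null-byte issue described in comment 1, as an added example (not code from the Nim project, the advisory or this bug): it rejects NUL and other control bytes on the raw string before `uri.parseUri` sees it, then applies an exact-match allowlist, so the verdict does not depend on how the parser or HTTP client handle an embedded NUL. `checkUrl`, `UrlCheck`, the allowlists and the sample URLs are assumptions constructed for illustration.

```nim
import std/[uri, strutils]

const
  AllowedSchemes = ["http", "https"]
  # Assumption: the only hosts this application may fetch from.
  AllowedHosts = ["localhost", "example.org"]
  # NUL, the other C0 controls, space and DEL never appear raw in a valid URI.
  Forbidden = {'\0'..' ', '\x7f'}

type UrlCheck = object
  ok: bool
  reason: string

proc checkUrl(raw: string): UrlCheck =
  ## Validate the raw bytes first, then parse, then compare against allowlists.
  for i, c in raw:
    if c in Forbidden:
      return UrlCheck(ok: false,
        reason: "forbidden byte 0x" & toHex(ord(c), 2) & " at offset " & $i)
  let u = parseUri(raw)
  if u.scheme.toLowerAscii notin AllowedSchemes:
    return UrlCheck(ok: false, reason: "scheme not allowed: " & u.scheme)
  # Exact match only, so no partial match on the hostname can pass.
  if u.hostname.toLowerAscii notin AllowedHosts:
    return UrlCheck(ok: false, reason: "host not allowed: " & u.hostname)
  UrlCheck(ok: true, reason: "")

when isMainModule:
  # Constructed sample inputs; the second is the shape quoted in the advisory.
  let samples = [
    "http://example.org/index.html",
    "http://localhost\x00hello",
    "http://example.org\x00.attacker.invalid/",
    "ftp://example.org/file",
    "http://attacker.invalid/"
  ]
  for raw in samples:
    let r = checkUrl(raw)
    let verdict = if r.ok: "ALLOW" else: "DENY "
    echo verdict, " ", raw.escape, " ", r.reason
```

Pass only the string that `checkUrl` accepted to the HTTP client, not a re-assembled or separately decoded copy.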