| Summary: | nodejs several possible security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | joequant, mageia, pkreuzt, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/625500/ | ||
| Whiteboard: | advisory has_procedure mga4-64-ok mga4-32-ok | ||
| Source RPM: | nodejs-0.10.28-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-05-15 16:07:40 CEST
David Walser
2014-05-15 16:07:50 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

In addition to this, there seems to be a problem in node.js environment. I have a script written in nodejs javascript and cannot run it directly, need to run "node myscript.js". It claims some file doesn't exist when run with "./myscript.js" (and with a #!/usr/bin/env node at the header).

CC:
(none) =>
pkreuzt

Sorry, forget the preceding message, it was a line ending CR_LF issue caused by pastebin.

Here's a Fedora advisory for v8 that specifically mentions nodejs:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html

from http://lwn.net/Vulnerabilities/608199/

The RedHat bug for that links to the upstream blog post:
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/

(In reply to David Walser from comment #3)
> Here's a Fedora advisory for v8 that specifically mentions nodejs:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-August/
> 136333.html
>
> from http://lwn.net/Vulnerabilities/608199/
>
> The RedHat bug for that links to the upstream blog post:
> http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/

CVE request:
http://openwall.com/lists/oss-security/2014/09/03/3

(In reply to David Walser from comment #4)
> (In reply to David Walser from comment #3)
> > Here's a Fedora advisory for v8 that specifically mentions nodejs:
> > https://lists.fedoraproject.org/pipermail/package-announce/2014-August/
> > 136333.html
> >
> > from http://lwn.net/Vulnerabilities/608199/
> >
> > The RedHat bug for that links to the upstream blog post:
> > http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
>
> CVE request:
> http://openwall.com/lists/oss-security/2014/09/03/3

Response from MITRE:
http://openwall.com/lists/oss-security/2014/09/04/10

This has CVE-2014-5256 and the CVE is for nodejs itself, not v8.

Damien, do you have plans to schedule a nodejs update for stable releases?
CVE request for more security issues:
http://openwall.com/lists/oss-security/2014/09/24/1

CVE request for more security issues:
http://openwall.com/lists/oss-security/2014/09/29/2

And a response:
http://openwall.com/lists/oss-security/2014/09/30/10

Here's the changelog for the current version 0.9.33:
http://nodejs.org/dist/v0.10.33/docs/changelog.html

You can also see that in 0.9.31 they fixed CVE-2013-6668 in v8.

Thierry, I can see that you have imported a long list of packages into cauldron that depend on nodejs. I expect you to fix those security issues here or I'll do the evil move and drop nodejs as a big security concern for mga5 - the package needs a maintainer who cares about security, if we don't have such maintainer we don't need the package either..

CC:
(none) =>
mageia

Version 0.10.33 was recently pushed in Cauldron, so it should be OK there for now.

Mageia 3 and Mageia 4 also have the 0.10 branch, so we should be able to just update it, but I had asked on the dev ml about changes in the Cauldron spec and whether they should or should not be included in the mga3/mga4 update. At the very least, I just need some feedback on that.

CC:
(none) =>
joequant

(In reply to Sander Lepik from comment #10)
> Thierry, I can see that you have imported a long list of packages into
> cauldron that depend on nodejs. I expect you to fix those security issues
> here or I'll do the evil move and drop nodejs as a big security concern for
> mga5 - the package needs a maintainer who cares about security, if we don't
> have such maintainer we don't need the package either..

I've imported them so that we don't have broken deps

So you don't actually care if it's dropped from cauldron completely? As I don't want it to grow into another unmaintained security mess like the java stack currently is. We either have maintainer for it or we won't have it at all. Nobody else seems to care..

I was only interested in the mga5 mass rebuild. I tried to fix as many deps as possible, shrinking broken deps from a 1Mb html page to a 8ko one.

As far as I'm concerned, the nodejs maintainer would be dams.

I think you should check the impacts using "urpmf --requires" for binary deps and "urpmf --requires --synthesis SRPMS/core/release/media_info/synt*cz" for source deps in order to identify which end packages would be affected.

Then you could mail this to dev ml & affected packagers, warning their packages would be at risk b/c of their nodejs deps.

Hardware:
i586 =>
All

I'll update everything to the latest versions.

Upgraded nodejs-js-yaml to latest version to fix CVE-2013-4660

I've requested a freeze push for js-yaml that fixes that issue. nodejs-connect is not in Mageia. All of the outstanding CVEs in this list have been fixed by the version of nodejs in cauldron. I will backport the newest nodejs and js-yaml back into Mageia 4.

nodejs-js-yaml is not in Mageia 4 and neither is nodejs-js-connect. The only package that needs to be backported is nodejs itself, and I've got a build going right now. I'll send out an advisory and reassign the bug to QA.

Also, let me know if there are any orphan packages for the nodejs stack. It turns out that nodejs is a critical piece of functionality for me, and so I will volunteer to maintain that stack.

I have uploaded an updated package for Mageia 4.

Suggested advisory:
========================

Updated nodejs packages fix security vulnerabilities:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing. (CVE-2014-5256)

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-6668)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6668
http://nodejs.org/dist/v0.10.33/docs/changelog.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-5256
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.33-1.mga4

Source RPMs:
nodejs-0.10.33-1.mga4.src.rpm

Reassigning to QA with advisory. I've gone through the other advisories and the nodejs package itself appears to be the only one that is in Mageia 4.

Assignee:
bugsquad =>
qa-bugs

Testing complete mga4 64
Well done Joseph.
$ node -e "console.log(process.versions)"
{ http_parser: '1.0',
node: '0.10.33',
v8: '3.14.5.9',
ares: '1.10.0',
uv: '0.10.29',
zlib: '1.2.8',
modules: '11',
openssl: '1.0.1e' }
$ node -e "console.log('Hello World')"
Hello World
# npm install azure-cli -g
/usr/bin/azure -> /usr/lib/node_modules/azure-cli/bin/azure
azure-cli@0.8.12 /usr/lib/node_modules/azure-cli
├── easy-table@0.0.1
├── eyes@0.1.8
...etc
# azure --help
info: _ _____ _ ___ ___
info: /_\ |_ / | | | _ \ __|
info: _ ___/ _ \__/ /| |_| | / _|___ _ _
info: (___ /_/ \_\/___|\___/|_|_\___| _____)
info: (_______ _ _) _ ______ _)_ _
info: (______________ _ ) (___ _ _)
info:
info: Microsoft Azure: Microsoft's Cloud Platform
info:
info: Tool version 0.8.12
...etc
# npm uninstall azure-cli -g
unbuild azure-cli@0.8.12
# azure --help
-bash: azure: command not found

Whiteboard:
has_procedure =>
has_procedure mga4-64-ok

Thanks Joseph! Great job!

Just some whitespace changes and minor references adjustment to the advisory.

Suggested advisory:
========================

Updated nodejs package fixes security vulnerabilities:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing (CVE-2014-5256).

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Node.js before 0.10.31, allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2013-6668).

The nodejs package has been updated to version 0.10.33 to fix these issues as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6668
http://blog.nodejs.org/2014/07/31/v8-memory-corruption-stack-overflow/
http://nodejs.org/dist/v0.10.33/docs/changelog.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136333.html

Testing complete mga3 32 ermmm mga4 32

Whiteboard:
has_procedure mga4-64-ok =>
has_procedure mga4-64-ok mga4-32-ok

Validating. I'll upload the advisory shortly.

Please push to updates

Thanks

Keywords:
(none) =>
validated_update

Advisory uploaded.

Whiteboard:
has_procedure mga4-64-ok mga4-32-ok =>
advisory has_procedure mga4-64-ok mga4-32-ok

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0516.html

Status:
NEW =>
RESOLVED
David Walser
2014-12-10 19:07:01 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/625500/ |
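
The advisory and the QA check in this thread both depend on which Node.js version is installed. The following is an added example, not part of the bug report, with hypothetical function names: it compares a version string such as the one in `process.versions.node` against the floors the advisory states. It assumes 0.10.33 as the floor for CVE-2014-5256, because the advisory names no earlier fix version for that CVE.

```javascript
// Added example, not part of the bug report. Version floors are taken from the
// advisory text in this thread; the function names are hypothetical.
const ADVISORY_FLOORS = [
  // "Google V8 before 3.24.35.10, as used in Node.js before 0.10.31"
  { cve: 'CVE-2013-6668', fixedIn: '0.10.31' },
  // The advisory names no upstream fix version for this CVE; 0.10.33 is the
  // package version it ships, used here as a conservative floor (assumption).
  { cve: 'CVE-2014-5256', fixedIn: '0.10.33' },
];

// Parse "0.10.33" or "v0.10.33" into [0, 10, 33]; reject anything else so a
// malformed string is never silently treated as "new enough".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  if (!m) throw new Error('unrecognised version string: ' + text);
  return m.slice(1).map(Number);
}

// Numeric, field-by-field comparison. A plain string compare gets this wrong:
// '0.10.9' > '0.10.33' lexically, although 9 < 33.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return the CVEs from the advisory that a given Node.js version still lacks.
function auditNode(version) {
  const missing = ADVISORY_FLOORS
    .filter((f) => compareVersions(version, f.fixedIn) < 0)
    .map((f) => f.cve);
  return { version: String(version).trim(), missing, ok: missing.length === 0 };
}

// Constructed sample inputs: the pre-update source RPM version from this bug,
// an intermediate release, and the version QA validated.
for (const v of ['0.10.28', '0.10.31', 'v0.10.33']) {
  const r = auditNode(v);
  console.log(r.version, r.ok ? 'OK' : 'missing fixes for ' + r.missing.join(', '));
}
```
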