Bug 24792

Summary: Security issue in nodejs-js-yaml
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, tarazed25, tmb
Version: 6Keywords: feedback
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment: Version 3,13,1 has been pushed to Cauldron

Description Stig-Ørjan Smelror 2019-05-08 19:58:45 CEST 
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480
Comment 1 Stig-Ørjan Smelror 2019-05-10 09:55:14 CEST 
Advisory
========

nodejs-js-yaml has been updated to fix a security issue.

References
==========
https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480

Files
=====

Uploaded to core/updates_testing

nodejs-fs.realpath-1.0.0-2.mga6
from nodejs-fs.realpath-1.0.0-2.mga6.src.rpm

nodejs-js-yaml-3.13.1-1.mga6
from nodejs-js-yaml-3.13.1-1.mga6.src.rpm

Assignee: smelror => qa-bugs
Status comment: (none) => Version 3,13,1 has been pushed to Cauldron

Comment 2 Len Lawrence 2019-06-12 00:17:45 CEST 
Cannot find either of these packages in release.
Enabled updates testing

# urpmi nodejs-fs.realpath
    http://ftp.fi.muni.cz/pub/linux/mageia/distrib/6/x86_64/media/core/updates_testing/nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm
installing nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: nodejs-fs.realpath    #############################################
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])
# npm install esprima -g
/usr/bin/esparse -> /usr/lib/node_modules/esprima/bin/esparse.js
/usr/bin/esvalidate -> /usr/lib/node_modules/esprima/bin/esvalidate.js
/usr/lib
└── esprima@4.0.1 
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])

Help!

CC: (none) => tarazed25
Keywords: (none) => feedback

Comment 3 Len Lawrence 2019-06-12 00:30:38 CEST 
Follow up on comment 2.
There is a package nodejs-esprima-2.7.2-1.mga6.noarch already installed.
Presumably that needs updating as well.
Comment 4 Len Lawrence 2019-06-12 08:18:06 CEST 
Looking at the bundled modules tree
$ npm ls -g
shows some that are invalid.

├─┬ argparse@1.0.3
│ ├── lodash@3.10.1 -> /usr/lib/node_modules/lodash
│ ├── sprintf-js@1.0.3 -> /usr/lib/node_modules/sprintf-js
│ └── underscore@1.8.3 -> /usr/lib/node_modules/underscore invalid

├─┬ js-yaml@3.5.2
│ ├── argparse@1.0.3 -> /usr/lib/node_modules/argparse
│ └── esprima@4.0.1 -> /usr/lib/node_modules/esprima invalid

npm ERR! invalid: underscore@1.8.3 /usr/lib/node_modules/argparse/node_modules/underscore
npm ERR! invalid: esprima@4.0.1 /usr/lib/node_modules/js-yaml/node_modules/esprima
Comment 5 Len Lawrence 2019-06-15 12:18:44 CEST 
A question: should these modules be noarch and if so should 32-bit updates testing be enabled?
Comment 6 Thomas Andrews 2019-09-14 05:12:07 CEST 
Len asked for some feedback three months ago. Could we get a response to his question? It would be nice to be able to clear this before M6 goes EOL...

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2019-09-14 05:41:09 CEST 
Len, the QARepo tool just found both of those packages for me in the 64-bit testing repositories. Both are indeed noarch.

Unfortunately, I don't have a clue about how to test them.
Comment 8 Thomas Andrews 2019-09-14 05:47:58 CEST 
FWIW, https://madb.mageia.org/tools/listRpmsForQaBug/bugnum/24792/application/0 only lists the nodejs-fs.realpath package. It does not mention the nodejs-js-yaml package at all.
Comment 9 Len Lawrence 2019-09-14 10:22:13 CEST 
Back to the beginning.
Removed nodejs and 10 other related packages.
Installed nodejs from scratch, nodejs-js-yaml and nodejs-fs.realpath.

Enabled updates testing for 64bits and updated nodejs-fs.realpath successfully but:
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(argparse)[>= 1.0.7])

This is the state of play:
# rpm -qa | grep nodejs
nodejs-underscore-1.8.3-1.mga6
nodejs-argparse-1.0.3-3.mga6
nodejs-sprintf-js-1.0.3-5.mga6
nodejs-6.10.3-2.mga6
nodejs-js-yaml-3.5.2-3.mga6
nodejs-esprima-2.7.2-1.mga6
nodejs-lodash-3.10.1-7.mga6
nodejs-fs.realpath-1.0.0-2.mga6

Most of those were pulled in when nodejs was reinstalled.  So, is it a bundling problem? 

Does 'npm install' use Mageia repositories?  I am assuming not because although later packages can be installed that way, the rpm database does not seem to be updated.  Unbundled packages seem to be invisible so the problem seems to be missing dependencies or not all required packages having updated versions.  I am not a packager so for me this is all guesswork (hence the "seems").
Comment 10 Len Lawrence 2019-09-17 21:46:35 CEST 
Continuing from comment 9;

$ urpmq --requires nodejs-js-yaml
nodejs
nodejs(engine)
npm(argparse)[>= 1.0.2]
npm(argparse)[< 2]
npm(esprima)[>= 2.6.0]
npm(esprima)[< 3]

This is getting very confusing - e.g. compare the argparse statement in comment 9 with the above.
Comment 11 Thomas Backlund 2019-10-02 22:44:44 CEST 
Mga 6 EOL

CC: (none) => tmb
Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 12 David Walser 2019-10-03 13:59:08 CEST 
Please use OLD for EOL.

Resolution: WONTFIX => OLD

Comment 13 Thomas Backlund 2019-10-03 14:04:01 CEST 
Ah, indeed. Thanks