Bug 27901

Summary: nodejs-ini new security issue CVE-2020-7788
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: nodejs-ini-1.3.5-2.mga7.src.rpm CVE: CVE-2020-7788
Status comment:

Description David Walser 2020-12-22 17:19:55 CET 
Debian-LTS has issued an advisory on December 21:
https://www.debian.org/lts/security/2020/dla-2503

The issue is fixed upstream in 1.3.6.

Mageia 7 is also affected.
David Walser 2020-12-22 17:42:25 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-22 20:37:35 CET 
Assigning to Stig for this SRPM.

Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-25 18:42:04 CET 
fixed in cauldron by updating to version 1.3.8

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2020-12-25 19:43:55 CET 
updated in mga7 ( to 1.3 branch , to make sure we do not break other nodejs deps )
src: 
    nodejs-ini-1.3.8-1.mga7

Assignee: smelror => qa-bugs

Comment 4 David Walser 2020-12-25 19:55:00 CET 
Advisory:
========================

Updated nodejs-ini package fixes security vulnerability:

It was discovered that there was an issue in nodejs-ini, where an application
could be exploited by a malicious input file. This affects the package ini
before 1.3.6. If an attacker submits a malicious INI file to an application
that parses it with ini.parse, they will pollute the prototype on the
application. This can be exploited further depending on the context
(CVE-2020-7788).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
https://www.debian.org/lts/security/2020/dla-2503
========================

Updated packages in core/updates_testing:
========================
nodejs-ini-1.3.8-1.mga7

from nodejs-ini-1.3.8-1.mga7.src.rpm
Comment 5 Len Lawrence 2020-12-30 21:07:21 CET 
mga7, x86_64

Installed nodejs files before updating.

CVE-2020-7788
https://snyk.io/vuln/SNYK-JS-INI-1048974
$ cat payload.ini
[__proto__]
polluted = "polluted"
$ cat poc.js
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

The test is to use nodejs interactively - this is what is expected:
$ node
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

But this is what happens here:
$ node
> node poc.js
Thrown:
node poc.js
     ^^^

SyntaxError: Unexpected identifier
> poc.js
Thrown:
ReferenceError: poc is not defined
> .exit

Cannot figure out what is going on here.  The REPL definitely works so maybe my interpretation of the PoC procedure is wrong.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-01-02 23:45:26 CET 
Running the PoC code explicitly in the REPL does not work.
$ node
> var fs = require('fs')
undefined
> var ini = require('ini')
Thrown:
{ Error: Cannot find module 'ini'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
    at Function.Module._load (internal/modules/cjs/loader.js:562:25)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18) code: 'MODULE_NOT_FOUND' }
> 
> var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
Thrown:
TypeError: Cannot read property 'parse' of undefined
> console.log(parsed)
undefined
undefined
> console.log(parsed.__proto__)
Thrown:
TypeError: Cannot read property '__proto__' of undefined
> console.log(polluted)
Thrown:
ReferenceError: polluted is not defined
> .exit
Comment 7 Aurelien Oudelet 2021-02-04 18:59:46 CET 
Ping?

CC: (none) => ouaurelien
Source RPM: nodejs-ini-1.3.5-3.mga8.src.rpm => nodejs-ini-1.3.5-2.mga7.src.rpm
CVE: (none) => CVE-2020-7788

Comment 8 Brian Rockwell 2021-02-05 01:02:05 CET 
Feb 04 13:41:53 localhost [RPM][5804]: install nodejs-libs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:41:53 localhost [RPM][5804]: install nodejs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:33 localhost [RPM][5804]: install nodejs-packaging-9-2.mga7.noarch: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-libs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-packaging-9-2.mga7.noarch: success
Feb 04 13:42:56 localhost [RPM][5804]: install nodejs-devel-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-docs-1:10.23.1-10.mga7.noarch: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-devel-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-docs-1:10.23.1-10.mga7.noarch: success

note other modules include nbm were installed.

set up a multi-user game and tested some basic server functionality.

Working as designed for me.

CC: (none) => brtians1

Comment 9 Aurelien Oudelet 2021-02-05 11:10:33 CET 
So, MGA7-64-OK on behalf comment 8.

Validating.
Advisory flushed to SVN.
Aurelien Oudelet 2021-02-05 11:10:44 CET

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2021-02-05 12:56:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0068.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED