Bug 29112

Summary: Puddletag security issue - CVE-2021-23358
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: puddletag-2.0.1-2.mga8.src.rpm CVE: CVE-2021-23358
Status comment:

Description Stig-Ørjan Smelror 2021-06-12 01:17:56 CEST 
Upstream has made a fix for CVE-2021-23358 on 2021-05-23.

https://github.com/puddletag/puddletag/commit/0a20591c08818956b5f694b3467b6795004ec199
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
Comment 1 Stig-Ørjan Smelror 2021-06-12 01:22:54 CEST 
Advisory
========

Puddletag has been updated to fix a security issue in the underscore module.

References
==========
https://github.com/puddletag/puddletag/commit/0a20591c08818956b5f694b3467b6795004ec199
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Files
=====

Uploaded to core/updates_testing

puddletag-2.0.2-0.git20210523.1.mga8

from puddletag-2.0.2-0.git20210523.1.mga8.src.rpm

Assignee: smelror => qa-bugs
Status comment: (none) => Fixed upstream in git, but not yet in a release
CVE: (none) => CVE-2021-23358

Comment 2 David Walser 2021-06-12 01:54:58 CEST 
We have nodejs-underscore packaged, and the CVE is for that (see Bug 28984).  If puddletag is bundling it, you should unbundle it and fix it in the nodejs-underscore package.

Keywords: (none) => feedback

Comment 3 Stig-Ørjan Smelror 2021-06-12 09:02:00 CEST 
(In reply to David Walser from comment #2)
> We have nodejs-underscore packaged, and the CVE is for that (see Bug 28984).
> If puddletag is bundling it, you should unbundle it and fix it in the
> nodejs-underscore package.

If you mean "nodejs-underscore-dot-string-2.3.1-4.mga8.noarch", then it looks like it's not the same as the one updated in Puddletag.

https://www.npmjs.com/package/underscore
Comment 4 David Walser 2021-06-13 00:59:12 CEST 
No I don't mean dot-string.  See the nodejs-underscore package itself (and js-underscore).
Comment 5 Stig-Ørjan Smelror 2021-06-13 12:11:53 CEST 
(In reply to David Walser from comment #4)
> No I don't mean dot-string.  See the nodejs-underscore package itself (and
> js-underscore).

I've searched mga8 and can't find it anywhere.

On https://ftp.acc.umu.se/mirror/mageia/distrib/8/SRPMS/core/release/ I can only see
nodejs-underscore-dot-string-2.3.1-4.mga8.src.rpm
perl-lexical-underscore-0.4.0-3.mga8.src.rpm
Comment 6 Dave Hodgins 2021-06-13 16:52:29 CEST 
(In reply to David Walser from comment #4)
> No I don't mean dot-string.  See the nodejs-underscore package itself (and
> js-underscore).

Dropped in Mageia 8?

In Mageia 7 ...
$ urpmq -y underscore|sort -u
js-underscore
nodejs-underscore
nodejs-underscore-dot-string
perl-lexical-underscore

In Mageia 8 ...
]$ urpmq -y underscore|sort -u
nodejs-underscore-dot-string
perl-lexical-underscore

CC: (none) => davidwhodgins

Comment 7 David Walser 2021-06-13 18:48:12 CEST 
Well that's weird!  My local Cauldron mirror is from shortly before Mageia 8 was released (January 15, release was on February 28), and it's on there.  I see it isn't in Cauldron or Mageia 8 now, but it's also not in task-obsolete and it wasn't moved to obsolete in SVN.  I have no idea what happened to it.

Keywords: feedback => (none)
Status comment: Fixed upstream in git, but not yet in a release => (none)

Comment 8 Dave Hodgins 2021-06-13 19:35:24 CEST 
https://ml.mageia.org/l/arc/dev/2021-02/msg00173.html

Bulk dropping of packages due to build failures.
Comment 9 David Walser 2021-06-13 19:57:52 CEST 
I don't see anything there about it being dropped, or how.  Maybe a sysadmin deleted a bunch of them.
Comment 10 Dave Hodgins 2021-06-13 21:46:33 CEST 
That's the last reference I found to nodejs-underscore prior to this bug report
in any of the mailing lists I have archived which includes both dev and sysadmin
discuss lists.

It's not listed in http://svnweb.mageia.org/packages/obsolete/?sortby=file&dir_pagestart=1700

Adding sysadmin team to cc list.

For sysadmins, when/how was the nodejs-underscore srpm removed from Mageia 8?

Is there a complete list of all of the srpms removed at that time?

CC: (none) => sysadmin-bugs

Comment 11 David Walser 2021-06-13 22:31:13 CEST 
It's fine that it's gone, just a bit puzzling.
Comment 12 Thomas Andrews 2021-06-18 02:39:15 CEST 
Since there has been no further debate on the fate of nodejs-underscore, I'm going ahead with this. Tested in a VirtualBox mga8-64 Plasma guest. 

Installed puddletag and its numerous dependencies, 46 packages in all. No installation issues. Got the update with qarepo, and updated. Again, no installation issues.

Before trying this, I didn't even know that "tagging" music files was a thing, so I don't know the finer points of the process. However, I did run puddletag, loaded a directory into it, and played with some of the fields of a couple of files.

It didn't crash, and seemed to be doing what it's supposed to do. Calling that good enough. OKing, and validating. Advisory in Comment 1.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm

Thomas Backlund 2021-06-18 20:11:44 CEST

Keywords: (none) => advisory

Comment 13 Mageia Robot 2021-06-18 21:26:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0269.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED