Bug 15405 - nodejs new security issue CVE-2015-0278
Summary: nodejs new security issue CVE-2015-0278
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635283/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-02 23:04 CET by David Walser
Modified: 2015-05-05 15:53 CEST (History)
5 users (show)

See Also:
Source RPM: nodejs-0.10.33-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-03-02 23:04:32 CET
Fedora has issued an advisory on February 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html

The issue is in the bundled libuv and is fixed in nodejs 0.10.36.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-02 23:04:44 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Sander Lepik 2015-04-25 21:42:41 CEST
Joseph, you promised to keep nodejs patched for security issues, please confirm that you are still willing to do so or I'm going to drop it for good :)

CC: (none) => mageia

Comment 2 Joseph Wang 2015-04-26 02:03:25 CEST
Will fix
Comment 3 Joseph Wang 2015-04-26 02:13:19 CEST
Fixed in cauldron.  Will update MGA4
Comment 4 David Walser 2015-05-02 17:47:52 CEST
It's not fixed in Cauldron.  Nothing was committed in SVN.
Comment 5 David Walser 2015-05-03 17:30:51 CEST
The libuv versioning confused me.  This CVE was fixed in libuv 0.10.36, which is bundled in nodejs as of nodejs 0.10.37.

nodejs-0.10.38-1.mga5 uploaded for Cauldron fixes this.  Thanks Joseph!

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 6 David Walser 2015-05-03 17:36:15 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated nodejs package fixes security vulnerability:

It was found that libuv does not call setgoups before calling setuid/setgid.
This may potentially allow an attacker to gain elevated privileges
(CVE-2015-0278).

The libuv library is bundled with nodejs, and a fixed version of libuv is
included with nodejs as of version 0.10.37.  The nodejs package has been
updated to version 0.10.38 to fix this issue, as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0278
http://blog.nodejs.org/2014/12/17/node-v0-10-34-stable/
http://blog.nodejs.org/2014/12/23/node-v0-10-35-stable/
http://blog.nodejs.org/2015/01/26/node-v0-10-36-stable/
http://blog.nodejs.org/2015/03/14/node-v0-10-37-stable/
http://blog.nodejs.org/2015/03/23/node-v0-10-38-maintenance/
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150526.html
========================

Updated packages in core/updates_testing:
========================
nodejs-0.10.38-1.mga4

from nodejs-0.10.38-1.mga4.src.rpm

CC: (none) => joequant
Assignee: joequant => qa-bugs

Comment 7 Shlomi Fish 2015-05-04 14:15:41 CEST
There's a test procedure here:

https://bugs.mageia.org/show_bug.cgi?id=11981#c5

CC: (none) => shlomif
Whiteboard: (none) => has_procedure

Comment 8 Shlomi Fish 2015-05-04 14:26:37 CEST
Test procedure runs fine on a MGA4-x86-64 VBox VM. Adding MGA4-64-OK.

Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 9 Shlomi Fish 2015-05-04 14:39:46 CEST
Test procedure works fine on a 32-bit i586 VBox VM too. Adding "MGA4-32-OK".

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Comment 10 claire robinson 2015-05-05 11:07:06 CEST
Thanks Shlomi

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2015-05-05 15:37:31 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0186.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 Oden Eriksson 2015-05-05 15:50:55 CEST
FYI. I tried with libuv-1.4.2 but nodejs-0.10.38 did not like it.

CC: (none) => oe

Comment 13 David Walser 2015-05-05 15:53:56 CEST
I don't know anything about libuv, but v8 is another library that's bundled with nodejs, and I know that it isn't designed to be used as a system library.  I wouldn't be surprised if libuv was the same way.

Note You need to log in before you can comment on or make changes to this bug.