Bug 24792 - Security issue in nodejs-js-yaml
Summary: Security issue in nodejs-js-yaml
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2019-05-08 19:58 CEST by Stig-Ørjan Smelror
Modified: 2019-06-15 12:18 CEST
CC List: 1 user

See Also:
Source RPM:
CVE:
Status comment: Version 3,13,1 has been pushed to Cauldron


Attachments

Description Stig-Ørjan Smelror 2019-05-08 19:58:45 CEST
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480
Comment 1 Stig-Ørjan Smelror 2019-05-10 09:55:14 CEST
Advisory
========

nodejs-js-yaml has been updated to fix a security issue.

References
==========
https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480

Files
=====

Uploaded to core/updates_testing

nodejs-fs.realpath-1.0.0-2.mga6
from nodejs-fs.realpath-1.0.0-2.mga6.src.rpm

nodejs-js-yaml-3.13.1-1.mga6
from nodejs-js-yaml-3.13.1-1.mga6.src.rpm

Status comment: (none) => Version 3,13,1 has been pushed to Cauldron
Assignee: smelror => qa-bugs

Comment 2 Len Lawrence 2019-06-12 00:17:45 CEST
Cannot find either of these packages in release.
Enabled updates testing

# urpmi nodejs-fs.realpath
    http://ftp.fi.muni.cz/pub/linux/mageia/distrib/6/x86_64/media/core/updates_testing/nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm
installing nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: nodejs-fs.realpath    #############################################
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])
# npm install esprima -g
/usr/bin/esparse -> /usr/lib/node_modules/esprima/bin/esparse.js
/usr/bin/esvalidate -> /usr/lib/node_modules/esprima/bin/esvalidate.js
/usr/lib
└── esprima@4.0.1 
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])

Help!

CC: (none) => tarazed25
Keywords: (none) => feedback

Comment 3 Len Lawrence 2019-06-12 00:30:38 CEST
Follow-up on comment 2.
There is a package nodejs-esprima-2.7.2-1.mga6.noarch already installed.
Presumably that needs updating as well.
Comment 4 Len Lawrence 2019-06-12 08:18:06 CEST
Looking at the bundled modules tree
$ npm ls -g
shows some that are invalid.

├─┬ argparse@1.0.3
│ ├── lodash@3.10.1 -> /usr/lib/node_modules/lodash
│ ├── sprintf-js@1.0.3 -> /usr/lib/node_modules/sprintf-js
│ └── underscore@1.8.3 -> /usr/lib/node_modules/underscore invalid

├─┬ js-yaml@3.5.2
│ ├── argparse@1.0.3 -> /usr/lib/node_modules/argparse
│ └── esprima@4.0.1 -> /usr/lib/node_modules/esprima invalid

npm ERR! invalid: underscore@1.8.3 /usr/lib/node_modules/argparse/node_modules/underscore
npm ERR! invalid: esprima@4.0.1 /usr/lib/node_modules/js-yaml/node_modules/esprima
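The `npm ls -g` fragment above shows why an RPM update alone is not the whole check: a globally installed `js-yaml@3.5.2` is still listed, and anything below 3.13.1 keeps the `load()` code-execution behaviour described in the report. The following is an added example, not code from this bug report or from the js-yaml project: it scans `npm ls`-style tree output for js-yaml entries, compares each version numerically against the fixed release, and notes whether npm flagged the entry as `invalid`. The sample tree is constructed, modelled on comment 4 with a hypothetical second install at 3.13.1; the function names are my own.

```javascript
// Added example (not from the bug report or the js-yaml project): audit `npm ls -g`
// text for js-yaml installs older than 3.13.1, the release that stops load() from
// executing code supplied through a `toString` mapping key (npm advisory 813).

const FIXED_JS_YAML = '3.13.1'; // first fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH" into three numbers; anything else yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver comparison returning -1, 0 or 1. A plain string comparison
// would wrongly rank "3.5.2" above "3.13.1".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk each line of the tree, pick out the first `name@x.y.z` token, and for the
// package of interest record the version, whether npm printed "invalid" on that
// line, and whether the version is below the fixed release.
function auditNpmTree(treeText, name, fixedVersion = FIXED_JS_YAML) {
  const token = /((?:@[\w.-]+\/)?[\w.-]+)@(\d+\.\d+\.\d+)/; // optional @scope/ prefix
  const hits = [];
  for (const line of treeText.split('\n')) {
    const m = token.exec(line);
    if (!m || m[1] !== name) continue;
    hits.push({
      version: m[2],
      invalid: /\binvalid\b/.test(line),
      vulnerable: compareVersions(m[2], fixedVersion) < 0,
    });
  }
  return hits;
}

// Wrapper for the package this bug is about.
function auditJsYaml(treeText) {
  return auditNpmTree(treeText, 'js-yaml');
}

// Human-readable summary lines, one per js-yaml entry found.
function reportJsYaml(treeText) {
  return auditJsYaml(treeText).map((hit) =>
    `js-yaml@${hit.version}: ${hit.vulnerable ? 'VULNERABLE (< ' + FIXED_JS_YAML + ')' : 'fixed'}` +
    (hit.invalid ? ' [npm reports invalid]' : ''));
}

// Constructed sample (not real system output): the tree from comment 4 plus a
// hypothetical second js-yaml install that is already at the fixed version.
const SAMPLE_NPM_LS = `
/usr/lib
├─┬ argparse@1.0.3
│ ├── lodash@3.10.1 -> /usr/lib/node_modules/lodash
│ ├── sprintf-js@1.0.3 -> /usr/lib/node_modules/sprintf-js
│ └── underscore@1.8.3 -> /usr/lib/node_modules/underscore invalid
├─┬ js-yaml@3.5.2
│ ├── argparse@1.0.3 -> /usr/lib/node_modules/argparse
│ └── esprima@4.0.1 -> /usr/lib/node_modules/esprima invalid
└── js-yaml@3.13.1
`;

for (const line of reportJsYaml(SAMPLE_NPM_LS)) {
  console.log(line);
}
```

On a real host, pipe `npm ls -g 2>/dev/null` (and `npm ls` inside each project directory) into `auditJsYaml`; a hit with `vulnerable: true` means that copy still needs updating regardless of what the distribution package says, and any remaining consumer of untrusted YAML should be using `safeLoad()` rather than `load()`.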
Comment 5 Len Lawrence 2019-06-15 12:18:44 CEST
A question: should these modules be noarch and if so should 32-bit updates testing be enabled?
