Bug 24792 - Security issue in nodejs-js-yaml
Summary: Security issue in nodejs-js-yaml
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2019-05-08 19:58 CEST by Stig-Ørjan Smelror
Modified: 2019-10-03 14:04 CEST (History)

See Also:
Source RPM:
CVE:
Status comment: Version 3.13.1 has been pushed to Cauldron



Description Stig-Ørjan Smelror 2019-05-08 19:58:45 CEST
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the load() function. The safeLoad() function is unaffected.

https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480
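To make the mechanism in the description concrete, the following is an added example; it is not part of this bug report and not js-yaml's own code. It models, in plain Node.js with no js-yaml dependency, how a mapping key is coerced to a string when it is stored: the pre-3.13.1 behaviour calls String(key) on whatever the key was constructed into, and with the default (full) schema a `!!js/function` scalar has already been compiled into a real Function by the time the key is stored, so an explicit key of the form `{ toString: <function> }` runs attacker-supplied code. The hardened variant follows the approach of nodeca/js-yaml#480, which substitutes the literal string '[object Object]' for plain-object keys (and plain-object elements of array keys) before coercion. The function names (`storeMappingPairVulnerable`, `storeMappingPairFixed`, `buildMaliciousKey`, `demo`) and the recording `log` array are this example's own; the "compiled" function here only appends to that array instead of doing anything harmful.

```javascript
'use strict';

// Stand-in for js-yaml's internal _class() helper: the Object.prototype.toString tag.
// (Calling it via Object.prototype ignores any own toString the value carries.)
function classOf(value) {
  return Object.prototype.toString.call(value);
}

// Modelled pre-3.13.1 behaviour: the key is coerced with String(), so a plain
// object that carries its own toString property gets that function invoked.
function storeMappingPairVulnerable(result, keyNode, valueNode) {
  const key = String(keyNode);
  result[key] = valueNode;
  return result;
}

// Modelled 3.13.1 behaviour (after nodeca/js-yaml#480): plain objects, whether
// the key itself or an element of an array key, are replaced by the literal
// '[object Object]' before coercion, so an attacker-controlled toString never runs.
function storeMappingPairFixed(result, keyNode, valueNode) {
  let key = keyNode;
  if (Array.isArray(key)) {
    key = key.map(function (item) {
      return (typeof item === 'object' && classOf(item) === '[object Object]')
        ? '[object Object]'
        : item;
    });
  }
  if (typeof key === 'object' && classOf(key) === '[object Object]') {
    key = '[object Object]';
  }
  result[String(key)] = valueNode;
  return result;
}

// The YAML shape from the advisory, written out here for illustration (constructed,
// not taken from any real document); the explicit-key syntax "? ... : ..." is what
// lets a flow mapping act as a key:
//
//   ? { toString: !<tag:yaml.org,2002:js/function> 'function () { /* attacker code */ }' }
//   : 1
//
// With the full schema the js/function scalar is compiled into a real Function
// before the key is stored. We model that compiled function directly and have it
// record that it ran instead of doing anything harmful.
function buildMaliciousKey(log) {
  return {
    toString: function () {
      log.push('attacker code ran');
      return 'pwned';
    }
  };
}

// Feed the malicious key through one of the two storeMappingPair variants and
// report whether its toString() executed and which key ended up in the mapping.
// wrapInArray exercises the flow-sequence key case ("? [ {...}, other ] : 1").
function demo(storeMappingPair, wrapInArray) {
  const log = [];
  let key = buildMaliciousKey(log);
  if (wrapInArray) key = [key, 'other'];
  const mapping = storeMappingPair({}, key, 1);
  return { ran: log.length > 0, keys: Object.keys(mapping) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:            ', demo(storeMappingPairVulnerable, false));
  console.log('fixed:                 ', demo(storeMappingPairFixed, false));
  console.log('vulnerable (array key):', demo(storeMappingPairVulnerable, true));
  console.log('fixed (array key):     ', demo(storeMappingPairFixed, true));
}
```

Run it with `node`; each `demo` call returns an object whose `ran` flag says whether the key's toString() executed, and the vulnerable variant also ends up with the attacker-chosen key name in the mapping. Application-side, the check a practitioner wants is whether untrusted YAML ever reaches `load()` rather than `safeLoad()`: the safe schema has no `!!js/function` type, which is why the description says safeLoad() is unaffected.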
Comment 1 Stig-Ørjan Smelror 2019-05-10 09:55:14 CEST
Advisory
========

nodejs-js-yaml has been updated to fix a security issue.

References
==========
https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480

Files
=====

Uploaded to core/updates_testing

nodejs-fs.realpath-1.0.0-2.mga6
from nodejs-fs.realpath-1.0.0-2.mga6.src.rpm

nodejs-js-yaml-3.13.1-1.mga6
from nodejs-js-yaml-3.13.1-1.mga6.src.rpm

Assignee: smelror => qa-bugs
Status comment: (none) => Version 3.13.1 has been pushed to Cauldron

Comment 2 Len Lawrence 2019-06-12 00:17:45 CEST
Cannot find either of these packages in release.
Enabled updates testing

# urpmi nodejs-fs.realpath
    http://ftp.fi.muni.cz/pub/linux/mageia/distrib/6/x86_64/media/core/updates_testing/nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm
installing nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/1: nodejs-fs.realpath    #############################################
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])
# npm install esprima -g
/usr/bin/esparse -> /usr/lib/node_modules/esprima/bin/esparse.js
/usr/bin/esvalidate -> /usr/lib/node_modules/esprima/bin/esvalidate.js
/usr/lib
└── esprima@4.0.1 
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])

Help!

CC: (none) => tarazed25
Keywords: (none) => feedback

Comment 3 Len Lawrence 2019-06-12 00:30:38 CEST
Follow up on comment 2.
There is a package nodejs-esprima-2.7.2-1.mga6.noarch already installed.
Presumably that needs updating as well.
Comment 4 Len Lawrence 2019-06-12 08:18:06 CEST
Looking at the bundled modules tree
$ npm ls -g
shows some that are invalid.

├─┬ argparse@1.0.3
│ ├── lodash@3.10.1 -> /usr/lib/node_modules/lodash
│ ├── sprintf-js@1.0.3 -> /usr/lib/node_modules/sprintf-js
│ └── underscore@1.8.3 -> /usr/lib/node_modules/underscore invalid

├─┬ js-yaml@3.5.2
│ ├── argparse@1.0.3 -> /usr/lib/node_modules/argparse
│ └── esprima@4.0.1 -> /usr/lib/node_modules/esprima invalid

npm ERR! invalid: underscore@1.8.3 /usr/lib/node_modules/argparse/node_modules/underscore
npm ERR! invalid: esprima@4.0.1 /usr/lib/node_modules/js-yaml/node_modules/esprima
Comment 5 Len Lawrence 2019-06-15 12:18:44 CEST
A question: should these modules be noarch and if so should 32-bit updates testing be enabled?
Comment 6 Thomas Andrews 2019-09-14 05:12:07 CEST
Len asked for some feedback three months ago. Could we get a response to his question? It would be nice to be able to clear this before M6 goes EOL...

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2019-09-14 05:41:09 CEST
Len, the QARepo tool just found both of those packages for me in the 64-bit testing repositories. Both are indeed noarch.

Unfortunately, I don't have a clue about how to test them.
Comment 8 Thomas Andrews 2019-09-14 05:47:58 CEST
FWIW, https://madb.mageia.org/tools/listRpmsForQaBug/bugnum/24792/application/0 only lists the nodejs-fs.realpath package. It does not mention the nodejs-js-yaml package at all.
Comment 9 Len Lawrence 2019-09-14 10:22:13 CEST
Back to the beginning.
Removed nodejs and 10 other related packages.
Installed nodejs from scratch, nodejs-js-yaml and nodejs-fs.realpath.

Enabled updates testing for 64bits and updated nodejs-fs.realpath successfully but:
# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(argparse)[>= 1.0.7])

This is the state of play:
# rpm -qa | grep nodejs
nodejs-underscore-1.8.3-1.mga6
nodejs-argparse-1.0.3-3.mga6
nodejs-sprintf-js-1.0.3-5.mga6
nodejs-6.10.3-2.mga6
nodejs-js-yaml-3.5.2-3.mga6
nodejs-esprima-2.7.2-1.mga6
nodejs-lodash-3.10.1-7.mga6
nodejs-fs.realpath-1.0.0-2.mga6

Most of those were pulled in when nodejs was reinstalled. So, is it a bundling problem?

Does 'npm install' use Mageia repositories?  I am assuming not because although later packages can be installed that way, the rpm database does not seem to be updated.  Unbundled packages seem to be invisible so the problem seems to be missing dependencies or not all required packages having updated versions.  I am not a packager so for me this is all guesswork (hence the "seems").
Comment 10 Len Lawrence 2019-09-17 21:46:35 CEST
Continuing from comment 9:

$ urpmq --requires nodejs-js-yaml
nodejs
nodejs(engine)
npm(argparse)[>= 1.0.2]
npm(argparse)[< 2]
npm(esprima)[>= 2.6.0]
npm(esprima)[< 3]

This is getting very confusing - e.g. compare the argparse statement in comment 9 with the above.
Comment 11 Thomas Backlund 2019-10-02 22:44:44 CEST
Mga 6 EOL

CC: (none) => tmb
Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 12 David Walser 2019-10-03 13:59:08 CEST
Please use OLD for EOL.

Resolution: WONTFIX => OLD

Comment 13 Thomas Backlund 2019-10-03 14:04:01 CEST
Ah, indeed. Thanks
