Bug 27901 - nodejs-ini new security issue CVE-2020-7788
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-22 17:19 CET by David Walser
Modified: 2021-02-05 12:56 CET

See Also:
Source RPM: nodejs-ini-1.3.5-2.mga7.src.rpm
CVE: CVE-2020-7788
Status comment:


Description David Walser 2020-12-22 17:19:55 CET
Debian-LTS has issued an advisory on December 21:
https://www.debian.org/lts/security/2020/dla-2503

The issue is fixed upstream in 1.3.6.

Mageia 7 is also affected.
David Walser 2020-12-22 17:42:25 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-22 20:37:35 CET
Assigning to Stig for this SRPM.

Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-25 18:42:04 CET
fixed in cauldron by updating to version 1.3.8

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2020-12-25 19:43:55 CET
Updated in mga7 (to 1.3 branch, to make sure we do not break other nodejs deps)
src: 
    nodejs-ini-1.3.8-1.mga7

Assignee: smelror => qa-bugs

Comment 4 David Walser 2020-12-25 19:55:00 CET
Advisory:
========================

Updated nodejs-ini package fixes security vulnerability:

It was discovered that there was an issue in nodejs-ini, where an application
could be exploited by a malicious input file. This affects the package ini
before 1.3.6. If an attacker submits a malicious INI file to an application
that parses it with ini.parse, they will pollute the prototype on the
application. This can be exploited further depending on the context
(CVE-2020-7788).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
https://www.debian.org/lts/security/2020/dla-2503
========================

Updated packages in core/updates_testing:
========================
nodejs-ini-1.3.8-1.mga7

from nodejs-ini-1.3.8-1.mga7.src.rpm
Comment 5 Len Lawrence 2020-12-30 21:07:21 CET
mga7, x86_64

Installed nodejs files before updating.

CVE-2020-7788
https://snyk.io/vuln/SNYK-JS-INI-1048974
$ cat payload.ini
[__proto__]
polluted = "polluted"
$ cat poc.js
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

The test is to use nodejs interactively - this is what is expected:
$ node
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

But this is what happens here:
$ node
> node poc.js
Thrown:
node poc.js
     ^^^

SyntaxError: Unexpected identifier
> poc.js
Thrown:
ReferenceError: poc is not defined
> .exit

Cannot figure out what is going on here.  The REPL definitely works so maybe my interpretation of the PoC procedure is wrong.

CC: (none) => tarazed25
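
The parsing behaviour described in the advisory (Comment 4), run against the payload.ini shown in Comment 5, as an added example that is not part of the original report and not the ini package's code. parseIni, leakedKeys and the harden flag are hypothetical names; the parser is a simplified stand-in, so the script runs without the ini module being resolvable.

```javascript
// Simplified INI parser (hypothetical stand-in, NOT the ini package's code).
// harden=false mirrors the pattern behind CVE-2020-7788;
// harden=true shows one common defence: never attach a "__proto__" name.
function parseIni(text, harden) {
  const out = harden ? Object.create(null) : {};
  let target = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const section = line.match(/^\[([^\]]*)\]$/);
    if (section) {
      const name = section[1];
      if (harden && name === '__proto__') {
        target = Object.create(null); // keep parsing, but discard this section
        continue;
      }
      // Unhardened: out['__proto__'] resolves to Object.prototype, so every
      // key that follows is written onto the shared prototype.
      target = out[name] = out[name] || {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (!kv) continue;
    if (harden && kv[1] === '__proto__') continue;
    target[kv[1]] = kv[2].replace(/^"(.*)"$/, '$1');
  }
  return out;
}

// Returns the property names that parsing `text` added to Object.prototype,
// then removes them again so later checks start from a clean state.
function leakedKeys(text, harden) {
  const before = Object.getOwnPropertyNames(Object.prototype);
  parseIni(text, harden);
  const leaked = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.includes(k));
  for (const k of leaked) delete Object.prototype[k];
  return leaked;
}

// Same content as payload.ini in Comment 5, embedded inline.
const payload = '[__proto__]\npolluted = "polluted"\n';
console.log('unhardened leaked:', leakedKeys(payload, false));
console.log('hardened leaked:  ', leakedKeys(payload, true));
```

Saved to a file and run from the shell as "node <file>", the unhardened pass reports the leaked key and the hardened pass reports none.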

Comment 6 Len Lawrence 2021-01-02 23:45:26 CET
Running the PoC code explicitly in the REPL does not work.
$ node
> var fs = require('fs')
undefined
> var ini = require('ini')
Thrown:
{ Error: Cannot find module 'ini'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
    at Function.Module._load (internal/modules/cjs/loader.js:562:25)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18) code: 'MODULE_NOT_FOUND' }
> 
> var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
Thrown:
TypeError: Cannot read property 'parse' of undefined
> console.log(parsed)
undefined
undefined
> console.log(parsed.__proto__)
Thrown:
TypeError: Cannot read property '__proto__' of undefined
> console.log(polluted)
Thrown:
ReferenceError: polluted is not defined
> .exit
Comment 7 Aurelien Oudelet 2021-02-04 18:59:46 CET
Ping?

CC: (none) => ouaurelien
Source RPM: nodejs-ini-1.3.5-3.mga8.src.rpm => nodejs-ini-1.3.5-2.mga7.src.rpm
CVE: (none) => CVE-2020-7788

Comment 8 Brian Rockwell 2021-02-05 01:02:05 CET
Feb 04 13:41:53 localhost [RPM][5804]: install nodejs-libs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:41:53 localhost [RPM][5804]: install nodejs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:33 localhost [RPM][5804]: install nodejs-packaging-9-2.mga7.noarch: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-libs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:41 localhost [RPM][5804]: install nodejs-packaging-9-2.mga7.noarch: success
Feb 04 13:42:56 localhost [RPM][5804]: install nodejs-devel-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-docs-1:10.23.1-10.mga7.noarch: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-devel-1:10.23.1-10.mga7.x86_64: success
Feb 04 13:42:59 localhost [RPM][5804]: install nodejs-docs-1:10.23.1-10.mga7.noarch: success

Note: other modules, including nbm, were installed.

Set up a multi-user game and tested some basic server functionality.

Working as designed for me.

CC: (none) => brtians1

Comment 9 Aurelien Oudelet 2021-02-05 11:10:33 CET
So, MGA7-64-OK on behalf of comment 8.

Validating.
Advisory flushed to SVN.
Aurelien Oudelet 2021-02-05 11:10:44 CET

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2021-02-05 12:56:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0068.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

