Bug 27962 - grpc new security issue CVE-2020-7768
Summary: grpc new security issue CVE-2020-7768
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-28 19:39 CET by Zombie Ryushu
Modified: 2021-01-06 16:17 CET
0 users

See Also:
Source RPM: grpc-1.20.0-1.mga7.src.rpm
CVE: CVE-2020-7768
Status comment:


Description Zombie Ryushu 2020-12-28 19:39:54 CET
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
Zombie Ryushu 2020-12-28 19:40:11 CET

QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2020-7768

Comment 1 David Walser 2020-12-28 19:55:10 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Upstream patches:
https://github.com/grpc/grpc-node/pull/1605
https://github.com/grpc/grpc-node/pull/1606

Status comment: (none) => Patches available from upstream
Assignee: bugsquad => geiger.david68210
Summary: grpc security issue CVE-2020-7768 => grpc new security issue CVE-2020-7768
Severity: normal => major

Comment 2 David GEIGER 2021-01-06 08:03:14 CET
We haven't the package "grpc-node", so we are not affected!
Comment 3 David Walser 2021-01-06 16:17:40 CET
Indeed it looks like the affected code isn't in the package.

Status: NEW => RESOLVED
Status comment: Patches available from upstream => (none)
Resolution: (none) => INVALID
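
A triage check in the spirit of this bug, as an added example that is not part of the original report or of grpc itself: it scans an npm lockfile for `grpc` and `@grpc/grpc-js` entries older than the fixed versions quoted in the description. The function names and the `SAMPLE_LOCK` data are constructed for illustration.

```javascript
// Fixed versions as quoted in the bug description (CVE-2020-7768).
const FIXED = { 'grpc': '1.24.4', '@grpc/grpc-js': '1.1.8' };

// Compare x.y.z versions; a pre-release (1.24.4-pre1) sorts before its release.
function compareVersions(a, b) {
  const [coreA, preA] = a.split('+')[0].split('-', 2);
  const [coreB, preB] = b.split('+')[0].split('-', 2);
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return (preB ? 1 : 0) - (preA ? 1 : 0);
}

// Return every locked copy of an affected package, including nested ones.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const listed = Object.prototype.hasOwnProperty.call(FIXED, name);
    if (listed && typeof version === 'string' &&
        compareVersions(version, FIXED[name]) < 0) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as node_modules/a/node_modules/b
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx !== -1) check(path.slice(idx + 13), meta.version, path);
    }
  } else {
    // lockfileVersion 1: dependencies are nested objects
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/@grpc/grpc-js': { version: '1.1.7' },
  'node_modules/grpc': { version: '1.24.4' },
  'node_modules/some-dep/node_modules/grpc': { version: '1.20.0' } } };
console.log(findAffected(SAMPLE_LOCK));
```

This only covers the npm packages named in the description; a distribution package that happens to share the name `grpc` has to be checked against its own contents.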

