Bug 29112 - Puddletag security issue - CVE-2021-23358
Summary: Puddletag security issue - CVE-2021-23358
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-12 01:17 CEST by Stig-Ørjan Smelror
Modified: 2021-06-18 21:26 CEST (History)
3 users

See Also:
Source RPM: puddletag-2.0.1-2.mga8.src.rpm
CVE: CVE-2021-23358
Status comment:


Description Stig-Ørjan Smelror 2021-06-12 01:17:56 CEST
Upstream made a fix for CVE-2021-23358 on 2021-05-23.

https://github.com/puddletag/puddletag/commit/0a20591c08818956b5f694b3467b6795004ec199
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
Comment 1 Stig-Ørjan Smelror 2021-06-12 01:22:54 CEST
Advisory
========

Puddletag has been updated to fix a security issue in the underscore module.

References
==========
https://github.com/puddletag/puddletag/commit/0a20591c08818956b5f694b3467b6795004ec199
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Files
=====

Uploaded to core/updates_testing

puddletag-2.0.2-0.git20210523.1.mga8

from puddletag-2.0.2-0.git20210523.1.mga8.src.rpm

Assignee: smelror => qa-bugs
Status comment: (none) => Fixed upstream in git, but not yet in a release
CVE: (none) => CVE-2021-23358

Comment 2 David Walser 2021-06-12 01:54:58 CEST
We have nodejs-underscore packaged, and the CVE is for that (see Bug 28984).  If puddletag is bundling it, you should unbundle it and fix it in the nodejs-underscore package.

Keywords: (none) => feedback

Comment 3 Stig-Ørjan Smelror 2021-06-12 09:02:00 CEST
(In reply to David Walser from comment #2)
> We have nodejs-underscore packaged, and the CVE is for that (see Bug 28984).
> If puddletag is bundling it, you should unbundle it and fix it in the
> nodejs-underscore package.

If you mean "nodejs-underscore-dot-string-2.3.1-4.mga8.noarch", then it looks like it's not the same as the one updated in Puddletag.

https://www.npmjs.com/package/underscore
Comment 4 David Walser 2021-06-13 00:59:12 CEST
No I don't mean dot-string.  See the nodejs-underscore package itself (and js-underscore).
Comment 5 Stig-Ørjan Smelror 2021-06-13 12:11:53 CEST
(In reply to David Walser from comment #4)
> No I don't mean dot-string.  See the nodejs-underscore package itself (and
> js-underscore).

I've searched mga8 and can't find it anywhere.

On https://ftp.acc.umu.se/mirror/mageia/distrib/8/SRPMS/core/release/ I can only see
nodejs-underscore-dot-string-2.3.1-4.mga8.src.rpm
perl-lexical-underscore-0.4.0-3.mga8.src.rpm
Comment 6 Dave Hodgins 2021-06-13 16:52:29 CEST
(In reply to David Walser from comment #4)
> No I don't mean dot-string.  See the nodejs-underscore package itself (and
> js-underscore).

Dropped in Mageia 8?

In Mageia 7 ...
$ urpmq -y underscore|sort -u
js-underscore
nodejs-underscore
nodejs-underscore-dot-string
perl-lexical-underscore

In Mageia 8 ...
]$ urpmq -y underscore|sort -u
nodejs-underscore-dot-string
perl-lexical-underscore

CC: (none) => davidwhodgins

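Comment 2 raises the packaging question behind this report (does puddletag bundle its own copy of underscore rather than using the distro package?), and comment 6 answers it only at the package-name level with urpmq. The following is an added example, not part of the bug report and not puddletag's or Mageia's own tooling: a small POSIX shell helper that walks an unpacked package tree (for example the directory a source RPM was extracted into, or the package's installed file list), finds every bundled copy of underscore.js by the version header the upstream library puts at the top of the file, and compares the detected version against a fixed version the caller takes from the advisory. Nothing about the vulnerable range is hard-coded; the fixed version is a parameter, and the demo tree it builds is constructed input.

```shell
#!/bin/sh
# Added example (not from the bug report, puddletag or Mageia tooling):
# locate bundled copies of underscore.js under a directory and report the
# version each copy declares, so a packager can decide whether to unbundle
# or to rebuild against a fixed library.

# Print "path<TAB>version" for every *.js file under $1 whose header carries
# the upstream "//     Underscore.js X.Y.Z" comment (present in both the full
# and the minified file). Files without the header are skipped silently.
find_bundled_underscore() {
    dir="$1"
    find "$dir" -type f -name '*.js' 2>/dev/null | while IFS= read -r f; do
        ver=$(grep -o 'Underscore\.js [0-9][0-9.]*' "$f" 2>/dev/null \
              | head -n 1 | awk '{print $2}')
        if [ -n "$ver" ]; then
            printf '%s\t%s\n' "$f" "$ver"
        fi
    done
}

# Numeric dotted-version comparison: succeeds (exit 0) when $1 < $2.
# A plain string compare would get 1.9.1 vs 1.12.0 wrong, hence awk.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1
    }'
}

# Classify a detected version against the fixed version from the advisory
# ($2, supplied by the caller). Prints "older-than-fix" or "fixed-or-newer".
check_version() {
    detected="$1"
    fixed="$2"
    if version_lt "$detected" "$fixed"; then
        echo "older-than-fix"
    else
        echo "fixed-or-newer"
    fi
}

# Scan a tree and print one classification line per bundled copy.
# Usage: scan_tree DIR FIXED_VERSION
scan_tree() {
    find_bundled_underscore "$1" | while IFS="$(printf '\t')" read -r path ver; do
        printf '%s\t%s\t%s\n' "$path" "$ver" "$(check_version "$ver" "$2")"
    done
}

# Demo on a constructed package tree; run as: sh thisfile.sh --demo 1.12.1
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/share/puddletag/js"
    # Constructed sample: a bundled copy declaring an older version.
    printf '//     Underscore.js 1.9.1\n(function(){})();\n' \
        > "$tmp/usr/share/puddletag/js/underscore.js"
    printf '// some other library, no underscore header\n' \
        > "$tmp/usr/share/puddletag/js/other.js"
    scan_tree "$tmp" "$1"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo "${2:?fixed version required}"
fi
```

The scan deliberately reports every copy and lets the caller supply the fixed version, because the point in this thread is discovering that a bundled copy exists at all; once found, the right fix is the one comment 2 describes (unbundle and depend on the distro package) rather than patching the copy in place.
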
Comment 7 David Walser 2021-06-13 18:48:12 CEST
Well that's weird!  My local Cauldron mirror is from shortly before Mageia 8 was released (January 15, release was on February 28), and it's on there.  I see it isn't in Cauldron or Mageia 8 now, but it's also not in task-obsolete and it wasn't moved to obsolete in SVN.  I have no idea what happened to it.

Keywords: feedback => (none)
Status comment: Fixed upstream in git, but not yet in a release => (none)

Comment 8 Dave Hodgins 2021-06-13 19:35:24 CEST
https://ml.mageia.org/l/arc/dev/2021-02/msg00173.html

Bulk dropping of packages due to build failures.
Comment 9 David Walser 2021-06-13 19:57:52 CEST
I don't see anything there about it being dropped, or how.  Maybe a sysadmin deleted a bunch of them.
Comment 10 Dave Hodgins 2021-06-13 21:46:33 CEST
That's the last reference I found to nodejs-underscore prior to this bug report in any of the mailing lists I have archived, which includes both dev and sysadmin discuss lists.

It's not listed in http://svnweb.mageia.org/packages/obsolete/?sortby=file&dir_pagestart=1700

Adding sysadmin team to cc list.

For sysadmins, when/how was the nodejs-underscore srpm removed from Mageia 8?

Is there a complete list of all of the srpms removed at that time?

CC: (none) => sysadmin-bugs

Comment 11 David Walser 2021-06-13 22:31:13 CEST
It's fine that it's gone, just a bit puzzling.
Comment 12 Thomas Andrews 2021-06-18 02:39:15 CEST
Since there has been no further debate on the fate of nodejs-underscore, I'm going ahead with this. Tested in a VirtualBox mga8-64 Plasma guest. 

Installed puddletag and its numerous dependencies, 46 packages in all. No installation issues. Got the update with qarepo, and updated. Again, no installation issues.

Before trying this, I didn't even know that "tagging" music files was a thing, so I don't know the finer points of the process. However, I did run puddletag, loaded a directory into it, and played with some of the fields of a couple of files.

It didn't crash, and seemed to be doing what it's supposed to do. Calling that good enough. OKing, and validating. Advisory in Comment 1.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm

Thomas Backlund 2021-06-18 20:11:44 CEST

Keywords: (none) => advisory

Comment 13 Mageia Robot 2021-06-18 21:26:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0269.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
