Bug 29584 - nodejs new security issues CVE-2021-22959 and CVE-2021-22960
Summary: nodejs new security issues CVE-2021-22959 and CVE-2021-22960
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-23 15:48 CEST by David Walser
Modified: 2021-11-13 18:36 CET
CC: 7 users

See Also:
Source RPM: nodejs-14.17.6-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-10-23 15:48:17 CEST
Fedora has issued an advisory today (October 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EUZYFCI7N4TFZSIGA7WGZ4Q7V3EK76GH/

The issue is fixed upstream in 14.18.1:
https://nodejs.org/en/blog/release/v14.18.1/

There is another fix too in the October updates:
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/
David Walser 2021-10-23 15:48:28 CEST

Status comment: (none) => Fixed upstream in 14.18.1

Comment 1 Lewis Smith 2021-10-23 21:18:12 CEST
Assigning this to Joseph who mostly maintains nodejs, CC'ing neoclust who has also helped with it recently.

Assignee: bugsquad => joequant
CC: (none) => mageia

Comment 2 David Walser 2021-10-30 23:08:54 CEST
Fedora has issued an advisory for this on October 29 (with both CVEs):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MFLYHRQPDF6ZMESCI3HRNOP6D6GELPFR/

Comment 3 Nicolas Lécureuil 2021-11-09 09:27:40 CET
updated in mga8

src:
    - nodejs-14.18.1-1.mga8

Status comment: Fixed upstream in 14.18.1 => (none)
CC: (none) => joequant
Assignee: joequant => qa-bugs

Comment 4 David Walser 2021-11-09 14:50:08 CET
nodejs-docs-14.18.1-1.mga8
nodejs-libs-14.18.1-1.mga8
nodejs-devel-14.18.1-1.mga8
nodejs-14.18.1-1.mga8
v8-devel-8.4.371.23.mga8-1.mga8
npm-6.14.15-1.14.18.1.1.mga8

from nodejs-14.18.1-1.mga8.src.rpm
Comment 5 Herman Viaene 2021-11-10 15:02:00 CET
MGA8-64 Plasma on Lenovo B50
Installation: when I select the v8-devel-8.4.371.23.mga8-1.mga8, I get
"Sorry, the following package cannot selected:
- v8-devel-8.4.371.23.mga8-1.mga8.x86_64 (because of missing nodejs-devel[== 1:14.17.3-1.mga8])
Continued the installation without the v8-devel without problems.
Tested along bug 29028 Comment 8, and that worked OK.
The issue with v8-devel had to be resolved before OK'ing this update, I guess????

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2021-11-10 17:49:50 CET
mga8, x64
Tried this to confirm Herman's observation.
All the Core packages were either installed or could be installed before updating except for v8-devel, which must be something new.
Used qarepo to populate the local repository with all six rpms then MageiaUpdate to install the updates.  Since v8-devel was not currently installed it was ignored so this does look like a missing dependency.  There is no problem installing it directly using urpmi.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-11-10 18:04:41 CET
Is v8 an alias of some kind?
$ sudo urpmi v8
Package nodejs-libs-14.18.1-1.mga8.x86_64 is already installed
$ locate v8 | grep nodejs
/usr/share/doc/nodejs/html/api/v8.html
/usr/share/doc/nodejs/html/api/v8.json
/usr/share/doc/nodejs/html/api/v8.md
The last file reads:
# V8

<!--introduced_in=v4.0.0-->

<!-- source_link=lib/v8.js -->

The `v8` module exposes APIs that are specific to the version of [V8][]
built into the Node.js binary. It can be accessed using:
...................
Comment 8 Herman Viaene 2021-11-11 08:51:06 CET
I'm doing things a little differently from Len:
I use qarepo to populate the local repository with all six rpms, but then use MCC - Software - Add and remove, and so select the v8-devel-8.4.371.23.mga8-1.mga8 package. The reported missing nodejs-devel was not present in any version in my installation before running the installation of the updates.

Comment 9 Len Lawrence 2021-11-11 12:00:13 CET
@Herman regarding comment 8:

Yeah, I had tried to use MCC to finish the installation but could not find any nodejs packages listed, none at all even though the core packages were present on the system and the updates available.
Comment 10 Len Lawrence 2021-11-11 16:48:48 CET
@Herman - adding feedback marker because I think this still needs clarification.

Keywords: (none) => feedback

Comment 11 Dave Hodgins 2021-11-12 00:37:10 CET
(In reply to Len Lawrence from comment #9)
> @Herman regarding comment 8:
> 
> Yeah, I had tried to use MCC to finish the installation but could not find
> any nodejs packages listed, none at all even though the core packages were
> present on the system and the updates available.

Make sure rpmdrake is set to show all packages, not just those with a gui.
Removing the feedback tag

CC: (none) => davidwhodgins
Keywords: feedback => (none)

Comment 12 Len Lawrence 2021-11-12 00:43:24 CET
Thanks Dave.  The trouble is I cannot recall what I did - but chose "all" at some point.  Better go back to the beginning and try again.

Comment 13 Len Lawrence 2021-11-12 19:23:56 CET
Nope.  Too much time wasted on this.  If it works for Herman then let it roll.
Comment 14 David Walser 2021-11-12 20:31:49 CET
So is v8-devel installable or is it not?  It isn't clear that Herman was able to install it either.
Comment 15 Dave Hodgins 2021-11-12 20:56:39 CET
# urpmi nodejs-devel
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  nodejs-packaging               23           3.mga8        noarch  
(medium "Core Updates Testing (distrib5)")
  nodejs-devel                   14.18.1      1.mga8        x86_64  
1005KB of additional disk space will be used.
200KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/release/nodejs-packaging-23-3.mga8.noarch.rpm
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/nodejs-devel-14.18.1-1.mga8.x86_64.rpm                                                                               
installing nodejs-packaging-23-3.mga8.noarch.rpm nodejs-devel-14.18.1-1.mga8.x86_64.rpm from /var/cache/urpmi/rpms                                                                                               
Preparing...                     ###############################################################################################################################################################################
      1/2: nodejs-packaging      ###############################################################################################################################################################################
      2/2: nodejs-devel          ###############################################################################################################################################################################
Comment 16 Dave Hodgins 2021-11-12 21:00:11 CET
That was on an install where I didn't have the prior version installed.

Testing using qarepo as an update for existing packages now.
Comment 17 Len Lawrence 2021-11-12 21:18:08 CET
Herman was able to install it using drakrpm - I was not.  However it was simple to install separately after the other packages were installed.
Comment 18 Dave Hodgins 2021-11-12 21:25:23 CET
Sorry, wrong devel package above.

On one install it installed ok. On another ...

chosen v8-devel-8.4.371.23.mga8-1.mga8.x86_64 for v8-devel|v8-devel|v8-devel|v8-devel|v8-devel
selecting v8-devel-8.4.371.23.mga8-1.mga8.x86_64
requiring nodejs-devel[== 1:14.17.3-1.mga8] for v8-devel-8.4.371.23.mga8-1.mga8.x86_64
chosen nodejs-devel-14.17.3-1.mga8.x86_64 for nodejs-devel[== 1:14.17.3-1.mga8]
the more recent nodejs-devel-14.18.1-1.mga8.x86_64 is installed, but does not provide nodejs-devel[== 1:14.17.3-1.mga8] whereas nodejs-devel-14.17.3-1.mga8.x86_64 does

Looking into the differences more.
Comment 19 Dave Hodgins 2021-11-12 21:32:13 CET
I think the princeton mirror may be under a ddos attack again. I'm getting a lot of wget failures. I'll try switching to kernel.org.

Comment 20 Dave Hodgins 2021-11-12 21:43:24 CET
This makes no sense. I've switched to the kernel.org mirror which is working well.

I downloaded http://mirrors.kernel.org/mageia/distrib/8/x86_64/media/core/updates_testing/v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm

[root@x3 ~]# urpmi ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm 


installing v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm from .
Preparing...                     ###############################################################################################################################################################################
      1/1: v8-devel              ###############################################################################################################################################################################
[root@x3 ~]# urpme v8-devel
removing v8-devel-8.4.371.23.mga8-1.mga8.x86_64
removing package v8-devel-2:8.4.371.23.mga8-1.mga8.x86_64
      1/1: removing v8-devel-2:8.4.371.23.mga8-1.mga8.x86_64
                                 ###############################################################################################################################################################################
[root@x3 ~]# urpmi v8-devel
The following package cannot be installed because it depends on packages
that are older than the installed ones:
v8-devel-8.4.371.23.mga8-1.mga8

So the package itself appears to be ok, but there is something wrong with the hdlist file urpmi is using.

Why it worked on one of my vb installs using qarepo, I don't understand yet.
Comment 21 Len Lawrence 2021-11-13 01:10:47 CET
That is the sort of thing I have been seeing which is why it seemed wise to investigate further.  All I know is that v8-devel has to match the version of v8 compiled into nodejs.
Comment 22 Dave Hodgins 2021-11-13 01:43:35 CET
What doesn't make sense is why urpmi can install using ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm but when using urpmi v8-devel, can't install v8-devel-8.4.371.23.mga8-1.mga8

I downloaded the package from the same mirror being used by urpmi. The only difference I can see is that when using v8-devel instead of using the package that's been manually downloaded is that urpmi is using the synthesis.hdlist.cz or hdlist.cz file from the mirror instead of using the requires/provides that are actually in the package.

Adding the sysadmin team to the cc list

In the package downloaded from kernel.org, it has ...
# rpm -q --requires ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm |grep nodejs-devel
nodejs-devel = 1:14.18.1-1.mga8

As per comment 18, the error shows it's requiring the wrong version with ...
requiring nodejs-devel[== 1:14.17.3-1.mga8]
when using the repo data.

CC: (none) => sysadmin-bugs

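The metadata-versus-package mismatch described in comment 22 can be checked mechanically. The script below is an added example, not something from this bug report or from the urpmi tooling: it parses a synthesis-style record and the output of `rpm -q --requires` for the same package and reports any exact-version requirement on which the two disagree. The synthesis record is constructed to mirror the stale entry seen in comment 18, and its exact layout is an assumption about urpmi's format.

```python
import re
from typing import Dict, Tuple

# Constructed sample data (not copied from the bug report's files):
# a synthesis-style record for v8-devel carrying the stale requirement on
# nodejs-devel 14.17.3, as the mirror metadata reported it in comment 18.
SYNTHESIS_RECORD = """\
@provides@v8-devel[== 2:8.4.371.23.mga8-1.mga8]
@requires@nodejs-devel[== 1:14.17.3-1.mga8]@rpmlib(PayloadIsXz)[<= 5.2-1]
@info@v8-devel-8.4.371.23.mga8-1.mga8.x86_64@2@592@Development/Other
"""

# Constructed `rpm -q --requires` output for the rebuilt package, which
# requires nodejs-devel 14.18.1 as quoted in comment 22.
RPM_REQUIRES_OUTPUT = """\
nodejs-devel = 1:14.18.1-1.mga8
rpmlib(PayloadIsXz) <= 5.2-1
"""

# 'nodejs-devel[== 1:14.17.3-1.mga8]' -> name, operator, version
SYNTH_DEP = re.compile(r"^([^\[]+)\[(==|<=|>=|<|>)\s*([^\]]+)\]$")
# 'nodejs-devel = 1:14.18.1-1.mga8' -> name, operator, version
RPM_DEP = re.compile(r"^(\S+)\s*(=|<=|>=|<|>)\s*(\S+)$")


def synthesis_requires(record: str) -> Dict[str, str]:
    """Exact-version (==) requirements from the @requires@ lines of a record."""
    exact: Dict[str, str] = {}
    for line in record.splitlines():
        if not line.startswith("@requires@"):
            continue
        for dep in line[len("@requires@"):].split("@"):
            m = SYNTH_DEP.match(dep.strip())
            if m and m.group(2) == "==":
                exact[m.group(1)] = m.group(3)
    return exact


def rpm_requires(output: str) -> Dict[str, str]:
    """Exact-version (=) requirements from `rpm -q --requires` output."""
    exact: Dict[str, str] = {}
    for line in output.splitlines():
        m = RPM_DEP.match(line.strip())
        if m and m.group(2) == "=":
            exact[m.group(1)] = m.group(3)
    return exact


def find_mismatches(record: str, output: str) -> Dict[str, Tuple[str, str]]:
    """Capabilities where repo metadata and the package disagree: name -> (metadata, package)."""
    meta, pkg = synthesis_requires(record), rpm_requires(output)
    return {cap: (meta[cap], pkg[cap]) for cap in meta if cap in pkg and meta[cap] != pkg[cap]}
```

A non-empty result means urpmi will resolve against a requirement the package itself does not carry, which is exactly the "requires older than installed" refusal seen in comment 20.
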
Comment 23 Raphael Gertz 2021-11-13 12:58:16 CET
The max version of the v8-devel package present on the server is 8.4.371.23.mga8 (nodejs-14.17.3-1.mga8.src.rpm)

Whereas for nodejs and nodejs-devel it is 14.17.6 (nodejs-14.17.6-1.mga8.src.rpm)

For some reason the v8-devel package was not included in the hdlist by the process (dunno why).

Did you try to increase the release version and rebuild it again to see if it reaches the mirrors correctly?

# urpmq -i --media 'Core Release,Core Updates,Core Updates Testing' v8-devel
Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 10.mga8
Group       : Development/Other
Size        : 592                          Architecture: x86_64
Source RPM  : nodejs-14.15.1-3.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description :
Development headers for the v8 runtime.

Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 1.mga8
Group       : Development/Other
Size        : 592                          Architecture: x86_64
Source RPM  : nodejs-14.16.0-1.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description :
Development headers for the v8 runtime.

Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 11.mga8
Group       : Development/Other
Size        : 592                          Architecture: x86_64
Source RPM  : nodejs-14.16.0-2.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description :
Development headers for the v8 runtime.

Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.23.mga8
Release     : 1.mga8
Group       : Development/Other
Size        : 592                          Architecture: x86_64
Source RPM  : nodejs-14.17.3-1.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description :
Development headers for the v8 runtime.

CC: (none) => mageia

Comment 24 Dave Hodgins 2021-11-13 18:36:43 CET
Adding Nicolas back to cc list.
Please bump the release and resubmit nodejs.
