Bug 29656 - nodejs-tar new security issues CVE-2021-37701 and CVE-2021-37712
Summary: nodejs-tar new security issues CVE-2021-37701 and CVE-2021-37712
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-11-12 21:39 CET by David Walser
Modified: 2022-03-21 21:19 CET (History)
7 users

See Also:
Source RPM: nodejs-tar-6.0.5-1.mga8.src.rpm
CVE:
Status comment:


Attachments
located in ~/Documenten in my test (355 bytes, application/x-javascript)
2021-12-08 14:55 CET, Herman Viaene

Description David Walser 2021-11-12 21:39:44 CET
Debian has issued an advisory on November 11:
https://www.debian.org/security/2021/dsa-5008

The issues are fixed upstream in 6.1.9.

Mageia 8 is also affected.
David Walser 2021-11-12 21:39:58 CET

Status comment: (none) => Fixed upstream in 6.1.9
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-11-24 18:25:48 CET
Fixed in cauldron + mga8. In addition I fixed 2 other CVEs:

CVE-2021-32803, CVE-2021-32804, CVE-2021-37701 and CVE-2021-37712


src:
    - nodejs-tar-6.0.5-1.1.mga8

Assignee: smelror => qa-bugs
CC: (none) => mageia, smelror

Nicolas Lécureuil 2021-11-24 18:26:56 CET

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 6.1.9 => (none)

Comment 2 David Walser 2021-11-25 00:47:24 CET
Can you provide some URL references for the other CVEs?
Comment 3 Herman Viaene 2021-12-02 16:16:29 CET
@Nicolas: and can you provide the exact rpm name please (happens on some of your updates).

CC: (none) => herman.viaene

Comment 4 David Walser 2021-12-03 00:30:58 CET
If I don't post a package list, the rpm and srpm have the same name.
Comment 5 Herman Viaene 2021-12-08 14:54:31 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
No previous update on this, so googled for some simple example and found https://gist.github.com/kylemanna/6983997
Changed it to reflect my config (see file attached), but ran into a problem:
$ cd Documenten
[tester8@mach5 Documenten]$ node nodejstar.js 
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module 'tar'
Require stack:
- /home/tester8/Documenten/nodejstar.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Function.Module._load (internal/modules/cjs/loader.js:746:27)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:93:18)
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:2:11)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/tester8/Documenten/nodejstar.js' ]
Comment 6 Herman Viaene 2021-12-08 14:55:42 CET
Created attachment 13025 [details]
located in ~/Documenten in my test
Comment 7 Brian Rockwell 2021-12-12 02:00:01 CET
Herman - try this from the terminal (I ran mine as root):

# npm install tar --save

CC: (none) => brtians1

Comment 8 Herman Viaene 2021-12-29 14:51:09 CET
@Brian
I ran this command both as root (first try) and as a normal user. The feedback is:
npm install tar --save
npm WARN saveError ENOENT: no such file or directory, open '/root/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/root/package.json'
npm WARN root No description
npm WARN root No repository field.
npm WARN root No README data
npm WARN root No license field.

+ tar@6.1.11
added 7 packages from 1 contributor and audited 7 packages in 2.296s
found 0 vulnerabilities

And subsequently the command from Comment 5 now reports another error.
$ node nodejstar.js 
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module 'fstream'
Require stack:
- /home/tester8/Documenten/nodejstar.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Function.Module._load (internal/modules/cjs/loader.js:746:27)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:93:18)
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:3:15)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/tester8/Documenten/nodejstar.js' ]
}
Note: from my test it seems you have to run the install as the same user as the test you want to do. Running the install as root and then the test as a normal user still shows "tar not found".

Making a blind guess I did:
$ npm install fstream --save
npm WARN saveError ENOENT: no such file or directory, open '/home/tester8/Documenten/package.json'
npm WARN enoent ENOENT: no such file or directory, open '/home/tester8/Documenten/package.json'
npm WARN Documenten No description
npm WARN Documenten No repository field.
npm WARN Documenten No README data
npm WARN Documenten No license field.

+ fstream@1.0.12
added 16 packages from 4 contributors and audited 25 packages in 1.927s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ node nodejstar.js 
/home/tester8/Documenten/nodejstar.js:9
var pack = src.pipe(tar.Pack({ noProprietary: true }));
                        ^

TypeError: Class constructors cannot be invoked without 'new'
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:9:25)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
    at internal/main/run_main_module.js:17:47

I think I'm still missing something.
Comment 9 Brian Rockwell 2022-01-06 23:18:36 CET
I ran mine as root.  You might try that.
Comment 10 Herman Viaene 2022-01-07 15:06:04 CET
I believe you, but that can't be the normal way; one should be able to use this as a normal user. Who would run thunderbird as root?????
Comment 11 Len Lawrence 2022-01-29 17:14:45 CET
mga8, x64
Installed nodejs-tar:
      1/9: nodejs-yallist
      2/9: nodejs-minipass
      3/9: nodejs-fs-minipass
      4/9: nodejs-minizlib
      5/9: nodejs-safe-buffer
      6/9: nodejs-minimist
      7/9: nodejs-mkdirp
      8/9: nodejs-chownr
      9/9: nodejs-tar
Full list of packages installed:
nodejs-safe-buffer-5.1.2-3.mga8
nodejs-fs-minipass-2.0.1-2.mga8
nodejs-14.18.1-1.1.mga8
nodejs-docs-14.18.1-1.1.mga8
nodejs-tar-6.0.5-1.mga8
nodejs-minimist-1.2.5-1.mga8
nodejs-mkdirp-1.0.4-2.mga8
nodejs-minizlib-2.1.2-2.mga8
nodejs-chownr-2.0.0-1.mga8
nodejs-yallist-4.0.0-1.mga8
nodejs-packaging-23-3.mga8
nodejs-libs-14.18.1-1.1.mga8
nodejs-minipass-3.1.3-2.mga8
nodejs-devel-14.18.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-1.1.mga8
npm-6.14.15-1.14.18.1.1.1.mga8

Updated nodejs-tar.
Edited the file from https://gist.github.com/kylemanna/6983997 and tried to run it:
$ node create-tar.js
/home/lcl/qa/nodejs/create-tar.js:9
var pack = src.pipe(tar.Pack({ noProprietary: true }));
                        ^
TypeError: Class constructors cannot be invoked without 'new'

This is what happened the last time I tried this.  It differs from Herman's error.

CC: (none) => tarazed25

Comment 12 Len Lawrence 2022-01-29 17:49:54 CET
Meanwhile I tried to update nodejs and ran into the v8-devel problem which also happened on an earlier update.
Ran the test script and hit exactly the same error with the Pack class.  So I agree with Herman; there is something missing.  I tried hacking the script but without knowing javascript that is a fool's errand.
Comment 13 Dave Hodgins 2022-03-21 18:39:25 CET
My understanding is that npm is used to install nodejs programs directly from github,
not from Mageia repos.

After using urpmi to install the nodejs javascript programs, a usage example is
shown for nodejs-tar at https://github.com/npm/node-tar

However, for qa testing of nodejs packages, in most cases we just confirm the
update installs cleanly over the prior version.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2022-03-21 19:17:51 CET

Keywords: (none) => advisory

Comment 14 Mageia Robot 2022-03-21 21:19:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0103.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
