Bug 30887 - nodejs new security issues CVE-2022-3221[35] and CVE-2022-3525[56]
Summary: nodejs new security issues CVE-2022-3221[35] and CVE-2022-3525[56]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-09-23 18:42 CEST by David Walser
Modified: 2022-10-01 19:50 CEST
CC List: 5 users

See Also:
Source RPM: nodejs-14.20.0-1.1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-09-23 18:42:52 CEST
Nodejs has issued an advisory today (September 23):
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

The issues are fixed upstream in 14.20.1 and 18.9.1:
https://nodejs.org/en/blog/release/v14.20.1/
https://nodejs.org/en/blog/release/v18.9.1/

Mageia 8 is also affected by CVE-2022-32213 and CVE-2022-35256.
David Walser 2022-09-23 18:43:07 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 14.20.1 and 18.9.1
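
As an added helper, not part of this bug report and not code from Node.js or Mageia, the following classifier tells whether a Node.js version string is at or above the first fixed release for its line, using only the two fixed releases named in the description above (14.20.1 and 18.9.1). The page does not name a fixed 16.x release, so that line is reported as unknown rather than guessed. It accepts the forms that appear in this bug: the process.version style (v14.20.1) and the RPM version-release string (14.20.1-2.1.mga8).

```javascript
'use strict';
// Added example, not from the Mageia bug or Node.js upstream: decide whether a
// Node.js version string is at or above the release in which the September
// 2022 fixes landed for its release line. The fixed releases are the two named
// in this bug's description: 14.20.1 and 18.9.1. Any other major (for instance
// 16.x, whose fixed release is not named on this page) is reported as
// 'unknown' rather than guessed.

// First fixed release per major line, as listed in the bug description.
const FIXED_RELEASES = {
  14: [14, 20, 1],
  18: [18, 9, 1],
};

// Accept "v14.20.1" (process.version), "14.20.1", or an RPM-style
// "14.20.1-2.1.mga8"; anything after the third number is ignored.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status: 'fixed' | 'vulnerable' | 'unknown', line, fixedIn }.
function classify(text) {
  const v = parseVersion(text);
  const fixed = FIXED_RELEASES[v[0]];
  if (!fixed) return { status: 'unknown', line: `${v[0]}.x`, fixedIn: null };
  const status = compareVersions(v, fixed) >= 0 ? 'fixed' : 'vulnerable';
  return { status, line: `${v[0]}.x`, fixedIn: fixed.join('.') };
}

// Check the running interpreter plus the version strings that appear in this bug.
for (const v of [process.version, '14.20.0', '14.20.1-2.1.mga8', '18.9.1']) {
  console.log(v.padEnd(18), JSON.stringify(classify(v)));
}
```

On a Mageia 8 host the string to feed in is the version-release from `rpm -q nodejs`; the RPM release suffix is ignored, only the upstream version triple is compared.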

Comment 1 Lewis Smith 2022-09-23 20:43:53 CEST
Assigning to Joseph who is the registered and active maintainer for this pkg.

Assignee: bugsquad => joequant

Comment 2 christian barranco 2022-09-25 14:27:28 CEST
Hi. I just sent an email to the dev mailing list proposing to update to the 16 LTS branch instead. I have tested that successfully so far locally. What do you think?

CC: (none) => chb0

Comment 3 David Walser 2022-09-25 16:36:46 CEST
14 is still supported.  What would be the reason?
Comment 4 christian barranco 2022-09-25 19:10:21 CEST
Some applications are starting to be impossible to build with 14.x.
It works with 16.x and 18.x.
Comment 5 David Walser 2022-09-25 19:15:59 CEST
Which ones?
Comment 6 christian barranco 2022-09-26 12:23:32 CEST
Signal-desktop for sure. The issue being with Electron, I would not be surprised if Matrix clients (like Element) also face issues, sooner or later.
14.x still receives security patches, but the recommended LTS on the nodejs web site is now 16.x.
Comment 7 David Walser 2022-09-26 14:09:04 CEST
We don't build any electron apps, so that doesn't affect us.
Comment 8 christian barranco 2022-09-27 10:18:40 CEST
Hi. We don't provide such apps in our repo but some users do build these apps, thanks to the dev environment we provide in MGA. 
I am one of them. I have my own repo and I have updated nodejs for MGA8. Not sure all users will do that even if they are knowledgeable enough to compile from source.
Comment 9 christian barranco 2022-09-27 13:20:25 CEST
Hi again. I took care of Cauldron, which was starting to fall behind version-wise, pending direction for MGA8.
Comment 10 David Walser 2022-09-27 13:36:10 CEST
Perhaps 16.x could go in backports.  We can update 14.x for core.
Comment 11 christian barranco 2022-09-27 14:03:03 CEST
ADVISORY NOTICE PROPOSAL
========================
Updated nodejs packages fix security vulnerability


Description
This is a security release.

The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

           
References
https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/



SRPMS
8/core
nodejs-14.20.1-1.1.mga8.src.rpm


PROVIDED PACKAGES:

nodejs-docs-14.20.1-1.1.mga8
nodejs-libs-14.20.1-1.1.mga8
nodejs-devel-14.20.1-1.1.mga8
nodejs-14.20.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.1.1.1.mga8
corepack-14.20.1-1.1.mga8

    
PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.20.1-1.1.noarch.rpm
nodejs-libs-14.20.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-1.1.mga8.x86_64.rpm
nodejs-14.20.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.1.1.mga8.x86_64.rpm
corepack-14.20.1-1.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.20.1-1.1.noarch.rpm
nodejs-libs-14.20.1-1.1.mga8i586.rpm
nodejs-devel-14.20.1-1.1.mga8i586.rpm
nodejs-14.20.1-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.1.1.mga8i586.rpm
corepack-14.20.1-1.1.mga8i586.rpm
Comment 12 christian barranco 2022-09-27 15:39:03 CEST
nodejs 14.20.1 ready for QA.

Having 16.x in backports could be, indeed, a good idea. The only issue is we'll have 3 versions to maintain. So, as MGA9 is not so far away, I propose we monitor whether someone asks for it.

Assignee: joequant => qa-bugs

Comment 13 David Walser 2022-09-27 16:42:25 CEST
Agreed.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 14.20.1 and 18.9.1 => (none)

Comment 14 Len Lawrence 2022-09-28 21:00:50 CEST
mga8, x86_64
Just tried to install the release packages but faltered on corepack because there is no /usr/bin/pwsh.  Where does pwsh come from?

CC: (none) => tarazed25

Len Lawrence 2022-09-28 21:01:54 CEST

Keywords: (none) => feedback

Comment 15 Dave Hodgins 2022-09-29 00:11:19 CEST
corepack is a broken package. /usr/bin/pwsh is Microsoft's powershell.

It is available on some other distros, but not on Mageia.
https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2

It's distributed under the MIT license via github.
https://github.com/PowerShell/PowerShell/blob/master/LICENSE.txt

CC: (none) => davidwhodgins

Comment 16 Dave Hodgins 2022-09-29 00:14:34 CEST
Either powershell can be added to fix the bug, or corepack can be excluded
from the testing as its bug is not a regression. Up to Christian to decide.
Comment 17 christian barranco 2022-09-29 08:35:58 CEST
Hi. I don't remember us having this issue with corepack before. Have we?
Comment 18 christian barranco 2022-09-29 09:20:55 CEST
Ok. Got it now. In fact, in all my tests, I have installed only nodejs (and npm). I have never had to install corepack.
corepack is indeed provided by the nodejs package, but it is not always required and not installed together with nodejs by default.

Corepack was already broken in the previous release.  

Looking at the Cauldron package, the corepack package is not provided anymore. However, its bin files are still installed through the nodejs installation.

Fedora Nodejs ships the corepack package as well, but doesn't have a pwsh package in their official repo. One can get it through a third-party repo, listed on the MSFT site.

openSUSE Nodejs ships the corepack package and they also have a package for PowerShell. However, the pwsh package is in fact the pwsh bin found on GitHub, encapsulated into an openSUSE rpm; it is not built from source.

Looking quickly on GitHub at how to build from source, it looks like we'll need to do things offline with some MSFT tools before packaging. I am not sure everything can be built from source. It might be the reason why openSUSE is not doing it either.

My proposal: as this package was broken already (has it ever worked?) and it is not in Cauldron anymore, I propose to remove it and to remove the bin from the installation.

Let me know in case you think differently.
christian barranco 2022-09-29 10:17:12 CEST

Source RPM: nodejs-18.7.0-2.mga9.src.rpm => nodejs-14.20.0-1.1.mga8.src.rpm

Comment 19 David Walser 2022-09-29 12:03:14 CEST
If it's usable if you do install powershell, I don't see a need to remove it.
Comment 20 Len Lawrence 2022-09-29 12:40:59 CEST
Updated the packages without corepack.  There was a problem with v8-devel.  Lost the error message but it referred to a missing version of nodejs-devel.
Installed the v8-devel package manually from the local repository later without any trouble.
$ rpm -qa | grep nodejs
nodejs-libs-14.20.1-1.1.mga8
nodejs-docs-14.20.1-1.1.mga8
nodejs-14.20.1-1.1.mga8
nodejs-packaging-23-3.mga8
nodejs-devel-14.20.1-1.1.mga8
$ rpm -q v8-devel
v8-devel-8.4.371.23.1.mga8-4.1.mga8

Referred to bug 29872 for testing.

Removed previous installation from the test directory:
$ rm -rf node_modules
$ npm ls -g
displayed a tree at /usr/lib/npm@6.14.17
$ npm ls
returned a stream of errors like:
npm ERR! missing: http-errors@1.8.1, required by raw-body@2.4.3
npm ERR! missing: iconv-lite@0.4.24, required by raw-body@2.4.3
npm ERR! missing: unpipe@1.0.0, required by raw-body@2.4.3
npm ERR! missing: safe-buffer@5.2.1, required by content-disposition@0.5.4
$ npm install express
<various packages downloaded and installed locally>
npm WARN saveError ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN enoent ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.

+ express@4.18.1
added 57 packages from 42 contributors and audited 57 packages in 7.307s

7 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm ls
<lists the modules installed locally>
[...]
  │ └── mime-types@2.1.35 deduped
  ├── utils-merge@1.0.1
  └── vary@1.1.2

npm ERR! extraneous: ms@2.1.3 /home/lcl/qa/nodejs/node_modules/send/node_modules/ms

That all looks OK.
$ npm search express
NAME                      | DESCRIPTION          | AUTHOR          | DATE 
express                   | Fast,…               | =mikeal…        | 2022-
path-to-regexp            | Express style path…  | =blakeembrey…   | 2022-
express-handlebars        | A Handlebars view…   | =ericf =sahat…  | 2022-
.....

$ node helloworld.js
Hello World!
$ node main.js
Server running at http://127.0.0.1:8081/
....

Tried http://localhost:8081/ in firefox - 'Hello World' displayed.

Ran node interactively using
$ node --print-code

That worked fine for simple arithmetic.
Ran the main.js in an interactive session and that worked as well.  'Hello World' appeared in the browser at port 8081.  All the code involved was listed in the terminal down to assembler level.

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
corepack
jupyter-jupyterlab
npm
python3-jupyterlab
ruby-execjs
uglify-js1
ycssmin

Leaving it there but need to reproduce the installation error.  IIRC there was a problem in the v8 area on an earlier bug.
Comment 21 christian barranco 2022-09-29 13:02:30 CEST
Hi
There is an update on Testing. I mirrored the approach of Cauldron. The corepack package is no longer there.
Please, give it a try. It should work.

ADVISORY NOTICE PROPOSAL => UPDATE
========================
Updated nodejs packages fix security vulnerability


Description
This is a security release.

The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

           
References
https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/



SRPMS
8/core
nodejs-14.20.1-2.1.mga8.src.rpm


PROVIDED PACKAGES:

nodejs-docs-14.20.1-2.1.mga8
nodejs-libs-14.20.1-2.1.mga8
nodejs-devel-14.20.1-2.1.mga8
nodejs-14.20.1-2.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.1.1.1.mga8

    
PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-2.1.mga8.x86_64.rpm
nodejs-14.20.1-2.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.1.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8i586.rpm
nodejs-devel-14.20.1-2.1.mga8i586.rpm
nodejs-14.20.1-2.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.1.1.mga8i586.rpm
christian barranco 2022-09-29 13:02:40 CEST

Keywords: feedback => (none)

Comment 22 christian barranco 2022-09-29 13:07:08 CEST
Sorry, forgot I had to increment the v8 package as well.
Here is the right list of packages:


ADVISORY NOTICE PROPOSAL => UPDATE #2
========================
Updated nodejs packages fix security vulnerability


Description
This is a security release.

The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

           
References
https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/



SRPMS
8/core
nodejs-14.20.1-2.1.mga8.src.rpm


PROVIDED PACKAGES:

nodejs-docs-14.20.1-2.1.mga8
nodejs-libs-14.20.1-2.1.mga8
nodejs-devel-14.20.1-2.1.mga8
nodejs-14.20.1-2.1.mga8
v8-devel-8.4.371.23.1.mga8-5.1.mga8
npm-6.14.17-1.14.20.1.2.1.mga8

    
PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-2.1.mga8.x86_64.rpm
nodejs-14.20.1-2.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.2.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8i586.rpm
nodejs-devel-14.20.1-2.1.mga8i586.rpm
nodejs-14.20.1-2.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-5.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.2.1.mga8i586.rpm
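
The advisory above (and its earlier copies in comments 11 and 21) names a bypass via the obs-fold mechanic (CVE-2022-32213) and request smuggling due to incorrect header-field parsing (CVE-2022-35256) without saying what obs-fold is. The block below is an added illustration: it is not code from this bug report, from Node.js or from llhttp, and it does not reproduce the upstream defect. It applies three policies for an RFC 7230 obs-fold continuation line (reject it, unfold it, or skip it) to one constructed request and shows how hops that disagree about such a line also disagree about whether the body is chunked or Content-Length-framed, which is the precondition for request smuggling. The request bytes and the "skip" policy are constructed for the example; the "skip" behaviour is a hypothetical sloppy front end, not any named product.

```javascript
'use strict';
// Added example, not code from the Mageia bug or from Node.js/llhttp. It
// models the "obs-fold" mechanic named in the advisory with toy header
// parsers and shows why two hops that disagree about folded lines can be
// desynchronised. The request below is constructed for the example; nothing
// is sent on the wire.
//
// RFC 7230 s3.2.4: a header line that starts with SP or HTAB is an obsolete
// continuation ("obs-fold") of the previous line. A recipient must either
// reject the message or replace the fold with a single space before using the
// value; silently dropping the folded line is not an option the RFC allows.

// Split a raw request into its header block and the bytes that follow it.
function splitHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end < 0) throw new Error('request head is not terminated by CRLFCRLF');
  return { head: raw.slice(0, end), body: raw.slice(end + 4) };
}

// Parse header lines under one of three policies:
//   'reject' - a folded line is a hard error (strict parser);
//   'unfold' - a folded line is appended to the previous value with one SP;
//   'skip'   - a folded line is discarded (hypothetical sloppy front end).
function parseHeaders(head, policy) {
  const lines = head.split('\r\n');
  const headers = [];
  for (const line of lines.slice(1)) {             // lines[0] is the request line
    if (/^[ \t]/.test(line)) {
      if (policy === 'reject') throw new Error('obs-fold rejected');
      if (policy === 'unfold') {
        if (headers.length === 0) throw new Error('fold before first header');
        const last = headers[headers.length - 1];
        last.value = (last.value + ' ' + line.trim()).trim();
      }
      continue;                                     // 'skip' drops the line
    }
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    headers.push({
      name: line.slice(0, colon).trim().toLowerCase(),
      value: line.slice(colon + 1).trim(),
    });
  }
  return headers;
}

// Decide how a parser that produced these headers would frame the body.
// Transfer-Encoding takes precedence over Content-Length (RFC 7230 s3.3.3).
function framing(headers) {
  const te = headers.filter((h) => h.name === 'transfer-encoding').map((h) => h.value);
  const chunked = te.some((v) =>
    v.split(',').map((s) => s.trim().toLowerCase()).includes('chunked'));
  if (chunked) return { mode: 'chunked' };
  const cl = headers.find((h) => h.name === 'content-length');
  return { mode: 'content-length', length: cl ? Number(cl.value) : 0 };
}

// Outcome for one policy: the framing it derives, or the rejection.
function outcome(raw, policy) {
  try {
    return { accepted: true, ...framing(parseHeaders(splitHead(raw).head, policy)) };
  } catch (e) {
    return { accepted: false, error: e.message };
  }
}

// Constructed request: the Transfer-Encoding value lives only on a folded line,
// so a hop that skips the fold sees an empty Transfer-Encoding and falls back
// to Content-Length, while a hop that unfolds sees "chunked".
const REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: backend.test\r\n' +
  'Content-Length: 5\r\n' +
  'Transfer-Encoding:\r\n' +
  ' chunked\r\n' +
  '\r\n' +
  '0\r\n\r\n';

for (const policy of ['reject', 'unfold', 'skip']) {
  console.log(policy.padEnd(7), JSON.stringify(outcome(REQUEST, policy)));
}
```

Only the reject policy is safe on its own; unfolding is acceptable only when every hop in the chain (reverse proxy, load balancer, the Node process) unfolds identically. The practical check on a deployment is therefore to send a request like the one above to each hop with a raw socket and confirm they all either reject it or derive the same framing.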
Comment 23 Len Lawrence 2022-09-29 17:32:44 CEST
Thanks Christian.
Moved to another system and started again.  All went well.
Repeated the tests in the same test directory and again, no problems.
Finished with
$ node --print-code
> .load main.js
> .save session
> .exit

During the session port 8081 was available in a browser -> Hello World
Server closed by the exit command.  All the code was displayed on screen.
The session file contained the javascript code only.

This looks good.

Whiteboard: (none) => MGA8-64-OK

Comment 24 christian barranco 2022-09-29 18:19:18 CEST
(In reply to David Walser from comment #19)
> If it's usable if you do install powershell, I don't see a need to remove it.

The thing is that I don't see how to install it as a package. Maybe the bin could be provided by the powershell website, extracted from their linux tarball.
The trick used in Cauldron is that the corepack bin is still installed during the nodejs package install, but no longer as a separate package. The hard dependencies on pwsh have been stripped as well.
I don't know how to test this, assuming it works to get pwsh bin from their website. But, as it is the Cauldron strategy, I am assuming it should work. Or, am I overlooking something?
Comment 25 David Walser 2022-09-29 18:24:49 CEST
What you described as to what the Cauldron version does, makes sense.  But yeah, presumably if you wanted to use it, you would install it from Microsoft's repo.  But since we can't provide it, we do need to strip the requires on /bin/pwsh (could also add Recommends: powershell, for those that do have the repo configured).
Comment 26 christian barranco 2022-09-29 20:15:15 CEST
(In reply to David Walser from comment #25)
> What you described as to what the Cauldron version does, makes sense.  But
> yeah, presumably if you wanted to use it, you would install it from
> Microsoft's repo.  But since we can't provide it, we do need to strip the
> requires on /bin/pwsh 
So, this part is done in the update I pushed earlier on. The only change is corepack is not a separate package anymore. It is bundled within the nodejs package.
Is it ok like this (and so, like in Cauldron)?

>(could also add Recommends: powershell, for those that
> do have the repo configured).
The thing is, besides the RedHat repo, assuming it really works with Mageia, there will be no repo to turn to for our Mageia users. The only way would be to download powershell directly from GitHub; this one might work, but I have not tested:
https://github.com/PowerShell/PowerShell/releases/download/v7.2.6/powershell-7.2.6-linux-x64.tar.gz
In such condition, is it still useful to add Recommends: powershell? Would it lead to an installation issue, especially with CCM, if not found?
Comment 27 David Walser 2022-09-29 20:46:42 CEST
Their repo would work with dnf, so the Recommends could still be moderately useful on Mageia, but it's not that important.  The important thing is to filter out the requires on /bin/pwsh.
Comment 28 christian barranco 2022-09-29 20:51:08 CEST
(In reply to David Walser from comment #27)
> Their repo would work with dnf, so the Recommends could still be moderately
> useful on Mageia, but it's not that important.  The important thing is to
> filter out the requires on /bin/pwsh.

Done in the update pushed earlier on.
Ok with you David?
Thanks for taking the time to share your knowledge with me.
Comment 29 David Walser 2022-09-29 21:26:13 CEST
Yeah it doesn't sound like any more adjustments need to be made to the update candidate.  If you want to add the recommends, I would just do that in Cauldron (and only in SVN, no need to push a new build).
Comment 30 christian barranco 2022-09-29 21:30:19 CEST
(In reply to David Walser from comment #29)
> Yeah it doesn't sound like any more adjustments need to be made to the
> update candidate.  If you want to add the recommends, I would just do that
> in Cauldron (and only in SVN, no need to push a new build).

There is an update to be done for Cauldron to stick to the latest release.
I can do it.
Just to make sure, because I have never done it: if Recommends: powershell is added and it doesn't exist in the repo, it will not block or raise warnings during the installation, especially with MCC?
Comment 31 David Walser 2022-09-29 21:44:48 CEST
That's correct.
Comment 32 Thomas Andrews 2022-09-30 02:04:38 CEST
Validating. Advisory in Comment 22.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-01 16:40:25 CEST

Keywords: (none) => advisory

Comment 33 Mageia Robot 2022-10-01 19:50:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0354.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

