nodejs: CVE-2014-7192

Related Vulnerabilities: CVE-2014-7192  

Debian Bug report logs - #773623
nodejs: CVE-2014-7192

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sun, 21 Dec 2014 03:09:02 UTC

Severity: serious

Tags: jessie-ignore, security, stretch-ignore



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package src:nodejs. (Sun, 21 Dec 2014 03:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 21 Dec 2014 03:09:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nodejs: CVE-2014-7192
Date: Sat, 20 Dec 2014 22:07:24 -0500
package: src:nodejs
severity: important
tags: security

Hi,

the following vulnerability was published for nodejs.

CVE-2014-7192[0],[1]:
| Eval injection vulnerability in index.js in the syntax-error package
| before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
| Developer and other products, allows remote attackers to execute
| arbitrary code via a crafted file.

The advisories seem to indicate that this is fixed in the development
version 0.11, but I haven't checked that.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-7192
[1] https://nodesecurity.io/advisories/syntax-error-potential-script-injection

Please adjust the affected versions in the BTS as needed.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package src:nodejs. (Sun, 21 Dec 2014 10:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 21 Dec 2014 10:33:04 GMT) (full text, mbox, link).


Message #10 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Michael Gilbert <mgilbert@debian.org>, 773623@bugs.debian.org
Subject: Re: Bug#773623: nodejs: CVE-2014-7192
Date: Sun, 21 Dec 2014 11:31:35 +0100
On Saturday, 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
> package: src:nodejs
> CVE-2014-7192[0],[1]:
> | Eval injection vulnerability in index.js in the syntax-error package
> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
> | Developer and other products, allows remote attackers to execute
> | arbitrary code via a crafted file.

This doesn't affect nodejs, but the "syntax-error" module, a dependency
of browserify - both not packaged in debian.

Cannot reassign, then. Maybe close ?

Jérémy.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package src:nodejs. (Sun, 21 Dec 2014 17:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 21 Dec 2014 17:48:04 GMT) (full text, mbox, link).


Message #15 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 773623@bugs.debian.org
Subject: Re: Bug#773623: nodejs: CVE-2014-7192
Date: Sun, 21 Dec 2014 12:43:54 -0500
On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> On Saturday, 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
>> package: src:nodejs
>> CVE-2014-7192[0],[1]:
>> | Eval injection vulnerability in index.js in the syntax-error package
>> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
>> | Developer and other products, allows remote attackers to execute
>> | arbitrary code via a crafted file.
>
> This doesn't affect nodejs, but the "syntax-error" module, a dependency
> of browserify - both not packaged in debian.
>
> Cannot reassign, then. Maybe close ?

The advisories seem to indicate that the origin of the flaw lies
within nodejs, not the libraries using it.  That may be right or
wrong, but it should be checked.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package src:nodejs. (Sun, 21 Dec 2014 21:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 21 Dec 2014 21:39:04 GMT) (full text, mbox, link).


Message #20 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Michael Gilbert <mgilbert@debian.org>, 773623@bugs.debian.org
Cc: "control@bugs.debian.org" <control@bugs.debian.org>
Subject: Re: Bug#773623: nodejs: CVE-2014-7192
Date: Sun, 21 Dec 2014 22:36:55 +0100
reassign 773623 libv8-3.14
thanks

On Sunday, 21 December 2014 at 12:43 -0500, Michael Gilbert wrote:
> On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> > On Saturday, 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
> >> package: src:nodejs
> >> CVE-2014-7192[0],[1]:
> >> | Eval injection vulnerability in index.js in the syntax-error package
> >> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
> >> | Developer and other products, allows remote attackers to execute
> >> | arbitrary code via a crafted file.
> >
> > This doesn't affect nodejs, but the "syntax-error" module, a dependency
> > of browserify - both not packaged in debian.
> >
> > Cannot reassign, then. Maybe close ?
> 
> The advisories seem to indicate that the origin of the flaw lies
> within nodejs, not the libraries using it.  That may be right or
> wrong, but it should be checked.

Right, two hours of skimming through v8 issues later, here is a proper
report of the issue with a link to the patch fixing it.

https://code.google.com/p/v8/issues/detail?id=2470

I confirm the issue is real, reproducible in v8-3.14, and serious (since
it is so easy to reproduce).

Side note: any javascript code using "eval" directly, or indirectly
through Function(str), in nodejs, in browser, wherever, will have
security issues today or tomorrow... there are several developers still
using eval for checking syntax errors and it is wrong.

Jérémy.
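
The side note above, as an added example that is not part of the thread: a syntax check in Node.js that only parses its input, next to the eval-style check the note warns about. It assumes a current Node.js; the function names and sample inputs are constructed for illustration.

```javascript
// Added example (not from the bug thread): syntax checking without evaluation.
const vm = require('node:vm');

// Constructed sample inputs. The first is valid code with a visible side
// effect, so we can tell whether a checker ran it; the second is malformed.
const SAMPLE_VALID = 'globalThis.__checkerRanInput = true;';
const SAMPLE_BROKEN = 'function f( {\n  return 1;\n}';

// The pattern the message warns about: "checking" syntax by evaluating input.
// Any input that parses is also executed as part of the check.
function checkWithEval(src) {
  try {
    (0, eval)(src); // indirect eval: runs src in the global scope
    return { ok: true };
  } catch (err) {
    return { ok: false, name: err.name, message: err.message };
  }
}

// Parse-only check: vm.Script compiles the source and reports syntax errors,
// but nothing executes unless one of the script's run*() methods is called.
// The input is parsed as a classic script, so ES module syntax is rejected.
function checkSyntax(src, filename = 'input.js') {
  try {
    new vm.Script(String(src), { filename });
    return { ok: true };
  } catch (err) {
    if (err.name !== 'SyntaxError') throw err;
    // Best effort: Node usually prefixes the stack with "<filename>:<line>".
    // That layout is not a stable API, so line is null when it is absent.
    const m = /^(.+):(\d+)\r?\n/.exec(String(err.stack));
    const line = m && m[1] === filename ? Number(m[2]) : null;
    return { ok: false, name: err.name, message: err.message, line };
  }
}

// Runs a checker over src and reports whether the input's code was executed.
function sideEffectObserved(checker, src) {
  delete globalThis.__checkerRanInput;
  checker(src);
  const ran = globalThis.__checkerRanInput === true;
  delete globalThis.__checkerRanInput;
  return ran;
}

console.log('eval-based check executed input:', sideEffectObserved(checkWithEval, SAMPLE_VALID));
console.log('parse-only check executed input:', sideEffectObserved(checkSyntax, SAMPLE_VALID));
console.log('parse-only result on broken input:', checkSyntax(SAMPLE_BROKEN, 'sample.js'));
```
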





Bug reassigned from package 'src:nodejs' to 'libv8-3.14'. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 21:39:07 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important' Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 21 Dec 2014 22:12:04 GMT) (full text, mbox, link).


Severity set to 'normal' from 'grave' Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 21:39:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Tue, 28 Feb 2017 12:33:07 GMT) (full text, mbox, link).


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 28 Feb 2017 12:33:07 GMT) (full text, mbox, link).


Message #31 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Unfixed old CVEs should really be RC
Date: Tue, 28 Feb 2017 14:28:28 +0200
Control: severity -1 serious

Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
4 years old when stretch gets released.

In the current state the package is really too buggy for shipping
in a new stable release.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




Severity set to 'serious' from 'normal' Request was from Adrian Bunk <bunk@debian.org> to 773623-submit@bugs.debian.org. (Tue, 28 Feb 2017 12:33:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Mon, 03 Apr 2017 18:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 03 Apr 2017 18:06:05 GMT) (full text, mbox, link).


Message #38 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Adrian Bunk <bunk@debian.org>
Cc: 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Re: Unfixed old CVEs should really be RC
Date: Mon, 3 Apr 2017 20:03:16 +0200
On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> Control: severity -1 serious
> 
> Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> 4 years old when stretch gets released.
> 
> In the current state the package is really too buggy for shipping
> in a new stable release.

Note that nodejs will not be covered by security support in stretch (as it was
done for jessie already). We had initially considered it, but with
nodejs 6 not having made it into stretch, that's not realistic.

So these can be downgraded to non-RC (or if the release team thinks
nodejs should rather be removed from testing, removal is also an option
of course).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Mon, 03 Apr 2017 18:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 03 Apr 2017 18:18:04 GMT) (full text, mbox, link).


Message #43 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Re: Unfixed old CVEs should really be RC
Date: Mon, 3 Apr 2017 21:13:56 +0300
On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > Control: severity -1 serious
> > 
> > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > 4 years old when stretch gets released.
> > 
> > In the current state the package is really too buggy for shipping
> > in a new stable release.
> 
> Note that nodejs will not be covered by security support in stretch (as it was
> done for jessie already). We had initially considered it, but with
> nodejs 6 not having made it into stretch, that's not realistic.
> 
> So these can be downgraded to non-RC (or if the release team thinks
> nodejs should rather be removed from testing, removal is also an option
> of course).

This is not even the normal Node.js, this is a version of V8 from an 
upstream branch that is dead for 4 years already.

> Cheers,
>         Moritz

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Mon, 03 Apr 2017 19:03:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 03 Apr 2017 19:03:07 GMT) (full text, mbox, link).


Message #48 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Adrian Bunk <bunk@debian.org>
Cc: 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Re: Unfixed old CVEs should really be RC
Date: Mon, 3 Apr 2017 21:01:34 +0200
On Mon, Apr 03, 2017 at 09:13:56PM +0300, Adrian Bunk wrote:
> On Mon, Apr 03, 2017 at 08:03:16PM +0200, Moritz Muehlenhoff wrote:
> > On Tue, Feb 28, 2017 at 02:28:28PM +0200, Adrian Bunk wrote:
> > > Control: severity -1 serious
> > > 
> > > Dozens of unfixed CVEs, the oldest unfixed CVEs will be more than
> > > 4 years old when stretch gets released.
> > > 
> > > In the current state the package is really too buggy for shipping
> > > in a new stable release.
> > 
> > Note that nodejs will not be covered by security support in stretch (as it was
> > done for jessie already). We had initially considered it, but with
> > nodejs 6 not having made it into stretch, that's not realistic.
> > 
> > So these can be downgraded to non-RC (or if the release team thinks
> > nodejs should rather be removed from testing, removal is also an option
> > of course).
> 
> This is not even the normal Node.js, this is a version of V8 from an 
> upstream branch that is dead for 4 years already.

Right. Initially there was some plan to provide a supported libv8
from src:nodejs, though.

libv8 has never been covered by security support in any Debian release
so far, upstream does no real security support apart from what lands
in Chrome.

Cheers,
        Moritz



Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 05 Apr 2017 07:09:08 GMT) (full text, mbox, link).


Added tag(s) jessie-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 19 Apr 2017 09:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Fri, 18 Jan 2019 10:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <andreas@an3as.eu>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 18 Jan 2019 10:39:07 GMT) (full text, mbox, link).


Message #57 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <andreas@an3as.eu>
To: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>, Jérémy Lal <kapouer@melix.org>, Jonas Smedegaard <dr@jones.dk>, Balint Reczey <balint@balintreczey.hu>
Cc: 853512@bugs.debian.org, 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Status of libv8?
Date: Fri, 18 Jan 2019 11:37:30 +0100
Hi,

I just realised that one of my packages does not migrate to testing due
to its dependency from r-cran-v8 and in turn from libv8-devel.  I
realised that while libv8 has 3 security bugs which are set to
stretch-ignore (#760385, #773623, #773671 - should this somehow also be
set to buster-ignore??? - I had no idea that we ignore CVEs at all but
anyway) it probably can not migrate to testing since it does not even
build:

   #853512 libv8-3.14: ftbfs with GCC-7

This bug is RC since 6 months but there is no response from any
uploader.  So I tried to clone the repository from Salsa and realised
that there is none at the place I would have expected
(https://salsa.debian.org/js-team/libv8).  Is there any other place
(besides digging into Alioth archives where I could find the
repository?)  I admit I'm not motivated to find out how to restore
old repositories but would rather use

   gbp import-dscs --ignore-repo-config --debsnap --pristine-tar libv8

instead.  Any information about the status of this package would be
really welcome.

However, when reading

   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671#59

it might rather be the best idea to remove this lib from Debian at all and
I need to see how I can avoid depending from this package.

Kind regards

       Andreas.

PS: Please CC me.  I'm not subscribed to this list.

-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Fri, 18 Jan 2019 10:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 18 Jan 2019 10:57:06 GMT) (full text, mbox, link).


Message #62 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Andreas Tille <andreas@an3as.eu>
Cc: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>, Jonas Smedegaard <dr@jones.dk>, Balint Reczey <balint@balintreczey.hu>, 853512@bugs.debian.org, 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Re: Status of libv8?
Date: Fri, 18 Jan 2019 11:51:38 +0100
On Fri, 18 Jan 2019 at 11:37, Andreas Tille <andreas@an3as.eu> wrote:

> Hi,
>
> I just realised that one of my packages does not migrate to testing due
> to its dependency from r-cran-v8 and in turn from libv8-devel.  I
> realised that while libv8 has 3 security bugs which are set to
> stretch-ignore (#760385, #773623, #773671 - should this somehow also be
> set to buster-ignore??? - I had no idea that we ignore CVEs at all but
> anyway) it probably can not migrate to testing since it does not even
> build:
>
>    #853512 libv8-3.14: ftbfs with GCC-7
>
> This bug is RC since 6 months but there is no response from any
> uploader.  So I tried to clone the repository from Salsa and realised
> that there is none at the place I would have expected
> (https://salsa.debian.org/js-team/libv8).  Is there any other place
> (besides digging into Alioth archives where I could find the
> repository?)  I admit I'm not motivated to find out how to restore
> old repositories but would rather use
>
>    gbp import-dscs --ignore-repo-config --debsnap --pristine-tar libv8
>
> instead.  Any information about the status of this package would be
> really welcome.
>
> However, when reading
>
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671#59
>
> it might rather be the best idea to remove this lib from Debian at all and
> I need to see how I can avoid depending from this package.
>

Indeed, I am sorry for this bad state of things; I thought I could handle
it, but obviously I couldn't.

Possible solutions (besides not using it at all):
- bundle it - nodejs bundles it
- change nodejs to build its v8 as a shared lib, and provide it
  it makes sense because upstream nodejs does all the work of keeping ABI
  stability, backporting security fixes, choosing the right version, and so on.
- take over maintenance and distribute it independently of nodejs

Jérémy

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#773623; Package libv8-3.14. (Fri, 18 Jan 2019 12:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Tille <andreas@an3as.eu>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 18 Jan 2019 12:09:05 GMT) (full text, mbox, link).


Message #67 received at 773623@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <andreas@an3as.eu>
To: Jérémy Lal <kapouer@melix.org>
Cc: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>, Jonas Smedegaard <dr@jones.dk>, Balint Reczey <balint@balintreczey.hu>, 853512@bugs.debian.org, 760385@bugs.debian.org, 773623@bugs.debian.org, 773671@bugs.debian.org
Subject: Re: Status of libv8?
Date: Fri, 18 Jan 2019 13:04:30 +0100
Hi Jérémy,

On Fri, Jan 18, 2019 at 11:51:38AM +0100, Jérémy Lal wrote:
> > However, when reading
> >
> >    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671#59
> >
> > it might rather be the best idea to remove this lib from Debian at all and
> > I need to see how I can avoid depending from this package.
> 
> Indeed, I am sorry for this bad state of things; I thought I could handle
> it, but obviously I couldn't.
> 
> Possible solutions (besides not using it at all):
> - bundle it - nodejs bundles it
> - change nodejs to build its v8 as a shared lib, and provide it
>   it makes sense because upstream nodejs does all the work of keeping ABI
>   stability, backporting security fixes, choosing the right version, and so on.
> - take over maintenance and distribute it independently of nodejs

This sounds like a pretty sensible solution.  I see you and Jonas are
also uploaders for nodejs.  It would be really great if you could do
this.

Kind regards

       Andreas.

-- 
http://fam-tille.de




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:51 2019; Machine Name: beach
