[ASA-202101-13] nodejs-lts-dubnium: multiple issues

Morten Linderud foxboron at archlinux.org
Fri Jan 15 21:08:37 UTC 2021


Arch Linux Security Advisory ASA-202101-13
==========================================

Severity: High
Date    : 2021-01-12
CVE-ID  : CVE-2020-8265 CVE-2020-8287
Package : nodejs-lts-dubnium
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1403

Summary
=======

The package nodejs-lts-dubnium before version 10.23.1-1 is vulnerable
to multiple issues including arbitrary code execution and url request
injection.

Resolution
==========

Upgrade to 10.23.1-1.

# pacman -Syu "nodejs-lts-dubnium>=10.23.1-1"

The problems have been fixed upstream in version 10.23.1.

Workaround
==========

None.

Description
===========

- CVE-2020-8265 (arbitrary code execution)

The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a
use-after-free bug in their TLS implementation. When writing to a TLS
enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite
with a freshly allocated WriteWrap object as first argument. If the
DoWrite method does not return an error, this object is passed back to
the caller as part of a StreamWriteResult structure. This may be
exploited to corrupt memory, leading to a denial of service or
potentially other consequences. The issue is fixed in nodejs versions
15.5.1, 14.15.4, 12.20.1 and 10.23.1.

- CVE-2020-8287 (url request injection)

The nodejs release lines 15.x, 14.x, 12.x and 10.x accept two copies of
a header field in an HTTP request, for example two Transfer-Encoding
header fields. In that case Node.js honours the first header field and
ignores the second. This can lead to HTTP request smuggling. The
issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.
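
The duplicate-header condition described above can be detected before a
request reaches a parser that silently keeps only one copy. The following
is an added example, not code from this advisory or from Node.js itself:
a small check that a reverse proxy, WAF rule or integration test could run
on a raw HTTP/1.1 request head. It parses the head while preserving
duplicate fields, then flags more than one Transfer-Encoding or
Content-Length header and, going one step beyond the advisory text, the
presence of both at once, since RFC 7230 section 3.3.3 treats that
combination as a request smuggling risk as well. The function names and
the sample requests are constructed for this example.

```javascript
// Added example (not part of the advisory or of Node.js): a defensive
// framing check for raw HTTP/1.1 request heads. Function names and sample
// requests are constructed for illustration.

// Header fields that define message framing and must occur at most once.
const SINGLETON_FRAMING_HEADERS = ['transfer-encoding', 'content-length'];

// Parse the request head (everything before the first blank line) into
// the request line and an array of [name, value] pairs. Duplicates are
// kept on purpose: collapsing them is exactly what hides the problem.
function parseRequestHead(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? raw : raw.slice(0, headEnd);
  const lines = head.split('\r\n');
  const requestLine = lines[0];
  const headers = [];
  for (const line of lines.slice(1)) {
    if (line === '') continue;
    const colon = line.indexOf(':');
    if (colon === -1) {
      throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    }
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers.push([name, value]);
  }
  return { requestLine, headers };
}

// Return a list of framing problems found in the request head. An empty
// list means the framing is unambiguous and the request may be forwarded.
function framingProblems(raw) {
  const { headers } = parseRequestHead(raw);
  const problems = [];
  const counts = new Map();
  for (const [name] of headers) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  for (const name of SINGLETON_FRAMING_HEADERS) {
    const n = counts.get(name) || 0;
    if (n > 1) {
      problems.push(`${n} copies of ${name} header`);
    }
  }
  // Transfer-Encoding together with Content-Length is also ambiguous
  // (RFC 7230 section 3.3.3): two hops may disagree on which one wins.
  if (counts.has('transfer-encoding') && counts.has('content-length')) {
    problems.push('both transfer-encoding and content-length present');
  }
  return problems;
}

// Constructed sample requests (not captured traffic).
const CLEAN_REQUEST =
  'POST /submit HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 5\r\n' +
  '\r\n' +
  'hello';

const DUPLICATE_TE_REQUEST =
  'POST /submit HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Transfer-Encoding: chunked\r\n' +
  'Transfer-Encoding: identity\r\n' +
  '\r\n' +
  '0\r\n\r\n';

const TE_AND_CL_REQUEST =
  'POST /submit HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 5\r\n' +
  'Transfer-Encoding: chunked\r\n' +
  '\r\n' +
  '0\r\n\r\n';

for (const [label, req] of [
  ['clean', CLEAN_REQUEST],
  ['duplicate-te', DUPLICATE_TE_REQUEST],
  ['te-and-cl', TE_AND_CL_REQUEST],
]) {
  const problems = framingProblems(req);
  console.log(label, problems.length === 0 ? 'ok' : problems.join('; '));
}
```

A request that yields a non-empty problem list should be rejected with a
400 response rather than forwarded; the patched Node.js releases listed
above reject duplicate Transfer-Encoding fields themselves, so this check
matters most on an intermediary that sits in front of unpatched backends.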

Impact
======

A malicious user could achieve data exfiltration through HTTP headers
or execute arbitrary code through poor API usage.

References
==========

https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
https://github.com/nodejs-private/node-private/issues/227
https://hackerone.com/bugs?subject=nodejs&report_id=988103
https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326
https://hackerone.com/bugs?report_id=1002188&subject=nodejs
https://github.com/nodejs-private/llhttp-private/pull/3
https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c
https://security.archlinux.org/CVE-2020-8265
https://security.archlinux.org/CVE-2020-8287