Arch Linux 811 Published by

A nodejs-lts-dubnium security update has been released for Arch Linux.



ASA-202101-13: nodejs-lts-dubnium: multiple issues


Arch Linux Security Advisory ASA-202101-13
=========================================
Severity: High
Date : 2021-01-12
CVE-ID : CVE-2020-8265 CVE-2020-8287
Package : nodejs-lts-dubnium
Type : multiple issues
Remote : No
Link :   https://security.archlinux.org/AVG-1403

Summary
======
The package nodejs-lts-dubnium before version 10.23.1-1 is vulnerable
to multiple issues including arbitrary code execution and url request
injection.

Resolution
=========
Upgrade to 10.23.1-1.

# pacman -Syu "nodejs-lts-dubnium>.23.1-1"

The problems have been fixed upstream in version 10.23.1.

Workaround
=========
None.

Description
==========
- CVE-2020-8265 (arbitrary code execution)

The nodejs release lines 15.x, 14.x, 12.x and 10.x are vulnerable to a
use-after-free bug in its TLS implementation. When writing to a TLS
enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite
with a freshly allocated WriteWrap object as first argument. If the
DoWrite method does not return an error, this object is passed back to
the caller as part of a StreamWriteResult structure. This may be
exploited to corrupt memory leading to a Denial of Service or
potentially other exploits. The issue is fixed in nodejs versions
15.5.1, 14.15.4, 12.20.1 and 10.23.1.

- CVE-2020-8287 (url request injection)

The nodejs release lines 15.x, 14.x, 12.x and 10.x allow two copies of
a header field in an HTTP request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header field
and ignores the second. This can lead to HTTP Request Smuggling. The
issue is fixed in nodejs versions 15.5.1, 14.15.4, 12.20.1 and 10.23.1.

Impact
=====
A malicious user could achieve data exfiltration through HTTP headers
or execute arbitrary code through poor API usage.

References
=========
  https://groups.google.com/g/nodejs-sec/c/kyzmwvQdUfs/m/7mjPCzY2BAAJ
  https://github.com/nodejs-private/node-private/issues/227
  https://hackerone.com/bugs?subject=nodejs&report_id?8103
  https://github.com/nodejs/node/commit/9834ef85a0a549a45a98f04dc51af1782a7126ee
  https://github.com/nodejs/node/commit/4f8772f9b731118628256189b73cd202149bbd97
  https://github.com/nodejs/node/commit/5b00de7d67a1372aa342115ad28edd3f78268bb6
  https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed
  https://github.com/nodejs/node/commit/357e2857c8385c303782ced2ac8b568df06d4326
  https://hackerone.com/bugs?report_id02188&subject=nodejs
  https://github.com/nodejs-private/llhttp-private/pull/3
  https://github.com/nodejs/node/commit/e0c9a2285cfe18642d15d5ed9b7122755c6e66e0
  https://github.com/nodejs/node/commit/c5dbe831b714b3a98c59ba2406b791fb27016d79
  https://github.com/nodejs/node/commit/641f786bb1a1f6eb1ff8750782ed939780f2b31a
  https://github.com/nodejs/node/commit/7ecac8143f0a91785ed0bd3b4d9aab5d98419b41
  https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
  https://github.com/nodejs/node/commit/4a30ac8c755d0701e773831ce22153b66bb36305
  https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b
  https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
  https://github.com/nodejs/node/commit/aa6b97fb99d7528649fadb4c6a894e078fe4323c
  https://security.archlinux.org/CVE-2020-8265
  https://security.archlinux.org/CVE-2020-8287