Fixes the following security issue:
DNS rebinding in --inspect via invalid octal IP address (Medium) (CVE-2022-43548)
The Node.js rebinding protector for --inspect still allows invalid IP
address, specifically, the octal format. An example of an octal IP address
is 1.09.0.0, the 09 octet is invalid because 9 is not a number in the base 8
number system. Browsers such as Firefox (tested on latest version m105)
will still attempt to resolve this invalid octal address via DNS. When
combined with an active --inspect session, such as when using VSCode, an
attacker can perform DNS rebinding and execute arbitrary code
Update license hash for an update of base64 (MIT license) and a change in
copyright year:
8ea9a71b159f14dc1a8f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This is currently the latest version in the v16.x branch.
Patch 0001-add-qemu-wrapper-support.patch needs some minor adaptations
to resolve conflicts with other unrelated upstream changes. The other
patches are simply refreshed.
The license file is updates due to:
- Reformatting changes
- Addition of the mention of some files being under GPLv3, but it's
only the autoconf machinery: aclocal.m4 and config.guess, so it's
not relevant to add in our LICENSE variable.
- Addition of the mention of another file being under the MIT
license (install-sh), and MIT is already listed, and this file is
anyway only part of the autoconf machinery.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
specifically defined to use a particular SAN type, can result in bypassing
name-constrained intermediates. Node.js was accepting URI SAN types, which
PKIs are often not defined to use. Additionally, when a protocol allows URI
SANs, Node.js did not match the URI correctly.
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It
uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate chain,
allowing the bypass of these name constraints.
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly.
Attackers could craft certificate subjects containing a single-value
Relative Distinguished Name that would be interpreted as a multi-value
Relative Distinguished Name, for example, in order to inject a Common Name
that would allow bypassing the certificate subject verification.
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Due to the formatting logic of the console.table() function it was not safe
to allow user controlled input to be passed to the properties parameter
while simultaneously passing a plain object with at least one property as
the first parameter, which could be __proto__. The prototype pollution has
very limited control, in that it only allows an empty string to be assigned
numerical keys of the object prototype.
For details, see the advisory:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Changes include:
- Remove the dependency on Python2, as nodejs 14 supports Python 3.
- Remove --without-snapshot as it's no longer a supported config
option.
- Remove /openssl to the shared-openssl-includes config option, as the
build system automatically appends /openssl to the includes path.
- License file changes:
- Removed deps/http_parser (MIT)
- Removed deps/node-inspect (MIT)
- Updated some URLs and license years
Since the removed parts are MIT like NodeJS itself, the license info
doesn't change.
- Add a qemu wrapper. V8's JIT infrastructure requires binaries such
as mksnapshot and mkpeephole to be run in the host during the build.
However, these binaries must have the same bit-width as the target
(e.g. a x86_64 host targeting ARMv6 needs to produce a 32-bit
binary). To work around this issue, cross-compile the binaries for
the target and run them on the host with QEMU, much like
gobject-introspection.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
[Arnout:
- use exec in qemu-wrapper script;
- remove s390x support - qemu doesn't have it.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
- CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
insufficient relative path sanitization
- CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
- CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might
be able to exploit the memory corruption, to change process behavior.
Drop 0002-Fix-build-with-ICU-68.patch as this is now fixed upstream since
https://github.com/nodejs/node/commit/e459c79b02
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2020-7774: npm upgrade to 6.14.12 - Update y18n to fix
Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by
prototype pollution.
https://github.com/advisories/GHSA-c4w7-xm78-47vh
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors. If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g. a file. If no
file descriptor limit is configured, then this lead to an excessive memory
usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”. When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network. If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain. As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions
are vulnerable to a use-after-free bug in its TLS implementation. When
writing to a TLS enabled socket, node::StreamBase::Write calls
node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first
argument. If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure. This
may be exploited to corrupt memory leading to a Denial of Service or
potentially other exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of
Node.js allow two copies of a header field in a http request. For
example, two Transfer-Encoding header fields. In this case Node.js
identifies the first header field and ignores the second. This can lead
to HTTP Request Smuggling
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
Update the license hash for the addition of the (MIT licensed)
cjs-module-lexer module:
9eb1fa1924
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
- CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a host of
their choice could trigger a Denial of Service by getting the application
to resolve a DNS record with a larger number of responses.
https://nodejs.org/en/blog/release/v12.19.1/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
Affected Node.js versions converted carriage returns in HTTP request
headers to a hyphen before parsing. This can lead to HTTP Request
Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
- CVE-2020-8252: fs.realpath.native may cause buffer overflow
libuv's realpath implementation incorrectly determined the buffer size
which can result in a buffer overflow if the resolved path is longer than
256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
Adjust license hash for the addition of the BSD-3c licensed highlight.js:
6f8b7a85d2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
See https://nodejs.org/en/blog/release/v12.18.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues (12.15.0):
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
header
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
malformed certificate string
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
On top of this, 12.16.0 brings a number of changes and bugfixes.
Update the license hash for an addition of the (MIT) licensing terms for the
uvwsai module:
+
+- uvwasi, located at deps/uvwasi, is licensed as follows:
+ """
+ MIT License
+
+ Copyright (c) 2019 Colin Ihrig and Contributors
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+ """
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed libhttpparser dependency as nodejs now uses built in llhttp.
Installed additional build tools to host that are required for target build.
License file change is due to 3rd party dependency changes and date updates.
Dependencies still appear to have Apache and BSD family licenses.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
- CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data
from a specified resource over multiple streams. They manipulate window
size and stream priority to force the server to queue the data in 1-byte
chunks. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both, potentially leading to a denial of
service.
- CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess
CPU, memory, or both, potentially leading to a denial of service.
- CVE-2019-9513 "Resource Loop": The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess
CPU, potentially leading to a denial of service.
- CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and
sends an invalid request over each stream that should solicit a stream of
RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both,
potentially leading to a denial of service.
- CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data
is queued, this can consume excess CPU, memory, or both, potentially
leading to a denial of service.
- CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of
headers with a 0-length header name and 0-length header value, optionally
Huffman encoded into 1-byte or greater headers. Some implementations
allocate memory for these headers and keep the allocation alive until the
session dies. This can consume excess memory, potentially leading to a
denial of service.
- CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave the
TCP window closed so the peer cannot actually write (many of) the bytes on
the wire. The attacker then sends a stream of requests for a large
response object. Depending on how the servers queue the responses, this
can consume excess memory, CPU, or both, potentially leading to a denial
of service.
- CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames
with an empty payload and without the end-of-stream flag. These frames
can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU, potentially leading to a denial of service.
(Discovered by Piotr Sikora of Google)
Notice that this version bump requires nghttp2 1.39.2. It also includes an
(unconditional) embedded copy of brotli.
Update the license hash because of copyright year changes and the addition
of the MIT-style license text for large_pages and brotli.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
See https://nodejs.org/en/blog/release/v10.15.3/
The host tool "torque" is unfortunately not built by complying to our
LDFLAGS, so it is not built with the proper RPATH. We fix that using
patchelf, and install it to $(HOST_DIR) to make it available during
the build of the target nodejs.
Signed-off-by: Martin Bark <martin@barkynet.com>
[Thomas:
- add explanation in the commit log about torque
- install torque in $(HOST_DIR)/bin and not $(HOST_DIR)/usr/bin]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes regressions introduced by the v8.14.0 security release. From the
announcement:
The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line. This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <<a href="mailto:peter@korsgaard.com">peter@korsgaard.com</a>><br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet was
crafted in a particular way. This patch checks that there is enough data
for the required elements of an NAPTR record (2 int16, 3 bytes for string
lengths) before processing a record.
See https://nodejs.org/en/blog/release/v8.1.4/
[Peter: add CVE info]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
