Bug 1190054 (CVE-2021-39134)

Summary: VUL-0: CVE-2021-39134: nodejs4,nodejs6,nodejs8,nodejs14,nodejs12,nodejs10: nodejs-arborist: symlink following vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: smash_bz, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/308822/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-39134:8.1:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2021-09-01 10:55:51 UTC 
rh#1999744

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies.

When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem.

For example, a package pwn-a could define a dependency in their package.json file such as "foo": "file:/some/path". Another package, pwn-b could define a dependency such as FOO: "file:foo.tgz". On case-insensitive file systems, if pwn-a was installed, and then pwn-b was installed afterwards, the contents of foo.tgz would be written to /some/path, and any existing contents of /some/path would be removed.

Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected.

Reference:
https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999744
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39134
https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
https://www.npmjs.com/package/@npmcli/arborist
Comment 1 OBSbugzilla Bot 2021-11-10 13:40:17 UTC 
This is an autogenerated message for OBS integration:
This bug (1190054) was mentioned in
https://build.opensuse.org/request/show/930657 Factory / nodejs14
Comment 3 Swamp Workflow Management 2021-12-02 17:17:46 UTC 
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.1-6.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-12-06 17:41:05 UTC 
SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.7-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-06 18:04:06 UTC 
openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.7-4.22.1
Comment 6 Swamp Workflow Management 2021-12-07 11:16:45 UTC 
openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.1-15.21.2
Comment 7 Swamp Workflow Management 2021-12-07 11:18:58 UTC 
SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.18.1-15.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-10 14:33:55 UTC 
openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.18.1-lp152.17.1
Comment 9 Swamp Workflow Management 2021-12-12 05:18:47 UTC 
openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.7-lp152.3.21.1
Comment 11 Swamp Workflow Management 2022-01-18 14:38:41 UTC 
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Adam Majer 2022-08-09 12:06:08 UTC 
All affected codestreams fixed. Reassigning to security team.
Comment 13 Thomas Leroy 2022-08-09 12:11:23 UTC 
(In reply to Adam Majer from comment #12)
> All affected codestreams fixed. Reassigning to security team.

Thanks Adam, closing