Bug 1200517 (CVE-2022-29244)

Summary: VUL-0: CVE-2022-29244: nodejs14,nodejs4,nodejs6,nodejs12,nodejs16,nodejs10,nodejs8: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Leroy <thomas.leroy>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: amajer, andreas.taschner, meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/334285/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-29244:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Leroy 2022-06-14 09:02:06 UTC 
CVE-2022-29244

npm pack ignores root-level .gitignore and .npmignore file exclusion directives
when run in a workspace or with a workspace flag (ie. `--workspaces`,
`--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a
workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have
published files into the npm registry they did not intend to include. Users
should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g
npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the
patched v8.11.0 version of npm.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29244
https://github.com/nodejs/node/releases/tag/v16.15.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29244
https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/releases/tag/v8.11.0
Comment 1 Thomas Leroy 2022-06-14 09:10:06 UTC 
Only SUSE:SLE-12-SP5:Update/nodejs16, SUSE:SLE-15-SP3:Update/nodejs16 and SUSE:SLE-15-SP4:Update/nodej16 ship a vulnerable version of npm.

However, it seems that the bug is in the package npm-packlist, fixed in v5.0.4 [0] (this commit [1] is also probably required) that we ship in every nodejs versions. 
@Adam, do you think we need to update npm-packlist in the other nodejs versions, even though they don't ship a vulnerable npm version?


[0] https://github.com/npm/npm-packlist/commit/839e6e8b13dc8c5ec14fab79509649d081c3ef54
[1] https://github.com/npm/npm-packlist/commit/b3e4cca5afb4cd33cf0792551513fd506c0b28d0
Comment 2 Adam Majer 2022-06-14 09:54:03 UTC 
npm workspaces were added in npm 7.x and npm14 and below all ship npm 6.x. I don't believe we need to update the older versions for this since the feature is not present.
Comment 3 Thomas Leroy 2022-08-12 13:18:07 UTC 
Hi Adam, it seems that the CVE and bsc id are not mentioned in the nodejs16
changes file (in every codestream), confusing our tracking system. Could you
please add the references in a new SR? :)
We would need a SR for:
- SUSE:SLE-12-SP5:Update/nodejs16
- SUSE:SLE-15-SP3:Update/nodejs16
- SUSE:SLE-15-SP4:Update/nodejs16
Comment 4 Adam Majer 2022-08-16 14:30:25 UTC 
I've added references to .changes file and sr pending. Bug was fixed in nodejs16 16.15.1
Comment 6 Swamp Workflow Management 2022-09-08 13:59:26 UTC 
SUSE-SU-2022:3196-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.17.0-8.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-09-12 10:26:48 UTC 
SUSE-SU-2022:3250-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.17.0-150400.3.6.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.17.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-09-12 10:33:26 UTC 
SUSE-SU-2022:3251-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.17.0-150300.7.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.17.0-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.