Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-45143: nodejs, nodejs-electron: cookie leakage in undici | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Bruno Pitrus <brunopitrus> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | ||
| Priority: | P3 - Medium | CC: | amajer, brunopitrus, dheidler, gabriele.sonnu |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/381722/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-45143:3.9:(AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2023-10-13 07:51:55 UTC
Tracking as affected:

- SUSE:ALP:Source:Standard:1.0/nodejs20 (undici v5.23.0)
- SUSE:SLE-12-SP5:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-12-SP5:Update/nodejs18 (undici v5.22.1)
- SUSE:SLE-15-SP3:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-15-SP4:Update/nodejs16 (undici v5.20.0)
- SUSE:SLE-15-SP4:Update/nodejs18 (undici v5.22.1)
- SUSE:SLE-15-SP5:Update/nodejs18 (undici v5.22.1)
- openSUSE:Factory/nodejs-electron (undici v5.20.0)
- openSUSE:Factory/nodejs20 (undici v5.25.2)

Upstream advisory: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

Upstream fix: https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76

This is an autogenerated message for OBS integration:

This bug (1216205) was mentioned in https://build.opensuse.org/request/show/1118025 Factory / nodejs20

SUSE-SU-2023:4133-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216190, 1216205, 1216272, 1216273
CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
Sources used:
- Web and Scripting Module 15-SP4 (src): nodejs18-18.18.2-150400.9.15.1
- Web and Scripting Module 15-SP5 (src): nodejs18-18.18.2-150400.9.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4132-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216190, 1216205, 1216272, 1216273
CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
Sources used:
- Web and Scripting Module 12 (src): nodejs18-18.18.2-8.15.1

SUSE-SU-2023:4150-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216190, 1216205, 1216272, 1216273
CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
Sources used:
- Web and Scripting Module 12 (src): nodejs16-16.20.2-8.36.1

SUSE-SU-2023:4155-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216190, 1216205, 1216272, 1216273
CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
Sources used:
- Web and Scripting Module 15-SP4 (src): nodejs16-16.20.2-150400.3.27.2

I noticed you've decided to upgrade undici wholesale in nodejs16: https://build.opensuse.org/package/view_file/devel:languages:nodejs/nodejs16/CVE-2023-45143.patch?expand=1

whereas I've only backported the specific patch to electron: https://build.opensuse.org/package/view_file/openSUSE:Factory/nodejs-electron/CVE-2023-45143-undici-cookie-leakage.patch?expand=1

Do you think that's ok, Adam? [I don't know if the node testsuite does test undici, and I don't run it anyway for electron]

I basically just followed what upstream NodeJS has done in this case. There are 2 or 3 bundled deps in nodejs these days that are a real pain to patch and undici is one of these. I've complained about this upstream some time ago, but the solution is ... complicated, https://github.com/nodejs/node/issues/42199

If you look at the sources, https://github.com/nodejs/node/tree/main/deps/undici you will find that these are not actually used. They are just the reference version. You then have to build the actual undici.js, which will include things like the WASM binary inside it. Looking in the sources of package.json of the undici package, https://github.com/nodejs/node/blob/main/deps/undici/src/package.json#L73-L75

So the patch is OK. But you'll have to rebuild undici in this case. Worse, the entire ecosystem is built like this. It's a can of worms that you don't want to touch too much or it will unravel like Pandora's Box, and we don't get too much benefit from unraveling it anyway :-)

Unbundling these deps would be beneficial but we can't just stick them inside RPMs.

Well, this vulnerability does not affect the serialized WASM binary in `require_llhttp_wasm`, only code that is pasted near-verbatim in the amalgamation.

Closing this as all tracked packages are patched now.

(In reply to Bruno Pitrus from comment #15)
> Well, this vulnerability does not affect the serialized WASM binary in
> `require_llhttp_wasm`, only code that is pasted near-verbatim in the
> amalgamation.
>
> Closing this as all tracked packages are patched now

Just FYI, but the amalgamation is not rebuilt for undici. So you have to patch the amalgamation.

I do patch it — see https://build.opensuse.org/package/view_file/home:dziobian:gulgul-ultron:19/nodejs-electron/CVE-2023-45143-undici-cookie-leakage.patch?expand=1

The amalgamation is in third_party/electron_node/deps/undici/undici.js

SUSE-SU-2023:4207-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216190, 1216205, 1216272, 1216273
CVE References: CVE-2023-38552, CVE-2023-39333, CVE-2023-44487, CVE-2023-45143
Sources used:
- openSUSE Leap 15.3 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Manager Server 4.2 (src): nodejs16-16.20.2-150300.7.30.1
- SUSE Enterprise Storage 7.1 (src): nodejs16-16.20.2-150300.7.30.1