Bug 1185083 – VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands

Bug 1185083 - (CVE-2021-21372) VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands

(CVE-2021-21372)
Summary:	VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands

Status:	IN_PROGRESS

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.3
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/280574/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-04-21 11:23 UTC by Robert Frohl
Modified:	2022-09-12 14:33 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2021-04-21 11:23:43 UTC

rh#1951714

Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.

https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1951714
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21372
https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
https://github.com/nim-lang/nimble/blob/master/changelog.markdown#0130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21372
https://github.com/nim-lang/nimble/commit/7bd63d504a4157b8ed61a51af47fb086ee818c37
https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/

Comment 1 Robert Frohl 2021-04-21 11:25:35 UTC

affects Factory and Leap

Comment 2 Robert Frohl 2021-04-21 11:28:31 UTC

@Anna: it is not clear who the main maintainer is, please re-assign this bug and the others if the assignment is wrong

Comment 3 John Paul Adrian Glaubitz 2021-04-21 11:32:18 UTC

(In reply to Robert Frohl from comment #2)
> @Anna: it is not clear who the main maintainer is, please re-assign this bug
> and the others if the assignment is wrong

I can take care of this.

Comment 4 OBSbugzilla Bot 2021-04-22 07:00:18 UTC

This is an autogenerated message for OBS integration:
This bug (1185083) was mentioned in
https://build.opensuse.org/request/show/887450 Factory / nim

Comment 5 OBSbugzilla Bot 2021-04-22 07:50:03 UTC

This is an autogenerated message for OBS integration:
This bug (1185083) was mentioned in
https://build.opensuse.org/request/show/887465 15.2 / nim

Comment 6 Swamp Workflow Management 2021-04-25 22:20:55 UTC

openSUSE-SU-2021:0618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185083,1185084,1185085
CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nim-1.2.12-lp152.2.3.1

Comment 7 Swamp Workflow Management 2021-04-29 19:19:18 UTC

openSUSE-SU-2021:0628-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185083,1185084,1185085
CVE References: CVE-2021-21372,CVE-2021-21373,CVE-2021-21374
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    nim-1.2.12-bp152.4.3.1

Comment 8 David Anes 2022-08-10 11:15:13 UTC

Codestream                  Vers.           Request
----------------------------------------------------------------------
Leap:15.1:Update            0.19.6 EOL [4]
Leap:15.2:Update            1.2.12 EOL [4]
Backports:SLE-15:Update     0.19.6 EOL [4]
Backports:SLE-15-SP1:Update 0.19.6 EOL [4]
Backports:SLE-15-SP2:Update 1.2.12 EOL [4]
Backports:SLE-15-SP3:Update 0.19.6 -> 1.6.6 [1]
Backports:SLE-15-SP4:Update 1.2.12 -> 1.6.6 [1]
Factory                     1.6.6 [3] (already there, make the CVE explicitly in changelog)

[1] https://build.opensuse.org/request/show/994306
[2] https://build.opensuse.org/request/show/994305
[3] https://build.opensuse.org/request/show/994303
[4] We are still building up-to-date packages for all Leap and SLE >= 15
in the development project:
* https://build.opensuse.org/package/show/devel:languages:misc/nim

Comment 9 Swamp Workflow Management 2022-08-24 07:16:27 UTC

openSUSE-SU-2022:10095-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712
CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    nim-1.6.6-bp153.2.3.1

Comment 10 Swamp Workflow Management 2022-08-27 16:16:16 UTC

openSUSE-SU-2022:10101-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175332,1175333,1175334,1181705,1185083,1185084,1185085,1185948,1192712
CVE References: CVE-2020-15690,CVE-2020-15692,CVE-2020-15693,CVE-2020-15694,CVE-2021-21372,CVE-2021-21373,CVE-2021-21374,CVE-2021-29495,CVE-2021-41259
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    nim-1.6.6-bp154.2.3.1

Comment 11 David Anes 2022-09-12 14:33:28 UTC

All done. Assigning back to security.