Bug 1190054 - (CVE-2021-39134) VUL-0: CVE-2021-39134: nodejs4,nodejs6,nodejs8,nodejs14,nodejs12,nodejs10: nodejs-arborist: symlink following vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/308822/
CVSSv3.1:SUSE:CVE-2021-39134:8.1:(AV:...
Reported: 2021-09-01 10:55 UTC by Robert Frohl
Modified: 2022-08-09 12:11 UTC (History)

Found By: Security Response Team
Description Robert Frohl 2021-09-01 10:55:51 UTC
rh#1999744

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies.

When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem.

For example, a package pwn-a could define a dependency in its package.json file such as "foo": "file:/some/path". Another package, pwn-b, could define a dependency such as "FOO": "file:foo.tgz". On case-insensitive file systems, if pwn-a was installed, and then pwn-b was installed afterwards, the contents of foo.tgz would be written to /some/path, and any existing contents of /some/path would be removed.

Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected.

Reference:
https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999744
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39134
https://www.npmjs.com/package/@npmcli/arborist
Comment 1 OBSbugzilla Bot 2021-11-10 13:40:17 UTC
This is an autogenerated message for OBS integration:
This bug (1190054) was mentioned in
https://build.opensuse.org/request/show/930657 Factory / nodejs14
Comment 3 Swamp Workflow Management 2021-12-02 17:17:46 UTC
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.1-6.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-12-06 17:41:05 UTC
SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.7-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-06 18:04:06 UTC
openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.7-4.22.1
Comment 6 Swamp Workflow Management 2021-12-07 11:16:45 UTC
openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.1-15.21.2
Comment 7 Swamp Workflow Management 2021-12-07 11:18:58 UTC
SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.18.1-15.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-10 14:33:55 UTC
openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.18.1-lp152.17.1
Comment 9 Swamp Workflow Management 2021-12-12 05:18:47 UTC
openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.7-lp152.3.21.1
Comment 11 Swamp Workflow Management 2022-01-18 14:38:41 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Adam Majer 2022-08-09 12:06:08 UTC
All affected codestreams fixed. Reassigning to security team.
Comment 13 Thomas Leroy 2022-08-09 12:11:23 UTC
(In reply to Adam Majer from comment #12)
> All affected codestreams fixed. Reassigning to security team.

Thanks Adam, closing