Bug 1200517 – VUL-0: CVE-2022-29244: nodejs14,nodejs4,nodejs6,nodejs12,nodejs16,nodejs10,nodejs8: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace

Bug 1200517 - (CVE-2022-29244) VUL-0: CVE-2022-29244: nodejs14,nodejs4,nodejs6,nodejs12,nodejs16,nodejs10,nodejs8: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace

(CVE-2022-29244)
Summary:	VUL-0: CVE-2022-29244: nodejs14,nodejs4,nodejs6,nodejs12,nodejs16,nodejs10,no...

Status:	IN_PROGRESS

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/334285/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-29244:6.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-06-14 09:02 UTC by Thomas Leroy
Modified:	2022-09-12 10:33 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2022-06-14 09:02:06 UTC

CVE-2022-29244

npm pack ignores root-level .gitignore and .npmignore file exclusion directives
when run in a workspace or with a workspace flag (ie. `--workspaces`,
`--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a
workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have
published files into the npm registry they did not intend to include. Users
should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g
npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the
patched v8.11.0 version of npm.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29244
https://github.com/nodejs/node/releases/tag/v16.15.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29244
https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/releases/tag/v8.11.0

Comment 1 Thomas Leroy 2022-06-14 09:10:06 UTC

Only SUSE:SLE-12-SP5:Update/nodejs16, SUSE:SLE-15-SP3:Update/nodejs16 and SUSE:SLE-15-SP4:Update/nodej16 ship a vulnerable version of npm.

However, it seems that the bug is in the package npm-packlist, fixed in v5.0.4 [0] (this commit [1] is also probably required) that we ship in every nodejs versions. 
@Adam, do you think we need to update npm-packlist in the other nodejs versions, even though they don't ship a vulnerable npm version?


[0] https://github.com/npm/npm-packlist/commit/839e6e8b13dc8c5ec14fab79509649d081c3ef54
[1] https://github.com/npm/npm-packlist/commit/b3e4cca5afb4cd33cf0792551513fd506c0b28d0

Comment 2 Adam Majer 2022-06-14 09:54:03 UTC

npm workspaces were added in npm 7.x and npm14 and below all ship npm 6.x. I don't believe we need to update the older versions for this since the feature is not present.

Comment 3 Thomas Leroy 2022-08-12 13:18:07 UTC

Hi Adam, it seems that the CVE and bsc id are not mentioned in the nodejs16
changes file (in every codestream), confusing our tracking system. Could you
please add the references in a new SR? :)
We would need a SR for:
- SUSE:SLE-12-SP5:Update/nodejs16
- SUSE:SLE-15-SP3:Update/nodejs16
- SUSE:SLE-15-SP4:Update/nodejs16

Comment 4 Adam Majer 2022-08-16 14:30:25 UTC

I've added references to .changes file and sr pending. Bug was fixed in nodejs16 16.15.1

Comment 6 Swamp Workflow Management 2022-09-08 13:59:26 UTC

SUSE-SU-2022:3196-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.17.0-8.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2022-09-12 10:26:48 UTC

SUSE-SU-2022:3250-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.17.0-150400.3.6.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.17.0-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-09-12 10:33:26 UTC

SUSE-SU-2022:3251-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1200303,1200517,1201710,1202382,1202383
CVE References: CVE-2022-29244,CVE-2022-31150,CVE-2022-35948,CVE-2022-35949
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.17.0-150300.7.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.17.0-150300.7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.