Bug 1550772 (CVE-2018-13863)

Summary: CVE-2018-13863 nodejs-bson: Regular expression denial of service in decimal128.js
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ccoleman, dedgar, dffrench, dmcphers, drusso, hhorak, jgoulding, jmadigan, jorton, jshepherd, lgriffin, ngough, nodejs-sig, pwright, rrajasek, tdawson, trepel, viktor.vix.jancik, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nodejs-bson 1.0.5
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-21 19:57:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1550773, 1550774, 1554497, 1600003, 1600004
Bug Blocks: 1550775

Description Sam Fowler 2018-03-02 01:18:48 UTC
nodejs-bson before version 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in decimal128.js.


Upstream Commit:

https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a


Additional References:

https://snyk.io/vuln/npm:bson:20180225

Comment 1 Sam Fowler 2018-03-02 01:19:14 UTC
Created nodejs-bson tracking bugs for this issue:

Affects: fedora-all [bug 1550774]
Affects: epel-all [bug 1550773]

Comment 4 Tomas Hoger 2018-07-09 08:12:25 UTC
The support for the Decimal128 data type was only introduced in bson module version 0.5.0.  The problematic regular expression was introduced via the following commit:

https://github.com/mongodb/js-bson/commit/e14b4d081a2704b86b8c3407382e107f23ad0da6

Note that the nodejs-bson packages in Fedora and Fedora EPEL are based on upstream versions prior to 0.5.0 (0.4.23 in Fedora, and 0.2.x in EPEL), so they were not affected by this flaw.

Comment 5 Tomas Hoger 2018-07-09 09:34:20 UTC
Note that this flaw is not triggered when deserializing data from the BSON format.  It is only triggered when preparing objects for serialization to BSON if those objects need to contain fields with decimal128 type, and the value is constructed using Decimal128.fromString() from a long untrusted string.