Bug 1845256 (CVE-2020-8174)

Summary: CVE-2020-8174 nodejs: memory corruption in napi_get_value_string_* functions
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, bmikulov, cbuissar, hhorak, jorton, jschorr, jstanek, lmorse, mrunge, nodejs-maint, nodejs-sig, scorneli, security-response-team, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-10.21.0, nodejs-12.18.0, nodejs-14.4.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs. Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-07 13:27:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1845263, 1845257, 1845258, 1845259, 1845260, 1845261, 1845262, 1846230, 1846231, 1846232, 1846233, 1846234, 1851861, 1851863, 1853305, 1853306, 1853317, 1853318, 1853319    
Bug Blocks: 1845265    

Description Guilherme de Almeida Suckevicz 2020-06-08 19:05:25 UTC 
Calling napi_get_value_string_latin1(), napi_get_value_string_utf8(), or napi_get_value_string_utf16() with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer.

Reference:
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
Comment 1 Guilherme de Almeida Suckevicz 2020-06-08 19:06:15 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1845263]
Affects: fedora-all [bug 1845257]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1845260]


Created nodejs:11/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1845258]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1845259]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1845261]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1845262]
Comment 4 Cedric Buissart 2020-06-09 20:36:47 UTC 
Upstream fix: https://github.com/nodejs/node/commit/656260b4b65fec3b10f6da3fdc9f11fb941aafb5
Comment 8 Jason Shepherd 2020-06-11 20:28:04 UTC 
Statement:

NodeJS is a build time dependency of Red Hat Quay and is not used at runtime. Therefore this issue will not fixed in Quay 3.3.
Comment 9 Laurie Morse 2020-06-15 18:15:05 UTC 
What is the ETA for this fix with RHEL 8 and NodeJS 12?  We have a release deadline for July and this CVE is needed.
Comment 10 Cedric Buissart 2020-06-15 18:56:34 UTC 
In reply to comment #9:
> What is the ETA for this fix with RHEL 8 and NodeJS 12?  We have a release
> deadline for July and this CVE is needed.
This issue is currently treated with a Moderate severity : this flaw is currently theoretical only. It is considered unlikely that the vulnerability can be triggered from Node.JS.
Comment 18 errata-xmlrpc 2020-07-07 09:12:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847
Comment 19 errata-xmlrpc 2020-07-07 09:15:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849
Comment 20 errata-xmlrpc 2020-07-07 09:23:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848
Comment 21 errata-xmlrpc 2020-07-07 09:39:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852
Comment 22 Product Security DevOps Team 2020-07-07 13:27:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8174
Comment 23 Cedric Buissart 2020-07-10 07:12:44 UTC 
External References:

https://hackerone.com/reports/784186
Comment 24 errata-xmlrpc 2020-07-13 10:48:17 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895
Comment 25 errata-xmlrpc 2020-07-21 14:33:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042
Comment 26 errata-xmlrpc 2020-07-21 19:29:05 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084