Bug 1874775 (CVE-2020-8244)

Summary: CVE-2020-8244 nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: aos-bugs, bmontgom, dbaker, eparis, extras-orphan, jburrell, jcantril, jokerman, nodejs-sig, nstielau, piotr1212, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: bl 4.0.3, bl 3.0.1, bl 2.2.1, bl 1.2.3
Last Closed: 2021-10-28 08:26:11 UTC
Bug Depends On: 1874776, 1874777, 1875856
Bug Blocks: 1874779

Description Marian Rehak 2020-09-02 08:20:33 UTC
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1 and <1.2.3 which could allow an attacker to supply user input (even typed) that, if it ends up in the consume() argument and can become negative, can corrupt the BufferList state, tricking it into exposing uninitialized memory via regular .slice() calls.

External Reference:

https://hackerone.com/reports/966347
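
As an added example (not code from the bl project or from this report), the following minimal BufferList-style model shows the defensive invariant the description is about: consume() first normalizes its count the way Buffer-style APIs do, and leaves the list untouched for NaN or non-positive values, so a negative count can never reach the chunk-dropping logic. The class and helper names are my own, and the sample chunks are constructed.

```javascript
// Normalize an untrusted "bytes to consume" value: coerce to a number,
// truncate toward zero, and map NaN / zero / negatives to 0 ("nothing to do").
function normalizeConsumeCount(input) {
  const n = Math.trunc(Number(input));
  if (Number.isNaN(n) || n <= 0) return 0;
  return n;
}

// Hypothetical hardened BufferList model: chunks in a queue, total length cached.
class SafeBufferList {
  constructor(chunks) {
    this._bufs = chunks.map((c) => Buffer.from(c));
    this.length = this._bufs.reduce((sum, b) => sum + b.length, 0);
  }

  // Drop `bytes` from the front; never lets the cached length or queue drift
  // for an invalid count, which is the failure mode that exposed stale memory.
  consume(bytes) {
    let remaining = normalizeConsumeCount(bytes);
    if (remaining === 0) return this; // rejected input: state unchanged
    while (this._bufs.length > 0 && remaining > 0) {
      const head = this._bufs[0];
      if (remaining >= head.length) {
        remaining -= head.length;
        this.length -= head.length;
        this._bufs.shift();
      } else {
        this._bufs[0] = head.subarray(remaining);
        this.length -= remaining;
        remaining = 0;
      }
    }
    return this;
  }

  // Read-only view over [start, end); concat uses the real chunk lengths,
  // not the cached total, so a consistent queue is all that is needed.
  slice(start, end) {
    return Buffer.concat(this._bufs).subarray(start, end);
  }
}

// Constructed sample: two chunks, six bytes total.
const sample = new SafeBufferList(['abc', 'def']);
sample.consume(-4);            // ignored: length stays 6
sample.consume('2');           // typed input normalized to 2
console.log(sample.length, sample.slice(0, 4).toString()); // 4 cdef
```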

Comment 1 Marian Rehak 2020-09-02 08:21:09 UTC
Created nodejs-bl tracking bugs for this issue:

Affects: epel-7 [bug 1874777]
Affects: fedora-all [bug 1874776]

Comment 5 Przemyslaw Roguski 2020-09-04 14:27:21 UTC
Changes to CVSS score:
3.7/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
AC:H -> AC:L
A:N -> A:L

Also I increased the Impact to Moderate.

Comment 9 Przemyslaw Roguski 2020-09-08 09:00:43 UTC
Statement:

Red Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-bl module is used, but during the update to container first (to openshift4/ose-logging-kibana6) the dependency was removed, and hence the kibana package is marked as wontfix. This may be fixed in the future.