Bug 1927293 (CVE-2018-21270)

Summary: CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aos-bugs, bdettelb, bmontgom, eparis, extras-orphan, jburrell, jcantril, jokerman, mrunge, nodejs-sig, nstielau, piotr1212, sd-operator-metering, sgallagh, sponnaga, tchollingsworth, tflannag, thrcka, tomckay, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-stringstream 0.0.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-stringstream. The Node.js stringstream module is vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-23 01:01:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1927294, 1927295, 1927296, 1927297, 1927298, 1927299    
Bug Blocks: 1927301    

Description Dhananjay Arunesh 2021-02-10 13:22:30 UTC
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

References:
https://github.com/mhart/StringStream/issues/7
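The bug class described above, as an added example that is neither StringStream's own code nor its 0.0.6 fix: a chunk coercion that hands whatever it receives to the Buffer(data) constructor, next to a hardened version that decides by type first. The function names and the sample chunk list are constructed for this illustration; Buffer.allocUnsafe(n) stands in for what new Buffer(n) did on Node.js 4.x (return n bytes of uninitialized heap memory), since Node.js 8 and later zero-fill that constructor and warn about its use (DEP0005).

```javascript
'use strict';
// Added example (not StringStream's code): the vulnerable coercion pattern
// behind CVE-2018-21270 beside a hardened one. Function names and the
// sample chunks below are constructed for this illustration.

// Vulnerable pattern: anything that is not already a Buffer goes through the
// Buffer(data) constructor, whose meaning depends on the type of `data`.
// For a number, Buffer(n) on Node.js 4.x returned n bytes of uninitialized
// heap memory, so a numeric chunk became a window onto whatever the process
// had previously freed. Buffer.allocUnsafe(n) models that here (assumption:
// this stand-in is ours, not the library's).
function coerceChunkVulnerable(data) {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'number') return Buffer.allocUnsafe(data); // what Buffer(n) did on 4.x
  return Buffer.from(data);
}

// Hardened pattern: a number is treated as content (its decimal string), never
// as an allocation size, and any other type is rejected instead of coerced.
function coerceChunkSafe(data) {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'string') return Buffer.from(data, 'utf8');
  if (typeof data === 'number') return Buffer.from(String(data), 'utf8');
  throw new TypeError('stream chunk must be a string, Buffer or number, got ' + typeof data);
}

// StringStream's job is to turn a sequence of chunks into one string; these
// two collectors do the same job under the two coercion rules above.
function joinChunksVulnerable(chunks) {
  return Buffer.concat(chunks.map(coerceChunkVulnerable));
}

function joinChunksSafe(chunks) {
  return Buffer.concat(chunks.map(coerceChunkSafe));
}

// Stand-alone demo: a writer that accidentally passes a number as a chunk.
const demoChunks = ['id=', 4096]; // constructed input: a number slipped into the stream
const demoLeaked = joinChunksVulnerable(demoChunks);
console.log('vulnerable: %d bytes, of which %d came from an uninitialized allocation',
  demoLeaked.length, demoLeaked.length - Buffer.byteLength('id='));
console.log('hardened:   %s', JSON.stringify(joinChunksSafe(demoChunks).toString('utf8')));
```

The check a practitioner would want is the length: with the vulnerable rule the numeric chunk adds 4096 bytes of memory to the output, with the hardened rule it adds the four characters "4096". Whether the leaked bytes contain anything interesting depends on what the allocator hands back, which is exactly why the vulnerable version must not be allowed to reach an attacker-controlled writer.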

Comment 2 Dhananjay Arunesh 2021-02-10 13:24:02 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1927294]
Affects: fedora-all [bug 1927296]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1927295]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1927297]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1927298]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1927299]

Comment 3 Zuzana Svetlikova 2021-02-10 14:47:11 UTC
I have several questions here.

Why is this reported against nodejs, when the flaw was found in a separate module? None of the current releases contain the module.
Why is this reported against nodejs v13, which has been EOL for almost a year now? On top of that, latest build doesn't contain the module anyway.
Why is this reported at all, when the package has been updated to 0.0.6 since May 2019? The module has been orphaned since F33 as well.
Also, this flaw is related to nodejs v4.x, which has been EOL for years now.
Why is CVE from 2018 reported in 2021?

Comment 4 Tomas Hoger 2021-02-10 15:46:33 UTC
(In reply to Zuzana Svetlikova from comment #3)
> Why is this reported against nodejs v13, which has been EOL for almost a
> year now? On top of that, latest build doesn't contain the module anyway.

I can only answer this - it's because nodejs:13 can still be found in Fedora repos.  See e.g.:

ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/updates/33/Modular/x86_64/Packages/n/

I do not understand what you mean by "latest build doesn't contain the module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14, and 15 (this one is a recent addition that was missed here).

Comment 5 Zuzana Svetlikova 2021-02-10 15:54:03 UTC
(In reply to Tomas Hoger from comment #4)
> (In reply to Zuzana Svetlikova from comment #3)
> I do not understand what you mean by "latest build doesn't contain the
> module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14,
> and 15 (this one is a recent addition that was missed here).

I meant latest v13 build of nodejs 
https://koji.fedoraproject.org/koji/rpminfo?rpmID=21406997 
https://koji.fedoraproject.org/koji/buildinfo?buildID=1504300

Comment 6 Tomas Hoger 2021-02-11 09:33:11 UTC
(In reply to Zuzana Svetlikova from comment #5)
> (In reply to Tomas Hoger from comment #4)
> > (In reply to Zuzana Svetlikova from comment #3)
> > I do not understand what you mean by "latest build doesn't contain the
> > module" - Fedora Modular repos contain modules for nodejs 10, 12, 13, 14,
> > and 15 (this one is a recent addition that was missed here).
> 
> I meant latest v13 build of nodejs

Now I understand - I assumed "the module" there referred to modularity modules (e.g. nodejs:13), not the stringstream library/module.

Do not assume those nodejs affects were added because of stringstream being bundled with nodejs/npm, but because this CVE was incorrectly assumed to affect nodejs instead of nodejs-stringstream.

Comment 8 Dhananjay Arunesh 2021-02-16 07:36:58 UTC
In reply to comment #3:
> I have several questions here.
> 
> Why is CVE from 2018 reported in 2021?
Agree that the CVE was reported in 2018, but our automated tool caught this vulnerability and reported it in Dec 2018.

Comment 9 Product Security DevOps Team 2021-02-23 01:01:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-21270

Comment 10 Jason Shepherd 2021-05-07 00:58:25 UTC
Statement:

Red Hat Quay includes stringstream as a dependency of Karma. Karma is only used at build time, and not at runtime, reducing the impact of this vulnerability to low.

Comment 12 errata-xmlrpc 2021-10-19 12:10:40 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917