Opened 4 years ago
Last modified 2 months ago
#47175 new defect (bug)
Twenty Nineteen: Vulnerability Due To Old Dependency Version
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Bundled Theme | Keywords: | 2nd-opinion has-patch |
| Focuses: | | Cc: | |
Description
GitHub reported the following:
CVE-2018-20834 (high severity)
Vulnerable versions: < 4.4.2
Patched version: 4.4.2
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
Further details: https://nvd.nist.gov/vuln/detail/CVE-2018-20834
(I'm not considering this a sensitive security matter, as this vulnerability has already been widely published.)
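The node-tar issue quoted above, as an added detection example that is not part of this ticket, of node-tar or of the theme's tooling: a Python check that inspects archive members before anything is extracted and flags the hardlink-then-plain-file pattern (plus hardlink targets and entry names that escape the extraction root). The archive it scans is constructed in memory, and the link target path is a made-up stand-in for any pre-existing file.

```python
import io
import tarfile


def audit_tar_members(data):
    """Return a list of (member_name, reason) for entries an extractor should refuse."""
    findings = []
    hardlink_names = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            # Entry names that would land outside the extraction root.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "entry path escapes the extraction root"))
            if m.islnk():
                hardlink_names.add(m.name)
                # A hardlink whose target is absolute or climbs out of the root
                # aliases a file that already exists on the system.
                if m.linkname.startswith("/") or ".." in m.linkname.split("/"):
                    findings.append((m.name, "hardlink targets '%s' outside the archive" % m.linkname))
            elif m.isfile() and m.name in hardlink_names:
                # The CVE-2018-20834 pattern: a plain file entry reusing the name of an
                # earlier hardlink entry, so its content is written through that link.
                findings.append((m.name, "plain file reuses the name of an earlier hardlink entry"))
    return findings


def build_sample_archive(hostile=True):
    """Construct a small archive in memory; the hostile pattern is optional so both cases can be checked."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        readme = b"constructed sample archive\n"
        info = tarfile.TarInfo("README")
        info.size = len(readme)
        tf.addfile(info, io.BytesIO(readme))
        if hostile:
            link = tarfile.TarInfo("notes.txt")
            link.type = tarfile.LNKTYPE
            link.linkname = "/tmp/existing.txt"  # constructed: stands in for any pre-existing file
            tf.addfile(link)
            payload = b"replaced content\n"
            plain = tarfile.TarInfo("notes.txt")  # same name as the hardlink entry above
            plain.size = len(payload)
            tf.addfile(plain, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar_members(build_sample_archive()):
        print(f"{name}: {reason}")
```

Running the audit before `extractall()` (or in a CI step over build artifacts) turns the class of bug described in the advisory into a refused archive rather than an overwritten file.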
Attachments (1)
Change History (5)
#2 @ 4 years ago
- Component changed from Themes to Bundled Theme
- Summary changed from TwentyNineteen Vulnerability Due To Old Dependency Version to Twenty Nineteen: Vulnerability Due To Old Dependency Version
#3 @ 4 years ago
- Keywords 2nd-opinion has-patch added; close removed

While I agree with @jeremyfelt's assessment that this is not going to affect any distributed version of the theme, it does seem that all the packages have been updated upstream.

47175.diff is the result of running `npm audit fix`. The result is `postcss-cli` and `chokidar-cli` being upgraded. The problem dependency for `node-sass` worked itself out in the process due to the way the version ranges were defined.

I also added the `src/wp-content/themes/twentynineteen/node_modules` directory to the ignore list in 47175.diff.

After the upgrade, running `npm run-script build` results in no changes to any theme files.
Hi @mikebronner, thanks for the ticket!

It looks like a few of our dependencies (`postcss-cli`, `node-sass`, `chokidar-cli`) have `node-gyp` or `node-pre-gyp` as dependencies of their own. These in turn have older `tar` dependencies.

I'm not sure that we can/need to do anything immediately. This code is only used as part of the theme's build tooling and is not distributed, and should be relatively low risk. I don't believe that we process any tarballs.

Once the issue has been addressed in upstream packages, we can update the theme's package file.
It looks like `chokidar` has updated its dependency, and that affects `postcss-cli` and `chokidar-cli`, so it may be that `node-sass` is the only remaining package to wait for.

The `node-sass` project has an open issue tracking this: https://github.com/sass/node-sass/issues/2625

I'm going to propose closing this, as this is more of an upstream issue, but happy to leave it open if others think it's helpful.