Make WordPress Core

Opened 5 months ago

Last modified 4 months ago

#47175 new defect (bug)

Twenty Nineteen: Vulnerability Due To Old Dependency Version

Reported by: mikebronner
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Bundled Theme
Keywords: 2nd-opinion has-patch
Focuses:
Cc:
PR Number:

Description

GitHub reported the following:

CVE-2018-20834

high severity
Vulnerable versions: < 4.4.2
Patched version: 4.4.2
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Further details: https://nvd.nist.gov/vuln/detail/CVE-2018-20834

(I'm not considering this a sensitive security matter, as this vulnerability has already been widely published.)
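The advisory text above describes an archive-level pattern rather than anything specific to the theme, so it can be checked for before an archive is ever handed to an extractor. The following is an added example written for this page; it is not code from the ticket, from node-tar, or from the theme's build tooling. It parses the 512-byte ustar headers of an in-memory archive with no dependencies, verifies each header checksum, and reports any regular-file entry whose path was already used by a hardlink entry earlier in the same archive. The two archives at the bottom are constructed fixtures (paths and contents invented here); nothing is extracted or written to disk.

```javascript
'use strict';
// Added example (not part of the Trac ticket, node-tar or the theme's build
// tooling): a pre-extraction scanner for the archive pattern the advisory
// describes. It walks ustar headers held in memory and reports a regular-file
// entry whose path was already used by a hardlink entry earlier in the archive.
const BLOCK = 512;

// Read a NUL-padded header string field.
function readField(buf, off, len) {
  const nul = buf.indexOf(0, off);
  const end = nul === -1 || nul > off + len ? off + len : nul;
  return buf.toString('utf8', off, end);
}

// Recompute the header checksum: sum of all header bytes with the checksum
// field itself treated as eight ASCII spaces.
function checksumValid(buf, off) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : buf[off + i];
  return parseInt(readField(buf, off + 148, 8).trim(), 8) === sum;
}

function parseHeader(buf, off) {
  const prefix = readField(buf, off + 345, 155);
  const name = readField(buf, off, 100);
  return {
    name: prefix ? `${prefix}/${name}` : name,
    size: parseInt(readField(buf, off + 124, 12).trim() || '0', 8),
    typeflag: String.fromCharCode(buf[off + 156]), // '0' or NUL = file, '1' = hardlink
    linkname: readField(buf, off + 157, 100),
  };
}

// The archive ends at a zero-filled block or at the end of the buffer.
function atEndOfArchive(buf, off) {
  return off + BLOCK > buf.length || buf.subarray(off, off + BLOCK).every((b) => b === 0);
}

// Returns findings; an empty array means the pattern was not seen.
function scanTarForHardlinkOverwrite(buf) {
  const hardlinks = new Map(); // entry path -> index of the hardlink entry
  const findings = [];
  let off = 0;
  for (let index = 0; !atEndOfArchive(buf, off); index++) {
    if (!checksumValid(buf, off)) throw new Error(`bad header checksum at entry ${index}`);
    const h = parseHeader(buf, off);
    if (h.typeflag === '1') {
      hardlinks.set(h.name, index);
    } else if ((h.typeflag === '0' || h.typeflag === '\0') && hardlinks.has(h.name)) {
      findings.push({ entry: index, path: h.name, hardlinkEntry: hardlinks.get(h.name) });
    }
    // Skip the header plus the data, which is padded to a multiple of 512 bytes.
    off += BLOCK + Math.ceil(h.size / BLOCK) * BLOCK;
  }
  return findings;
}

// --- Constructed fixtures: built here for the demonstration, not captured anywhere ---
function tarHeader(name, typeflag, linkname, size) {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100, 'utf8');
  h.write('0000644\0', 100);                               // mode
  h.write('0000000\0', 108);                               // uid
  h.write('0000000\0', 116);                               // gid
  h.write(size.toString(8).padStart(11, '0') + '\0', 124); // size (octal)
  h.write('00000000000\0', 136);                           // mtime
  h.write('        ', 148);                                // checksum placeholder
  h.write(typeflag, 156);
  h.write(linkname, 157, 100, 'utf8');
  h.write('ustar\0', 257);
  h.write('00', 263);
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

function tarEntry(name, typeflag, content = '', linkname = '') {
  const data = Buffer.from(content, 'utf8');
  const pad = Buffer.alloc((BLOCK - (data.length % BLOCK)) % BLOCK, 0);
  return Buffer.concat([tarHeader(name, typeflag, linkname, data.length), data, pad]);
}

// A tar archive is terminated by two zero-filled blocks.
const buildTar = (entries) => Buffer.concat([...entries, Buffer.alloc(2 * BLOCK, 0)]);

const benignTar = buildTar([
  tarEntry('pkg/package.json', '0', '{"name":"demo"}'),
  tarEntry('pkg/README.md', '0', 'hello'),
]);
const flaggedTar = buildTar([
  tarEntry('pkg/index.js', '0', 'module.exports = 1;'),
  tarEntry('pkg/copy.js', '1', '', 'pkg/index.js'),     // hardlink entry
  tarEntry('pkg/copy.js', '0', 'module.exports = 2;'), // later plain file, same path
]);

console.log(scanTarForHardlinkOverwrite(benignTar));  // []
console.log(scanTarForHardlinkOverwrite(flaggedTar)); // one finding for pkg/copy.js
```

The scanner only looks at headers, so it runs in time linear in the archive size and can sit in front of any extractor, including an older tar library that cannot be upgraded immediately. It does not attempt to judge whether the hardlink target is sensitive; the point the advisory makes is that the hardlink-then-plain-file sequence itself is what causes the overwrite, so that sequence is what gets reported.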

Attachments (1)

47175.diff (47.5 KB) - added by desrosj 4 months ago.


Change History (4)

#1 @jeremyfelt
5 months ago

  • Keywords close added
  • Severity changed from major to normal

Hi @mikebronner, thanks for the ticket!

It looks like a few of our dependencies (postcss-cli, node-sass, chokidar-cli) have node-gyp or node-pre-gyp as dependencies of their own. These in turn have older tar dependencies.

I'm not sure that we can/need to do anything immediately. This code is only used as part of the theme's build tooling and is not distributed and should be relatively low risk. I don't believe that we process any tarballs.

Once the issue has been addressed in upstream packages, we can update the theme's package file.

It looks like chokidar has updated its dependency, and that affects postcss-cli and chokidar-cli, so it may be that node-sass is the only remaining package to wait for.

The node-sass project has an open issue tracking this: https://github.com/sass/node-sass/issues/2625

I'm going to propose closing this, as this is more of an upstream issue, but happy to leave it open if others think it's helpful.
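The comment above traces the vulnerable tar copy through intermediate packages (postcss-cli, node-sass, chokidar-cli pulling in node-gyp or node-pre-gyp). That triage can be done mechanically from the lock file. The following is an added example written for this page, not code from the ticket or from npm: it walks a package-lock.json in the lockfileVersion 1 layout, where nested "dependencies" objects mirror the node_modules nesting, and reports every path by which a named package below a given version is installed. The lock fragment at the bottom is constructed to mirror the chain the comment describes; its versions other than tar's are placeholders, not values from the theme's real lock file.

```javascript
'use strict';
// Added example (not from the ticket or npm): find every installed copy of a
// package below a patched version in a lockfileVersion 1 package-lock.json.

// Compare dotted numeric versions; negative means a < b, like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns e.g. [{ path: ['postcss-cli', 'node-gyp', 'tar'], version: '2.2.1' }].
// "dependencies" (installed copies) is walked, not "requires" (declared ranges),
// because only installed copies are what the build actually runs.
function findVulnerablePaths(lock, pkgName, patchedVersion) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkgName && compareVersions(info.version, patchedVersion) < 0) {
        hits.push({ path, version: info.version });
      }
      walk(info.dependencies, path);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lock fragment; '1.0.0' entries are placeholders for this example.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'postcss-cli': { version: '1.0.0', dependencies: {
      'node-gyp': { version: '1.0.0', dependencies: {
        tar: { version: '2.2.1' } } } } },
    'node-sass': { version: '1.0.0', dependencies: {
      'node-gyp': { version: '1.0.0', dependencies: {
        tar: { version: '2.2.1' } } } } },
    tar: { version: '4.4.8' }, // hoisted copy already at or above the patched version
  },
};

console.log(findVulnerablePaths(sampleLock, 'tar', '4.4.2'));
// two hits: postcss-cli/node-gyp/tar and node-sass/node-gyp/tar, both 2.2.1
```

The output tells you which top-level package each vulnerable copy hangs off, which is the information needed to decide whether an upstream release, an override, or an npm audit fix run will actually remove it. The version comparison is deliberately simple and covers dotted numeric versions only; prerelease tags would need a real semver comparator.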

#2 @SergeyBiryukov
5 months ago

  • Component changed from Themes to Bundled Theme
  • Summary changed from TwentyNineteen Vulnerability Due To Old Dependency Version to Twenty Nineteen: Vulnerability Due To Old Dependency Version

@desrosj
4 months ago

  • Attachment 47175.diff added

#3 @desrosj
4 months ago

  • Keywords 2nd-opinion has-patch added; close removed

While I agree with @jeremyfelt's assessment that this is not going to affect any distributed version of the theme, it does seem that all the packages have been updated upstream.

47175.diff is the result of running npm audit fix. The result is postcss-cli and chokidar-cli being upgraded. The problem dependency for node-sass worked itself out in the process due to the way the version ranges were defined.

I also added src/wp-content/themes/twentynineteen/node_modules directory to the ignore list in 47175.diff.

After the upgrade, running npm run-script build results in no changes to any theme files.
