Twenty Nineteen: Vulnerability Due To Old Dependency Version

[mikebronner]

Github reported the following:

CVE-2018-20834 More information

high severity
Vulnerable versions: < 4.4.2
Patched version: 4.4.2
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Further details: ​https://nvd.nist.gov/vuln/detail/CVE-2018-20834

(I'm not considering this a sensitive security matter, as this vulnerability has already been widely published.)

[jeremyfelt]

Hi @mikebronner, thanks for the ticket!

It looks like a few of our dependencies (postcss-cli, node-sass, chokidar-cli) have node-gyp or node-pre-gyp as dependencies of their own. These in turn have older tar dependencies.

I'm not sure that we can/need to do anything immediately. This code is only used as part of the theme's build tooling and is not distributedand should be relatively low risk. I don't believe that we process any tarballs.

Once the issue has been addressed in upstream packages, we can update the theme's package file.

It looks like chokidar has updated its dependency, and that affects postcss-cli and chokidar-cli, so it may be that node-sass is the only remaining package to wait for.

The node-sass project has an open issue tracking this: ​https://github.com/sass/node-sass/issues/2625

I'm going to propose closing this, as this is more of an upstream issue, but happy to leave it open if others think it's helpful.

[desrosj]

While I agree with @jeremyfelt's assessment that this is not going to affect any distributed version of the theme, it does seem that all the packages have been updated upstream.

47175.diff​ is the result of running npm audit fix. The result is postcss-cli and chokidar-cli being upgraded. The problem dependency for node-sass worked itself out in the process due to the way the version ranges were defined.

I also added src/wp-content/themes/twentynineteen/node_modules directory to the ignore list in 47175.diff​.

After the upgrade, running npm run-script build results in no changes to any theme files.

[sabernhardt]

Is this already fixed?

[poena]

The most recent package update was on Sep 7, 2023, I believe this is fixed.
https://core.trac.wordpress.org/ticket/58863#comment:4

[karmatosed]

I also believe this is fixed @poena so for now going to close as advised. We can always reopen if this doesn't feel the case. Thank you everyone for collaborating.