homebridge-eufy-security / plugin

Homebridge plugin to control certain Eufy Security devices
Apache License 2.0

[Bug]: RSA_PKCS1_PADDING #624

Open guitardoc opened 2 months ago

guitardoc commented 2 months ago

What happened?

I am still on node 20.11.0 due to the RSA_PKCS1_PADDING issue. Will this ever be addressed or is this a permanent issue which can not be remedied? Thank you for giving me (and others) some information.

Device Type

Doorbell (Supported)

Plugin Version

v3.0.x (Best Effort)

HomeBridge Version

v1.7.x (Supported)

NodeJS Version

v20 (Supported)

Operating System

Raspbian 10+ (Supported)

Relevant log output

see above

config

see above

github-actions[bot] commented 2 months ago

Did you check the Common Issues page?

guitardoc commented 2 months ago

Anything?

Longjohn8 commented 2 months ago

This is a show stopper and urgent

guitardoc commented 2 months ago

Still nothing from the developers?

jadonbaker commented 1 month ago

Any updates on this issue?

guitardoc commented 5 days ago

Anything?

dfberger commented 5 days ago

potentially relevant: https://github.com/homebridge-eufy-security/eufy-security-client/commit/dff3508e8ba7d892e6a7e9902e1479a483e0d3ee

guitardoc commented 5 days ago

Thank you for the information! I am on openssl 3.0.15 and node 20.11.0 (the last node version which supported RSA_PKCS1_PADDING). Do you think it is safe to update to node 20.18.0 (LTS) and not have the RSA_PKCS1_PADDING issue anymore?

dfberger commented 5 days ago

That change hasn't been incorporated into the plugin yet - so if you upgrade node, you'll at least break live-streaming.

Having said that, I'm running node 20.18.0, but you need to add a launch command line flag to revert the node deprecation.

You can't set the flag in NODE_OPTIONS, it has to go into the homebridge start script.

I created a pre-start file that does the needful. YMMV, and no warranty expressed or implied.

Note: I'm running homebridge in an lxc/lxd container, there may be a way to do a similar thing if you're running out of docker, but 🤷. Oh, and the scary error message about incompatible node versions will still appear in the logs, because the code that "tests" node is just doing a simple version compare.

# cat /etc/hb-service/homebridge/prestart.d/99-revert-cve-2023-46809
#!/bin/bash

CVE=CVE-2023-46809
CVE_REVERT_ARG="--security-revert=$CVE"

NODE_EXE_PATH=/opt/homebridge/bin/node
HOMEBRIDGE_START=/opt/homebridge/start.sh

# 0 when this node build carries the CVE fix (and so accepts the revert flag)
grep -q -- "$CVE" "$NODE_EXE_PATH"
NEEDS_CVE_REVERT=$?

# 0 when the start script already passes the revert flag
grep -q -- "$CVE_REVERT_ARG" "$HOMEBRIDGE_START"
HAS_CVE_REVERT=$?

# The exec line in start.sh, with and without the flag; the \$ survive the
# double quotes as literal $ characters for sed to match
LAUNCH_CMD="\$HB_SERVICE_NODE_EXEC_PATH \$HB_SERVICE_EXEC_PATH"
LAUNCH_CMD_REVERTED="\$HB_SERVICE_NODE_EXEC_PATH $CVE_REVERT_ARG \$HB_SERVICE_EXEC_PATH"

# Only rewrite start.sh when its state disagrees with the node binary
if [ "$HAS_CVE_REVERT" != "$NEEDS_CVE_REVERT" ]; then
  if [ "$HAS_CVE_REVERT" = "0" ]; then
    echo "removing CVE revert from start script..."
    sed -i.bck -- "s/$CVE_REVERT_ARG //g" "$HOMEBRIDGE_START"
  else
    echo "inserting CVE revert into start script..."
    sed -i.bck -- "s/$LAUNCH_CMD/$LAUNCH_CMD_REVERTED/g" "$HOMEBRIDGE_START"
  fi
fi

If the node binary contains the CVE string, the argument is added to the launch command:

# diff -wu /opt/homebridge/start.sh.bck /opt/homebridge/start.sh
--- /opt/homebridge/start.sh.bck    2024-11-09 13:12:39.180010597 +0000
+++ /opt/homebridge/start.sh    2024-11-09 14:56:03.137404407 +0000
@@ -37,4 +37,4 @@
   rm -rf $HB_SERVICE_STORAGE_PATH/node_modules/homebridge-config-ui-x
 fi

-exec $HB_SERVICE_NODE_EXEC_PATH $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
+exec $HB_SERVICE_NODE_EXEC_PATH --security-revert=CVE-2023-46809 $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
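
Review bot: the `--security-revert=CVE-2023-46809` added to the `exec` line re-enables PKCS#1 v1.5 private decryption for the whole homebridge process, i.e. every plugin it loads, not only eufy-security, so it should come out again once the client change linked above is incorporated into the plugin; the prestart script only strips the flag when the node binary stops containing the CVE string, not when the plugin no longer needs it. Its position before `$HB_SERVICE_EXEC_PATH` is correct, since node only honours the option when it precedes the script path.
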
guitardoc commented 5 days ago

Thank you for the extensive information. Maybe bropat will be able to incorporate the changes into the plugin soon.