nodejs / unofficial-builds

Unofficial binaries for Node.js
https://unofficial-builds.nodejs.org

Musl Contains a Security Issue up to v1.2.1 #25

Closed zFlux closed 3 years ago

zFlux commented 3 years ago

According to openwall, musl contains a security bug up to v1.2.1 that needs patching or an update to > v1.2.2.

rvagg commented 3 years ago

This function is not used internally in musl and is not widely used, but does appear in some applications

It'd be interesting to find out if it appears in our binaries at all.

I don't think this is a major issue for us anyway, since this exists in musl and I don't think we're shipping anything static, such that we'd be shipping code with an insecure implementation; rather, the library it calls contains an insecure implementation, so it's the host that needs to be updated.

But, we're still building with Alpine 3.9 and should probably upgrade anyway. For now I've just flushed out all of the images that do the build and recreated them, so we've gone from:

musl-1.1.20-r4 x86_64 {musl} (MIT) [installed]

To:

musl-1.1.20-r6 x86_64 {musl} (MIT) [installed]

Its release date @ https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/musl matches the wcsnrtombs-cve-2020-28928 commit @ https://git.alpinelinux.org/aports/log/main/musl?h=3.9-stable so I suppose that's included.

I've made an issue suggesting we upgrade all our Alpine images to a newer version, but I think this is a side issue to your original, so I'll close this for now (but let me know if you disagree with the resolution). https://github.com/nodejs/unofficial-builds/issues/26
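A check for the two questions raised in the comment above (does wcsnrtombs appear in a shipped binary at all, and is it the host libc or the binary itself that carries the affected code), as an added example that is not part of this thread or of the project's build scripts. It assumes binutils `readelf` and Alpine's `apk` are available on the host being inspected.

```sh
#!/bin/sh
# Added example, not code from nodejs/unofficial-builds: classify how an ELF
# binary is exposed to the musl wcsnrtombs bug (CVE-2020-28928) discussed above.
# Return codes of musl_wcsnrtombs_exposure:
#   0 symbol not referenced     1 imported from the host libc (patch the host musl)
#   2 defined inside the binary (static link: rebuild against a fixed musl)
#   3 not an ELF file           4 readelf (binutils) not available
# Caveat: a stripped static binary keeps no symbol table, so 0 then means "unknown".

is_elf() {
    # An ELF file starts with the magic bytes 0x7f 'E' 'L' 'F'.
    [ "$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

musl_wcsnrtombs_exposure() {
    bin="$1"
    is_elf "$bin" || { echo "$bin: not an ELF file"; return 3; }
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found"; return 4; }

    # readelf -s lists .dynsym and .symtab; the columns are
    # Num: Value Size Type Bind Vis Ndx Name, so $7 is the section index.
    # Ndx == UND means the symbol is resolved at run time from a shared object
    # (on Alpine, the host's musl libc.so); a numeric Ndx means the function
    # body was linked into this binary.
    ndx=$(readelf -W -s "$bin" 2>/dev/null |
          awk '$8 == "wcsnrtombs" || $8 ~ /^wcsnrtombs@/ { print $7; exit }')
    case "$ndx" in
        "")  echo "$bin: wcsnrtombs not referenced"; return 0 ;;
        UND) echo "$bin: imports wcsnrtombs from the host libc"; return 1 ;;
        *)   echo "$bin: contains its own wcsnrtombs (static link)"; return 2 ;;
    esac
}

# Extract "<version>-r<rev>" from an `apk list --installed` line such as the
# ones quoted above ("musl-1.1.20-r6 x86_64 {musl} (MIT) [installed]"), so the
# host libc revision can be compared with the one that carries the fix.
apk_pkg_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^ -]*-r[0-9]+).*$/\1/'
}

# Usage on an Alpine host: pass the node binary; also report the installed musl.
if [ -n "$1" ]; then
    musl_wcsnrtombs_exposure "$1"
    apk list --installed musl 2>/dev/null | while read -r line; do
        echo "host musl: $(apk_pkg_version "$line")"
    done
fi
```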

rvagg commented 3 years ago

Also, thanks for notifying us! This wasn't on my radar at all.