Closed zFlux closed 3 years ago
This function is not used internally in musl and is not widely used, but does appear in some applications
It'd be interesting to find out if it appears in our binaries at all.
I don't think this is a major issue for us anyway, since this exists in musl and I don't think we're shipping anything static, so we aren't shipping code with an insecure implementation; rather, the library it calls contains an insecure implementation, so it's the host that needs to be updated.
But, we're still building with Alpine 3.9 and should probably upgrade anyway. For now I've just flushed out all of the images that do the build and recreated them, so we've gone from:
musl-1.1.20-r4 x86_64 {musl} (MIT) [installed]
To:
musl-1.1.20-r6 x86_64 {musl} (MIT) [installed]
Its release date @ https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/musl matches the wcsnrtombs-cve-2020-28928 commit @ https://git.alpinelinux.org/aports/log/main/musl?h=3.9-stable so I suppose that's included.
I've made an issue suggesting we upgrade all our Alpine images to a newer version, but I think this is a side issue to your original, so I'll close this for now (but let me know if you disagree with the resolution). https://github.com/nodejs/unofficial-builds/issues/26
Also, thanks for notifying us! This wasn't on my radar at all.
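Two checks the comment above asks for, as an added example that is not part of this issue or of the nodejs/unofficial-builds project: whether a built binary imports `wcsnrtombs` from the C library (parsed from `nm -D` output), and whether an installed Alpine `musl` package is at or above the patched release. The sample `nm -D` output is constructed, and the patched baseline of `musl-1.1.20-r6` is taken from this thread for Alpine 3.9 only; other Alpine branches carry the backport under a different release number.

```python
import re
import subprocess

# Symbols to report on; the CVE discussed in this thread concerns wcsnrtombs.
WATCHED_SYMBOLS = {"wcsnrtombs"}

# Patched package for Alpine 3.9 as stated in the thread (assumption for other branches).
FIXED_ALPINE39_MUSL = ((1, 1, 20), 6)

# Constructed sample of `nm -D` output for a dynamically linked binary.
SAMPLE_NM_OUTPUT = """\
                 U malloc
                 U wcsnrtombs
0000000000001139 T main
                 U __libc_start_main
"""


def imported_symbols(nm_output):
    """Return the undefined ('U') symbols from `nm -D` output, i.e. the functions the
    binary expects the shared C library to provide at load time."""
    imported = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "U":
            imported.add(parts[-1].split("@")[0])  # drop any @VERSION suffix
    return imported


def watched_imports(nm_output, watched=WATCHED_SYMBOLS):
    """Sorted list of watched symbols the binary imports from libc."""
    return sorted(imported_symbols(nm_output) & set(watched))


def scan_binary(path):
    """Run `nm -D` (binutils) on a real binary and report watched libc imports."""
    out = subprocess.run(["nm", "-D", path], capture_output=True, text=True, check=True)
    return watched_imports(out.stdout)


def parse_apk_version(pkg_line):
    """'musl-1.1.20-r6 x86_64 {musl} (MIT) [installed]' -> ((1, 1, 20), 6)."""
    m = re.match(r"musl-(\d+(?:\.\d+)*)-r(\d+)", pkg_line.strip())
    if not m:
        raise ValueError("not an apk musl package line: %r" % pkg_line)
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2))


def musl_is_patched(pkg_line, fixed=FIXED_ALPINE39_MUSL):
    """True when the installed musl package is at or above the patched release."""
    return parse_apk_version(pkg_line) >= fixed
```

`scan_binary` only covers dynamically linked binaries; a statically linked one shows no `U` entries for libc, which is exactly the case the comment says is not being shipped.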
According to openwall, musl contains a security bug up to v1.2.1 that needs patching or an update to > v1.2.2.