CVE-2019-15605 and CVE-2019-15606 on hackerone #631

Closed
Beuc opened this issue Feb 20, 2020 · 10 comments
Comments

@Beuc Beuc commented Feb 20, 2020

Hi,

I'm investigating CVE-2019-15604/5/6 for Debian (fixed in nodejs release 2020-02-06).
https://hackerone.com/reports/735748 and https://hackerone.com/reports/730779 are currently private - is there plan to make them public, so I can better locate and test vulnerabilities in older nodejs versions?

Cheers!

@sam-github sam-github commented Feb 20, 2020

Disclosure has been requested, they will be disclosed in 16 days (about) or when the reporters accept the request (whichever comes first).

@sam-github sam-github closed this Feb 20, 2020
@sam-github sam-github commented Feb 20, 2020

@Beuc

so I can better locate and test vulnerabilities in older nodejs versions

Do you mean pre-10.x Node.js versions? I'm curious, does Debian offer support for EOL Node.js release lines?

@Beuc Beuc commented Feb 20, 2020

Hi, thanks for the explanation (I'd read they were made public within 72h so I thought I'd ask).

This would help testing 10.x releases as well.
Also CVE-2019-15605 affects http-parser, not nodejs per se AFAIU :)

WRT pre-10.x, normally not, see https://lists.debian.org/debian-lts/2020/02/msg00041.html, though Debian supporting EOL'd packages is not uncommon.

@sam-github sam-github commented Feb 20, 2020

It looks like H1 is set up so that it takes agreement of reporter AND the project before a report is disclosed, so the timing is not entirely under our control. I'm doing what I can to expedite it, though (I pinged the reporters).

Fwiw, the http-parser fixes are public (as are the node commits) nodejs/http-parser@7d5c99d

cc: @mralekzandr

@mralekzandr mralekzandr commented Feb 20, 2020

Hey @sam-github - that is mostly correct!

We have two internal settings for disclosure: Mutual and Singular.

Mutual = both parties MUST agree to disclosure. Without dual consent, disclosure won't occur
Singular = You still have to request disclosure here, but if 30 days pass and the other party has neither approved nor denied the request, the report will automatically disclose.

Your program has "Singular" settings toggled on. So if 30 days pass after the request and an answer hasn't been given, it will be disclosed.

My apologies for not calling out these settings earlier!

Important to note that any sort of public advisory will suffice for CVE publication. Publicly disclosed reports are the most common, but not the only option.

@Beuc Beuc commented Feb 21, 2020

Thanks for the info.
To clarify: I had identified the fixes, but I'm interested in the reproducers and/or technical details so as to test that I properly applied the fix (e.g. if backporting to earlier release). Test-Driven Security ;)

@sam-github sam-github commented Feb 21, 2020

Fair enough. We're disclosing for transparency, but you'll find that the repro was in the sec release, for example: https://nodejs.org/en/blog/release/v13.8.0/ has

[eea3a7429b] - test: using TE to smuggle reqs is not possible (Sam Roberts)

similar tests landed in http-parser and llhttp.
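The test referenced above ("using TE to smuggle reqs is not possible") exercises how the parser frames a request body when Transfer-Encoding is involved. As an added example for readers backporting the fix (this is not the Node.js, http-parser or llhttp test and not the patch itself), the following Python validator applies the RFC 7230 section 3.3.3 framing rules: a request carrying both Transfer-Encoding and Content-Length, a Transfer-Encoding that does not end in a single `chunked`, or whitespace between a field name and its colon is rejected rather than guessed at. The sample requests are constructed for this example; running the same inputs through a patched and an unpatched build and comparing the verdicts is one way to confirm a backport behaves as the upstream test expects.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requests for this example (not from the page or any test suite).
SAMPLES: Dict[str, bytes] = {
    "chunked_only": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "cl_only": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\n\r\nhello"),
    "te_and_cl": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "te_not_chunked": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                       b"Transfer-Encoding: gzip\r\n\r\n"),
    "space_before_colon": (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                           b"Transfer-Encoding : chunked\r\n\r\n"),
}


class FramingError(ValueError):
    """The request's body length is ambiguous or malformed (RFC 7230 3.3.3)."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block into (lowercased name, value) pairs, strictly."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    headers: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n")[1:]:  # index 0 is the request line
        name, colon, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace is allowed between field name and colon.
        if not colon or not name or name != name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").lower(),
                        value.decode("latin-1").strip()))
    return headers


def body_framing(raw: bytes) -> str:
    """Return how the body is delimited, or raise FramingError if ambiguous."""
    headers = parse_headers(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]
    if te_values:
        if cl_values:
            # Two framing mechanisms at once: reject instead of picking one.
            raise FramingError("both Transfer-Encoding and Content-Length present")
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise FramingError("Transfer-Encoding must end with a single 'chunked': %r"
                               % codings)
        return "chunked"
    if cl_values:
        # Duplicate Content-Length is tolerated only when every value is identical.
        if len(set(cl_values)) != 1 or not re.fullmatch(r"[0-9]+", cl_values[0]):
            raise FramingError("invalid or conflicting Content-Length: %r" % cl_values)
        return "content-length:%d" % int(cl_values[0])
    return "no-body"


def check_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Classify every sample; rejected ones get a 'reject: <reason>' verdict."""
    results: Dict[str, str] = {}
    for name, raw in samples.items():
        try:
            results[name] = body_framing(raw)
        except FramingError as exc:
            results[name] = "reject: " + str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print("%-20s %s" % (name, verdict))
```

Only the first two samples are accepted; the remaining three are rejected with the reason given, which is the behaviour a strict parser should show before and after a backport is compared.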

@sam-github sam-github commented Feb 24, 2020

@mralekzandr can you look at https://hackerone.com/reports/730779 ? The reporter would like to approve disclosure, but can't figure out how. I don't know what it looks like from their end, but the UI doesn't seem to have a display of disclosure requests. I know I've requested disclosure, because it says so on the top of the report, but that's all I see.

@alyssawilk alyssawilk commented Feb 24, 2020

Check again - should be good now :-)

@mralekzandr mralekzandr commented Feb 24, 2020

They should have an inbox view in their own H1 inbox with reports that have disclosure requested. I believe an email notification is sent out, too.

Looks like they figured it out :)
