Node patch releases 18.19.1, 20.11.1, 21.6.2 break OpenPGP when RSA keys are used #1727
Comments
Just wanted to add a link to https://github.com/orgs/nodejs/discussions/51784#discussioncomment-8494516 - the Node maintainers are great; they explained that the policy is that critical security fixes can go in minor version updates, which means this change should have gone in a minor version and not a patch, but honestly that still would have likely hit us anyway. Just good to know the defined policy on this.
NodeJS 18.19.1 introduced the same change, breaking OpenPGP.js decryption.
Thanks @chazcross, I updated the title and also added a minimal test case to the description.
My production server uses NodeJS 18.19.1. It is working fine on my local machine as I had NodeJS 18.19.0. I am not able to find 18.19.0 in Docker images and I cannot downgrade it further because a few functionalities don't work on lower versions. What can I do to make this work on production? It's super critical for me to fix it. Can anyone please guide me on what I can do here?
Thanks for the detailed report -- we are going to release a patch of OpenPGP.js v5 to address this 👍
Fixed in v5.11.1 (just released).
We hit this bug after an automatic upgrade in Google App Engine to the latest stable patch release of Node, 20.11.1, broke all of our PGP decryption. Reverting to Node.js 20.9.0 fixed the issue for us (but pretty sure the problem is just in the 20.11.1 patch, as explained below).
I believe this commit in this Node version, nodejs/node@7079c062bb, which disables PKCS#1, is what is responsible for this issue. We were getting an error thrown when calling `decrypt`, down in the `nodeDecrypt` method here: https://github.com/openpgpjs/openpgpjs/blob/main/src/crypto/public_key/rsa.js#L483 (one note about where that bug is thrown - note it swallows the bug thrown from Node's `privateDecrypt` method and throws a new Error, which made this a little harder to debug). Note I understand this was a security issue from Node's perspective, but I still think doing this in a patch release was a bad decision from Node for a change that is fundamentally not backwards compatible.
I created the following minimal test case that passes in Node 20.11.0, and throws an exception in 20.11.1. Per the Node release notes, it should also be possible to pass the flag `--security-revert=CVE-2023-46809` to disable the change in behavior in the patch release.