This repository has been archived by the owner on Mar 3, 2023. It is now read-only.

Address libnode vulnerability #19583

Closed
leopck opened this issue Jun 21, 2019 · 6 comments

Comments

@leopck

leopck commented Jun 21, 2019

Description

Discovered vulnerabilities in libnode.so in Atom:
CVE-2018-7161
CVE-2018-7167
CVE-2018-12122
CVE-2018-12121
CVE-2018-12116
CVE-2018-12115
CVE-2018-1000168
CVE-2018-7160
CVE-2017-15399
CVE-2017-5132
CVE-2017-5122
CVE-2017-5121
CVE-2017-15413
CVE-2017-15406
CVE-2017-15896
CVE-2017-14952

Atom seems to be using an older version of NodeJS. Please review and see if these vulnerabilities are valid.

Versions

1.37.0
1.38.0

@leopck
Author

leopck commented Jun 22, 2019

I tried building the latest Atom from master branch and the libnode.so shows that it is only v10.2 even though I've compiled it using NodeJS v10.16. Is there some mistake or is this using an older node?

@rsese
Contributor

rsese commented Jun 24, 2019

Thanks for the heads up! The version of Node that Atom uses comes via Electron. So any updates to the version of Node that we use would come specifically with us upgrading our version of Electron (e.g. #19373 for example). We also keep an eye out for any releases of Electron that fix security vulnerabilities and update Atom as needed.

> shows that it is only v10.2 even though I've compiled it using NodeJS v10.16. Is there some mistake or is this using an older node?

This comes from Electron, you can see by running atom -v, e.g. for the latest stable release (Atom 1.38.2), we're on Electron 2 which uses Node 8.9.3:

$ atom -v
Atom    : 1.38.2
Electron: 2.0.18
Chrome  : 61.0.3163.100
Node    : 8.9.3

master is currently on Electron 3 which uses Node v10.2 (https://github.com/electron/node).

Since these CVEs aren't something we would specifically resolve directly in Atom, we'll go ahead and close this out but thanks again for the heads up!

@rsese rsese closed this as completed Jun 24, 2019
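The practical takeaway from the comment above is that the Node bundled with Atom is whatever the Electron release ships, and `atom -v` is the place to read it off. The following is an added example (not code from the Atom project or from anyone in this thread): it parses `atom -v` output, turns the version strings into comparable tuples, and reports which CVEs from the list at the top of the issue have a fix release newer than the bundled Node. The `FIXED_IN` table is an assumption on my part, taken from my reading of the Node.js security release announcements for each release line; verify every entry against the advisory before relying on it, and add the remaining CVEs from the issue in the same shape. The sample `atom -v` text is constructed from the output quoted in the thread.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the `atom -v` output quoted in this thread for Atom 1.38.2.
SAMPLE_ATOM_V = """\
Atom    : 1.38.2
Electron: 2.0.18
Chrome  : 61.0.3163.100
Node    : 8.9.3
"""

# ASSUMED fix thresholds (not stated on the page): the first Node release in each
# release line that shipped the fix, as I read the Node.js security release notes.
# Verify each entry against the advisory; extend with the issue's other CVEs.
FIXED_IN: Dict[str, Dict[int, Tuple[int, int, int]]] = {
    "CVE-2018-7161": {8: (8, 11, 3), 10: (10, 4, 0)},
    "CVE-2018-7167": {8: (8, 11, 3), 10: (10, 4, 0)},
    "CVE-2018-1000168": {8: (8, 11, 3), 10: (10, 4, 0)},
    "CVE-2018-12115": {8: (8, 11, 4), 10: (10, 9, 0)},
    "CVE-2018-12116": {8: (8, 14, 0), 10: (10, 14, 0)},
    "CVE-2018-12121": {8: (8, 14, 0), 10: (10, 14, 0)},
    "CVE-2018-12122": {8: (8, 14, 0), 10: (10, 14, 0)},
}


def parse_atom_v(text: str) -> Dict[str, str]:
    """Turn the `Name : version` lines printed by `atom -v` into a dict."""
    versions: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(\S+)", line)
        if m:
            versions[m.group(1)] = m.group(2)
    return versions


def parse_version(v: str) -> Tuple[int, ...]:
    """'v10.16.0' or '8.9.3' -> (10, 16, 0). Tuples compare numerically, so
    8.9.3 < 8.14.0 comes out right (a plain string compare would get it wrong)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def unfixed_cves(node_version: str, table: Dict[str, Dict[int, Tuple[int, int, int]]] = FIXED_IN) -> List[str]:
    """CVEs whose fix release, for this Node release line, is newer than the bundled Node."""
    ver = parse_version(node_version)
    flagged: List[str] = []
    for cve, lines in table.items():
        fixed = lines.get(ver[0])
        if fixed is None:
            # Unknown release line: say so rather than silently reporting "clean".
            flagged.append(f"{cve} (release line not in table)")
        elif ver < fixed:
            flagged.append(cve)
    return sorted(flagged)


def check_installed_atom(atom_bin: str = "atom") -> List[str]:
    """Run the real `atom -v` on this machine and report; only used as a script."""
    out = subprocess.run([atom_bin, "-v"], capture_output=True, text=True, check=True).stdout
    return unfixed_cves(parse_atom_v(out)["Node"])


if __name__ == "__main__":
    info = parse_atom_v(SAMPLE_ATOM_V)
    print(f"Atom {info['Atom']} / Electron {info['Electron']} / Node {info['Node']}")
    for cve in unfixed_cves(info["Node"]):
        print("  fix not in bundled Node:", cve)
```

Run as a script it evaluates the sample from the thread; call `check_installed_atom()` to evaluate the Atom on your PATH instead. The unknown-release-line branch matters: a table built for Node 8 and 10 must not report a Node 12 build as clean just because no threshold happens to match.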
@leopck
Author

leopck commented Jun 24, 2019

@rsese any reason why we are not moving to Electron v4 or v5? These versions have newer dependencies that would help with this issue.

@Arcanemagus
Contributor

Upgrading Electron in a massive project like Atom isn't a simple undertaking as there are many parts that it touches on, being the core runtime after all.

You can see previous efforts in the Electron 3 PRs (#18815, #18916), and @rsese already linked you to the current work on Electron 4 in #19373.

Feel free to subscribe to that PR if you are interested in following along as the team works on getting that stable 😉.

@leopck
Author

leopck commented Jun 24, 2019

@Arcanemagus Thanks for the clarification. Must have missed that #19373 while I was reading.

@lock

lock bot commented Dec 22, 2019

This issue has been automatically locked since there has not been any recent activity after it was closed. If you can still reproduce this issue in Safe Mode then please open a new issue and fill out the entire issue template to ensure that we have enough information to address your issue. Thanks!

@lock lock bot locked as resolved and limited conversation to collaborators Dec 22, 2019