
MediaWiki `cryptiles` in package-lock.json affected by CVE-2018-1000620
Closed, Resolved · Public

Description

GitHub security alerts suggest upgrading cryptiles to version 4.1.2 or later, as it is affected by CVE-2018-1000620 (high severity).

The vulnerable dependency can be found at: https://github.com/wikimedia/mediawiki/blob/dd69e92a2c133574d72147cfcd0210f6add6025a/package-lock.json#L1409

I've never worked with package-lock.json files nor NPM much.

Thank you.

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 25 2019, 9:51 PM
Reedy added a subscriber: Reedy. Jun 25 2019, 10:00 PM

https://github.com/wikimedia/mediawiki/network/alert/package-lock.json/cryptiles/open

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

The NPM package cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to be able to brute force something that was supposed to be random. This attack appears to be exploitable via "Depends upon the calling application". This vulnerability appears to have been fixed in 4.1.2.

  • cryptiles 3.1.4
    • hawk 6.0.2 requires cryptiles 3.x.x
      • request 2.83.0 requires hawk ~6.0.2 (‽ see below)
        • mwbot 1.0.10 requires request ^2.75.0
          • wdio-mediawiki (local) requires mwbot 1.0.10 (direct requirement)
        • wdio-sauce-service 0.4.15 requires request ^2.88.0 (direct requirement)
        • webdriverio 4.12.0 requires request ~2.83.0 (direct requirement)

hawk is deprecated, replaced by @hapi/hawk, but anyway we're currently using the almost-latest version of request, which [[https://github.com/request/request/commit/a6741d415aba31cd01e9c4544c96f84ea6ed11e3#diff-aebcbf97ec318328efd650f5aa2f7b11|since 2.87.0 has a local version of hawk]] that it is somehow not using?

Jdforrester-WMF added a subscriber: zeljkofilipin.

Pinging @zeljkofilipin, as this is a browser tests dependency issue.

zeljkofilipin triaged this task as Medium priority.
zeljkofilipin moved this task from Backlog 🔙 to In Progress 🔨 on the User-zeljkofilipin board.
Jdforrester-WMF closed this task as Resolved. Jul 8 2019, 4:38 PM
Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 519157 abandoned by Jforrester:
[DNM] build: Experimentally fiddle with packages to purge cryptiles

https://gerrit.wikimedia.org/r/519157

Change 519158 abandoned by Jforrester:
[DNM] build: Re-build package-lock.json for demo purposes

https://gerrit.wikimedia.org/r/519158