MediaWiki `cryptiles` in package-lock.json affected by CVE-2018-1000620
Closed, ResolvedPublic
Actions

Description

GitHub security suggest to upgrade cryptiles to version 4.1.2 or later as it is affected by CVE-2018-1000620 (high severity).

Vulnerable dependency can be found at: https://github.com/wikimedia/mediawiki/blob/dd69e92a2c133574d72147cfcd0210f6add6025a/package-lock.json#L1409

I've never worked with package-lock.json files nor NPM much.

Thank you.

Details

Project	Branch	Lines +/-	Subject
mediawiki/core	master	+229 -430	[DNM] build: Re-build package-lock.json for demo purposes
mediawiki/core	master	+49 -104	[DNM] build: Experimentally fiddle with packages to purge cryptiles
mediawiki/core	master	+97 -253	build: use the latest webdriverio 4.x related packages

Customize query in gerrit

Event Timeline

MarcoAurelio created this task.Jun 25 2019, 9:51 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 25 2019, 9:51 PM

MarcoAurelio added a project: MediaWiki-General.Jun 25 2019, 9:52 PM

https://github.com/wikimedia/mediawiki/network/alert/package-lock.json/cryptiles/open

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

The NPM package cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.

> cryptiles 3.1.4.
- > hawk 6.0.2 requires cryptiles 3.x.x
  - > request 2.83.0 requires hawk ~6.0.2 (‽ see below)
    - > mwbot 1.0.10 requires request ^2.75.0
      - > wdio-mediawiki (local) requires mw bot 1.0.10 (direct requirement)
    - > wdio-sauce-service 0.4.15 requires request ^2.88.0 (direct requirement)
    - > webdriverio 4.12.0 requires request ~2.83.0 (direct requirement)

hawk is deprecated, replaced by @hapi/hawk, but anyway we're currently using the almost-latest version of request, which [[https://github.com/request/request/commit/a6741d415aba31cd01e9c4544c96f84ea6ed11e3#diff-aebcbf97ec318328efd650f5aa2f7b11|since 2.87.0 has a local version of hawk]] that it is somehow not using?

Pinging @zeljkofilipin, as this is a browser tests dependency issue.

Jdforrester-WMF added a project: Release-Engineering-Team.Jun 25 2019, 11:49 PM

See https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/519157 for some fiddling.

zeljkofilipin claimed this task.Jul 2 2019, 10:57 AM

zeljkofilipin triaged this task as Medium priority.

zeljkofilipin added a project: User-zeljkofilipin.

zeljkofilipin moved this task from Backlog ⏪ to In Progress 🏋️‍♂️ on the User-zeljkofilipin board.

See https://gerrit.wikimedia.org/r/c/mediawiki/core/+/519158 too.

greg moved this task from INBOX to Unit & Int & System Tooling on the Release-Engineering-Team board.Jul 6 2019, 5:49 AM

greg edited projects, added Release-Engineering-Team (Unit & Int & System Tooling); removed Release-Engineering-Team.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/521269 merged.

Jdforrester-WMF closed this task as Resolved.Jul 8 2019, 4:38 PM

Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 519157 abandoned by Jforrester:
[DNM] build: Experimentally fiddle with packages to purge cryptiles

https://gerrit.wikimedia.org/r/519157

Change 519158 abandoned by Jforrester:
[DNM] build: Re-build package-lock.json for demo purposes

https://gerrit.wikimedia.org/r/519158

• chasemp added a project: Security.Feb 10 2020, 10:56 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM

MediaWiki `cryptiles` in package-lock.json affected by CVE-2018-1000620Closed, ResolvedPublicActions

Description

Details

Event Timeline

MediaWiki `cryptiles` in package-lock.json affected by CVE-2018-1000620
Closed, ResolvedPublic
Actions