
MediaWiki `cryptiles` in package-lock.json affected by CVE-2018-1000620
Closed, Resolved · Public

Description

GitHub security suggests upgrading cryptiles to version 4.1.2 or later, as it is affected by CVE-2018-1000620 (high severity).

Vulnerable dependency can be found at: https://github.com/wikimedia/mediawiki/blob/dd69e92a2c133574d72147cfcd0210f6add6025a/package-lock.json#L1409

I've never worked with package-lock.json files nor NPM much.

Thank you.

Event Timeline

https://github.com/wikimedia/mediawiki/network/alert/package-lock.json/cryptiles/open

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620

The NPM package cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to be able to brute force something that was supposed to be random. This attack appears to be exploitable via: depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
  • cryptiles 3.1.4
    • hawk 6.0.2 requires cryptiles 3.x.x
      • request 2.83.0 requires hawk ~6.0.2 (‽ see below)
        • mwbot 1.0.10 requires request ^2.75.0
          • wdio-mediawiki (local) requires mwbot 1.0.10 (direct requirement)
        • wdio-sauce-service 0.4.15 requires request ^2.88.0 (direct requirement)
        • webdriverio 4.12.0 requires request ~2.83.0 (direct requirement)

hawk is deprecated, replaced by @hapi/hawk, but anyway we're currently using the almost-latest version of request, which [[https://github.com/request/request/commit/a6741d415aba31cd01e9c4544c96f84ea6ed11e3#diff-aebcbf97ec318328efd650f5aa2f7b11|since 2.87.0 has a local version of hawk]] that it is somehow not using?
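The dependency chain above was worked out by hand from package-lock.json. The script below, an added example that is not part of this task or of MediaWiki's tooling, does the same walk automatically for a lockfileVersion 1 lock: it applies npm's nearest-ancestor resolution of `requires` entries, lists every chain from a direct dependency down to a named package, and flags every installed copy of that package whose version is below the fixed release. The lock file and the set of direct dependencies are constructed for the example and only mimic the shape of the real one; the version numbers in them follow the chain listed above but are not read from the repository.

```javascript
// Constructed lockfileVersion 1 fragment (not the real MediaWiki lock file).
// Nested `dependencies` model node_modules/<pkg>/node_modules/<pkg>.
const CONSTRUCTED_LOCK = {
  name: 'example-root',
  lockfileVersion: 1,
  dependencies: {
    cryptiles: { version: '3.1.4', requires: { boom: '5.x.x' } },
    boom: { version: '5.2.0' },
    hawk: { version: '6.0.2', requires: { cryptiles: '3.x.x' } },
    request: { version: '2.83.0', requires: { hawk: '~6.0.2' } },
    mwbot: { version: '1.0.10', requires: { request: '^2.75.0' } },
    'wdio-mediawiki': { version: '0.0.0-local', requires: { mwbot: '1.0.10' } },
    webdriverio: { version: '4.12.0', requires: { request: '~2.83.0' } },
    'wdio-sauce-service': {
      version: '0.4.15',
      requires: { request: '^2.88.0' },
      // Own nested copy of request, as npm installs when the range does not
      // match the top-level copy.
      dependencies: { request: { version: '2.88.0', requires: { hawk: '~6.0.2' } } },
    },
  },
};
// Constructed: the root package.json's direct (dev) dependencies.
const DIRECT_DEPS = ['wdio-mediawiki', 'wdio-sauce-service', 'webdriverio'];

// Fetch the lock entry at a node_modules path, e.g. ['wdio-sauce-service', 'request'].
function getNode(lock, path) {
  let node = lock;
  for (const name of path) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node;
}

// npm resolution: a package at `fromPath` that requires `name` gets the
// nearest copy, searching from its own nested node_modules up to the root.
function resolve(lock, fromPath, name) {
  for (let depth = fromPath.length; depth >= 0; depth--) {
    const candidate = fromPath.slice(0, depth).concat(name);
    if (getNode(lock, candidate)) return candidate;
  }
  return null;
}

// Every chain "a@1 > b@2 > ... > target@v" reachable from the direct deps.
// `seen` holds the node_modules paths already on the current chain, so a
// dependency cycle is cut without hiding chains that revisit a package
// from a different direct dependency.
function chainsTo(lock, directDeps, target) {
  const results = [];
  function walk(path, chain, seen) {
    const node = getNode(lock, path);
    const name = path[path.length - 1];
    const nextChain = chain.concat(`${name}@${node.version}`);
    if (name === target) { results.push(nextChain.join(' > ')); return; }
    const key = path.join('/');
    if (seen.has(key)) return;
    const nextSeen = new Set(seen).add(key);
    for (const dep of Object.keys(node.requires || {})) {
      const resolved = resolve(lock, path, dep);
      if (resolved) walk(resolved, nextChain, nextSeen);
    }
  }
  for (const dep of directDeps) {
    const resolved = resolve(lock, [], dep);
    if (resolved) walk(resolved, [], new Set());
  }
  return results;
}

// Compare dotted numeric versions; any pre-release suffix is ignored.
function versionBelow(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every installed copy of `name` at any nesting depth, with a `vulnerable`
// flag meaning "older than `fixedVersion`".
function installedCopies(lock, name, fixedVersion) {
  const found = [];
  (function scan(node, path) {
    for (const [dep, entry] of Object.entries(node.dependencies || {})) {
      const depPath = path.concat(dep);
      if (dep === name) {
        found.push({ path: depPath.join('/'), version: entry.version,
                     vulnerable: versionBelow(entry.version, fixedVersion) });
      }
      scan(entry, depPath);
    }
  })(lock, []);
  return found;
}

function findCryptilesChains() {
  return chainsTo(CONSTRUCTED_LOCK, DIRECT_DEPS, 'cryptiles');
}

console.log(findCryptilesChains().join('\n'));
console.log(installedCopies(CONSTRUCTED_LOCK, 'cryptiles', '4.1.2'));
```

Against a real lock file, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `DIRECT_DEPS` with the keys of package.json's `dependencies` and `devDependencies`. The chain output shows why bumping a direct dependency alone may not help: here `wdio-sauce-service` already resolves to its own `request` 2.88.0, yet that copy still resolves `hawk` to the shared top-level 6.0.2 and hence to the old cryptiles.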

Jdforrester-WMF added a subscriber: zeljkofilipin.

Pinging @zeljkofilipin, as this is a browser tests dependency issue.

zeljkofilipin triaged this task as Medium priority.
Jdforrester-WMF changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 519157 abandoned by Jforrester:
[DNM] build: Experimentally fiddle with packages to purge cryptiles

https://gerrit.wikimedia.org/r/519157

Change 519158 abandoned by Jforrester:
[DNM] build: Re-build package-lock.json for demo purposes

https://gerrit.wikimedia.org/r/519158