Comparing changes
base repository: nodejs/node
base: v20.11.0
head repository: nodejs/node
compare: v20.11.1
- 16 commits
- 575 files changed
- 9 contributors
Commits on Jan 9, 2024
- 0ebaecc
Commits on Feb 12, 2024
- 40ff37d src: fix HasOnly(capability) in node::credentials
  SYS_capget with _LINUX_CAPABILITY_VERSION_3 returns the process's permitted capabilities as two 32-bit values. To determine if the only permitted capability is indeed CAP_NET_BIND_SERVICE, it is necessary to check both of those values. Not doing so creates a vulnerability that potentially allows unprivileged users to inject code into a privileged Node.js process through environment variables such as NODE_OPTIONS.
  PR-URL: nodejs-private/node-private#505
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-21892
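As an added illustration of the check described in the commit above (this is not Node.js's own code; the capability numbers and the capget(2) layout come from Linux's linux/capability.h, while the helper names and the constructed capability sets are mine), the C program below compares a "has only CAP_NET_BIND_SERVICE" test that inspects just the first 32-bit word with one that inspects both. The single-word variant accepts a process that additionally holds any capability numbered 32 or above (CAP_BPF, number 39, is used as the example), which is exactly the gap the fix closes.

```c
/* Added example: a "has only this capability" check on Linux must look at
 * both 32-bit words that capget(2) returns for _LINUX_CAPABILITY_VERSION_3.
 * Capabilities 0..31 live in word 0, capabilities 32..63 in word 1. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef __linux__
#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Fallback values (identical to linux/capability.h) for non-Linux builds. */
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10   /* word 0 */
#endif
#ifndef CAP_BPF
#define CAP_BPF 39                /* word 1: invisible to a first-word-only check */
#endif

/* Permitted set exactly as capget(2) v3 reports it: two 32-bit words. */
struct permitted {
    uint32_t word[2];
};

/* Build a permitted set from a list of capability numbers (constructed input). */
static struct permitted make_set(const int *caps, int n) {
    struct permitted p = {{0, 0}};
    for (int i = 0; i < n; i++)
        p.word[caps[i] / 32] |= (uint32_t)1 << (caps[i] % 32);
    return p;
}

/* Pre-fix shape of the check: only the first word is compared. */
static bool has_only_first_word(struct permitted p, int cap) {
    uint32_t want = (uint32_t)1 << (cap % 32);
    return cap < 32 && p.word[0] == want;
}

/* Fixed check: the capability must be the sole bit set across both words. */
static bool has_only(struct permitted p, int cap) {
    int w = cap / 32;
    uint32_t want = (uint32_t)1 << (cap % 32);
    return p.word[w] == want && p.word[1 - w] == 0;
}

#ifdef __linux__
/* Read this process's own permitted set; pid 0 needs no privilege. */
static bool read_permitted(struct permitted *out) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return false;
    out->word[0] = data[0].permitted;
    out->word[1] = data[1].permitted;
    return true;
}
#endif

int main(void) {
    /* Constructed sets: bind-only, and bind plus a word-1 capability. */
    const int only_bind[] = { CAP_NET_BIND_SERVICE };
    const int bind_and_bpf[] = { CAP_NET_BIND_SERVICE, CAP_BPF };
    struct permitted a = make_set(only_bind, 1);
    struct permitted b = make_set(bind_and_bpf, 2);

    printf("bind only  : first-word-only=%d both-words=%d\n",
           has_only_first_word(a, CAP_NET_BIND_SERVICE), has_only(a, CAP_NET_BIND_SERVICE));
    printf("bind + bpf : first-word-only=%d both-words=%d\n",
           has_only_first_word(b, CAP_NET_BIND_SERVICE), has_only(b, CAP_NET_BIND_SERVICE));

#ifdef __linux__
    struct permitted self;
    if (read_permitted(&self))
        printf("this process: permitted=%08x:%08x has_only(bind)=%d\n",
               self.word[1], self.word[0], has_only(self, CAP_NET_BIND_SERVICE));
#endif
    return 0;
}
```

The second printed line is the point: with CAP_BPF also permitted, the first-word-only check still answers "yes, bind only", while the two-word check answers "no". The same shape applies to any decision that gates a security-sensitive behaviour on "exactly this one capability".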
Commits on Feb 13, 2024
- 7079c06 crypto: disable PKCS#1 padding for privateDecrypt
  Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
  Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order to protect against the Marvin attack. Includes a security revert flag that can be used to restore support.
  Signed-off-by: Michael Dawson
  PR-URL: nodejs-private/node-private#525
  Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2023-46809
- 77ac7c3 http: add maximum chunk extension size
  PR-URL: nodejs-private/node-private#519
  Fixes: https://hackerone.com/reports/2233486
  Reviewed-By: Matteo Collina
  Reviewed-By: Marco Ippolito
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-22019
- c213910 zlib: pause stream if outgoing buffer is full
  Signed-off-by: Matteo Collina
  PR-URL: nodejs-private/node-private#541
  Reviewed-By: Robert Nagy
  Ref: https://hackerone.com/reports/2284065
  CVE-ID: CVE-2024-22025
- 89bd5fc
  Signed-off-by: Matteo Collina
  PR-URL: nodejs-private/node-private#539
  Reviewed-By: Marco Ippolito
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-24758
- 7a30fec deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1
  PR-URL: #51614
  Reviewed-By: Richard Lau
  Reviewed-By: Marco Ippolito
  Reviewed-By: Rafael Gonzaga
  Reviewed-By: Luigi Pinca
  Reviewed-By: Michael Dawson
- f7b44bf deps: update archs files for openssl-3.0.13+quic1
  PR-URL: #51614
  Reviewed-By: Richard Lau
  Reviewed-By: Marco Ippolito
  Reviewed-By: Rafael Gonzaga
  Reviewed-By: Luigi Pinca
  Reviewed-By: Michael Dawson
- 686da19 deps: disable io_uring support in libuv by default
  setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This potentially allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). Similar concerns apply to other functions that modify the process's user identity. This commit changes libuv's io_uring behavior from opt-out (through UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure out a better long-term solution.
  PR-URL: nodejs-private/node-private#529
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-22017
- 3f6addd src,deps: disable setuid() etc if io_uring enabled
  Within Node.js, attempt to determine if libuv is using io_uring. If it is, disable process.setuid() and other user identity setters. We cannot fully prevent users from changing the process's user identity, but this should still prevent some accidental, dangerous scenarios.
  PR-URL: nodejs-private/node-private#529
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-22017
- 186a6e1 deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806
  Refs: GHSA-f74f-cvh7-c6q6
  PR-URL: #51737
  Reviewed-By: Ben Noordhuis
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-24806
- 480fc16 fs: protect against modified Buffer internals in possiblyTransformPath
  Use encodeUtf8String from the encoding_binding internal binding to convert the result of path.resolve() to a Uint8Array instead of using Buffer.from(), whose result can be manipulated by the user by monkey-patching internals such as Buffer.prototype.utf8Write.
  HackerOne report: https://hackerone.com/reports/2218653
  PR-URL: nodejs-private/node-private#497
  Reviewed-By: Rafael Gonzaga
  CVE-ID: CVE-2024-21896
- ed7d149 lib: use cache fs internals against path traversal
  PR-URL: nodejs-private/node-private#516
  Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2259914
  Reviewed-By: Moshe Atlow
  CVE-ID: CVE-2024-21891
- d01dd42 permission: fix wildcard when children > 1
  PR-URL: #51209
  Fixes: #50659
  Reviewed-By: Stephen Belanger
  Reviewed-By: Paolo Insogna
  Reviewed-By: Rich Trott
- d6da413 test,doc: clarify wildcard usage
  Follow-up: #51209
  PR-URL: nodejs-private/node-private#517
  Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2257156
  CVE-ID: CVE-2024-21890
- 9b1bf44 2024-02-14, Version 20.11.1 'Iron' (LTS)
  This is a security release.
  Notable changes:
  crypto:
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
  deps:
  * upgrade libuv to 1.48.0 (Santiago Gimeno) #51699
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51737
  fs:
  * protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#49
  http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
  lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
  * use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
  src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
  src,deps:
  * disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
  test,doc:
  * clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
  zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541
  PR-URL: nodejs-private/node-private#544
The rendered diff for this comparison is not available on this page (GitHub reports it as too large to generate). To see the comparison locally, run:
git diff v20.11.0...v20.11.1