Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release Proposal: v4.1.1 #2943

Closed
trevnorris opened this issue Sep 18, 2015 · 30 comments
Closed

Release Proposal: v4.1.1 #2943

trevnorris opened this issue Sep 18, 2015 · 30 comments
Labels
meta Issues and PRs related to the general management of the project.

Comments

@trevnorris
Copy link
Contributor

Contains fix that prevents ArrayBuffers from possibly returning non zero filled memory.

@nodejs/release

@trevnorris trevnorris added the meta Issues and PRs related to the general management of the project. label Sep 18, 2015
@rvagg
Copy link
Member

rvagg commented Sep 18, 2015

suggesting we defer this until Monday, it's late in the week and while #2931 fixes a very important issue, the impact isn't likely to be super large - you have to be:

  1. using TypedArrays
  2. relying on them being zero-filled
  3. be also creating zero-length buffers

One of my primary concerns is in the perception that such a rapid series of releases so close to v4 creates, particularly for people not accustomed with how we've done things with io.js.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

@rvagg Correct. Though, here a view from the other side, for balance.
To exploit this, the attacker should be able to:

  1. Trigger a creation of a zero-length Buffer.
    A presense of an empty file in /public server dir might (or might not) be enough for that (no time to check now). There could also be a way to trigger that solely by the means of HTTP requests (Buffers are heavily used in Node.js network stack).
  2. Trigger a creation of a TypedArray that doesn't have at least some bytes manually set at least in some situations that he later receives data from. This one is project-dependant and may be tricky.
  3. The server has to run Node.js 4.1.0 (exactly). This is also not likely, because it has been just released.

Note that 1-2 do not necessary have to be done in a single request, an attacker could launch two parallel tasks — one that creates zero-length Buffers and one that retrives the data. Due to the server be highly async, this could work.

IMO, it would be better to fix that asap just to be on the safe side. This is a data leak.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

@nodejs/tsc

@rvagg
Copy link
Member

rvagg commented Sep 18, 2015

@ChALkeR there's another step in there which is doing something with the TypedArray which is likely to be even more tricky than the other steps you've mentioned. I'm not viewing this as a vulnerability, it's just a bug.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

@rvagg Doing what something? Check the testcase. Just creating and recieving data from it (which I mentioned being tricky already) is enough.

Atm, 2+3 almost guarantee that nothing is affected. But if and when a new (affected) version is deployed on more systems, just 2 won't be enough.

TypedArrays not being zero-filled in some cases (especially those that are triggerable by user actions) is a security issue no matter how one views it.

Quick steps to check (for this case):

  1. Is this against the docs? Yes. So, it's a bug.
  2. Could there be installs where this bug triggers a security vulnerability (i.e. data leak) in otherwise solid app? Yes. So, this bug is a security issue.

@rvagg
Copy link
Member

rvagg commented Sep 18, 2015

TypedArrays not being zero-filled in some cases (especially those that are triggerable by user actions) is a security issue no matter how one views it.

In the browser, that's why they are zero-filled by default in the browser because it's a sandbox, which Node is not and which is we don't zero-fill buffers, this is a break in assumptions and therefore a bug. By "doing something" I'm saying that you'd need to get the TypedArray data out of the server, so it's indeed an extra step, just because it exists in memory on the server doesn't make it an exploit.

@trevnorris
Copy link
Contributor Author

Note that 1-2 do not necessary have to be done in a single request, an attacker could launch two parallel tasks — one that creates zero-length Buffers and one that retrives the data.

If the attacker had the ability to launch tasks to perform this type of operation then they could just check the contents of a Buffer. If the attack were along the lines of the http module then this would be near impossible because a Buffer would be instantiated by core internals, which would have reset the flag. Remember, the calls have to precisely follow each other for this to work.

Bug patches, even non armageddon security patches, are often not released immediately after patching. Based on the practical and possible impact this has waiting until Monday shouldn't be an issue.

@trevnorris
Copy link
Contributor Author

I might be willing to concede this is a security issue based on a hypothetical and highly unlikely scenario along the lines of the dev partially filling a typed array with a crypto key, and depending on the remaining bits to be zero filled. Somehow then allowing false identification to the server. Did I mention the planets would need to be aligned for this to work?

So even though it might possibly be a security patch, the impact doesn't come close enough to warrant releasing today instead of Monday.

@rvagg
Copy link
Member

rvagg commented Sep 18, 2015

Here's my main concern here: we're at the beginning of converged Node, effectively we're proving ourselves as the new crew that's shipping Node.js and we have many eyes on us, many of whom are excited about what we're now doing, some of whom are wanting us to fail but even more who are watching on the sidelines waiting to see how it pans out–many of these are enterprise users of Node and prospective enterprise users of Node who are an important audience for the sustainability of our platform. So, what we have here is a balancing act between the perception of being cowboys with code, vs cowboys with security issues. Having a 4.1.0 9 days after 4.0.0 is going to be a big enough deal for many people, having a 4.1.1 straight after 4.1.0 is going to be read by a lot of people that we can't be trusted to ship quality code.

With regard to this specific issue, it's my personal judgement that it's a non-trivial bug, something we should get fixed as soon as practical, but it's far from a clear security exploit vector, i.e. it's very much in the realm of hypothetical. So, weighing that against the cost of releasing a new version ASAP (i.e. releases aren't free, they have a cost associated with them for the reasons outlined above), combined with the hassles of Friday & weekend releases suggest that we should just defer until early next week.

But I'm also inviting critique of all of this, this certainly isn't a final say, I can only suggest. I'm happy to change my mind in light of evidence or expertise to the contrary and even without that others' can push for a release if they think it's important enough.

@rvagg
Copy link
Member

rvagg commented Sep 18, 2015

Combine #2931 with #2945 and we have an interesting 4.1.1 that's worth making a bit of noise about.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

Note that 1-2 do not necessary have to be done in a single request, an attacker could launch two parallel tasks — one that creates zero-length Buffers and one that retrives the data.

If the attacker had the ability to launch tasks to perform this type of operation then they could just check the contents of a Buffer. If the attack were along the lines of the http module then this would be near impossible because a Buffer would be instantiated by core internals, which would have reset the flag. Remember, the calls have to precisely follow each other for this to work.

@trevnorris You are wrong here. I explained it above.

@kzc
Copy link

kzc commented Sep 18, 2015

Meta release methodology comment: This bug fix aside, before merging any feature to the stable release shouldn't it sit on master or the unstable release branch for at least a week? This Buffer optimization was first introduced a few days before release and wasn't really used in the wild before going into stable. It is very easy to miss subtleties in code reviews.

But then there's the counter argument that no one would actually test it unless it was an official release.

Related question - is iojs 3.x or node 5.x considered to be the latest "unstable" release branch? Or just master?

@piscisaureus
Copy link
Contributor

+1 on deferring to next week, and rolling it up with a few other fixes.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

@piscisaureus I sent you an example over gitter =).
@rvagg @trevnorris I sent you an example over email.

@piscisaureus
Copy link
Contributor

@ChALkeR I've seen that you have written a server where this bug has security implications; nonetheless, it seems a little far-fetched to expect that any actual servers are currently vulnerable. Therefore I don't think we actually do anyone a service by rushing out a release before or during the weekend.

Nobody is proposing that we defer releasing a fix for months or even weeks - @rvagg is proposing to wait a couple of days - that seems entirely reasonable.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 18, 2015

@piscisaureus Did you check the code? The only unlikely thing that it does is leaking an Uint8Array to the client. Are you sure that there are no actual servers that do that?

But ok, I understand your reasoning and will not escalate this discussion further.

@rvagg

be also creating zero-length buffers

This code is enough to trigger that:

http.createServer(function(req, res) {
    var chunks = [];
    req.on('data', function(chunk) {
        // chunk is a Buffer
        chunks.push(chunk);
    });
    req.on('end', function() {
        // This is a common way of collecting the request body.
        var data = Buffer.concat(chunks);
        res.end();
    });
});

Reading an empty file is also enough.

@trevnorris
Copy link
Contributor Author

@kzc You're correct that it should have baked in master a little while longer. Initial reason I wanted to pop it in is because we are hurting for performance with Buffers now that we're using Typed Arrays. Conceptually the change is straight forward, so I didn't see a big risk factor as I have with other performance changes I've made in the past.

@ChALkeR My point is the practicality of the exploit. I have a hard time believing this sort of thing exists in the wild. One reason being the streaming a string of null bytes to the client. As I said, it's theoretically possible but highly unlikely to exist in the wild. Also with your example code it depends on a Typed Array being created as the next allocation operation. The practical timing of that is also highly unlikely.

@vielmetti
Copy link
Contributor

I know enough creative security people, @trevnorris , that "practicality of the exploit" is not usually an impediment.

Is there a test case in the test suite that triggers this defect? That would be a nice first step.

@trevnorris
Copy link
Contributor Author

@vielmetti There's a test included in the commit that triggers the issue. My comment about practicality is to address weighing the need to rush out a build today vs waiting until Monday. IMO the statistical likelihood of this being exploited does not outweigh waiting for a few days before releasing a new build.

@misterdjules
Copy link

I would like to add #2959 to that release as well.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 19, 2015

Also with your example code it depends on a Typed Array being created as the next allocation operation. The practical timing of that is also highly unlikely.

Not true. On a high-loaded server, this is very likely even by chance (not only intentionally caused by an attacker). Just firing many TypedArray creation operations and an endpoint like in #2943 (comment) will cause errors.

@sathishsoundharajan
Copy link

Is it possible to have this release with latest version of npm.. Now that it is out of beta ?https://github.com/npm/npm/blob/master/CHANGELOG.md

@orangemocha
Copy link
Contributor

npm@3 out of beta! I am really eager to get that integrated, as it fixes a long-standing problem with long nested paths on Windows. But would such a big change really be appropriate for a patch release?

@Fishrock123
Copy link
Contributor

But would such a big change really be appropriate for a patch release?

Not really. I think we already agreed it will go into node@5?

@mikeal
Copy link
Contributor

mikeal commented Sep 19, 2015

Not really. I think we already agreed it will go into node@5?

Yup, it has to land in a major. It should land on master, along with the new v8 I saw shoot by.

@Fishrock123
Copy link
Contributor

Updated OP with current commit list. Not sure what semver e0c3d2a is.

@ChALkeR
Copy link
Member

ChALkeR commented Sep 20, 2015

@Fishrock123 Changes in e0c3d2a are in files that are not packaged, they are used only by the tests. I'd say that's fine in a patch release.

mgol added a commit to mgol/check-dependencies that referenced this issue Sep 20, 2015
See nodejs/node#2943 for the discussion about the issue

Refs nodejs/node#2931
mgol added a commit to mgol/grunt-check-dependencies that referenced this issue Sep 20, 2015
See nodejs/node#2943 for the discussion about the issue

Refs nodejs/node#2931
mgol added a commit to EE/grunt-inline-images that referenced this issue Sep 20, 2015
See nodejs/node#2943 for the discussion about the issue

Refs nodejs/node#2931
mgol added a commit to EE/jscs-trailing-comma that referenced this issue Sep 20, 2015
See nodejs/node#2943 for the discussion about the issue

Refs nodejs/node#2931
mgol added a commit to mgol/npm-bump that referenced this issue Sep 20, 2015
See nodejs/node#2943 for the discussion about the issue

Refs nodejs/node#2931
@rvagg
Copy link
Member

rvagg commented Sep 21, 2015

I've had to take a few days properly off and am only just resyncing with the inevitable massive backlog that accrues when I do that and haven't been able to put anything for this together today like I intended. I'll attempt to work on it tomorrow if I get enough time and unless someone else in @nodejs/release gets to it first. We probably need to take a good look at what else on master can be pushed out for this one too, although I'd personally prefer if we kept it to a semver-patch bump for simpler messaging.

@thefourtheye
Copy link
Contributor

Any takers for #2966, #2967, #2968?

@rvagg
Copy link
Member

rvagg commented Sep 22, 2015

Continued @ #2995

@rvagg rvagg closed this as completed Sep 22, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
meta Issues and PRs related to the general management of the project.
Projects
None yet
Development

No branches or pull requests