Does BDSA-2023-1613 (CVE-2023-3420) impacts Node?

[ambercool99]

Details

In our Node project we currently use 18..16.1 version, our security scans reported vulnerability https://nvd.nist.gov/vuln/detail/CVE-2023-3420
with V8.
the vulnerability details says that it impacts Chrome and Dabian_Linux.
Note sure if this impacts Node runtime.
I could not find anything which related this vulnerability to Node.
Please help...

Node.js version

18.16.1

Example code

No response

Operating system

Alpine (Linux)

Scope

runtime

Module and version

V8

[gireeshpunathil]

@nodejs/v8 - pls advise!

[preveen-stack]

cc @nodejs/security-release

[RafaelGSS]

The CVE details don't say much. https://bugs.chromium.org/p/chromium/issues/detail?id=1452137 isn't public. I will wait for v8 advise.

[mhdawson]

@targos do you know who a good v8 contact might be to follow up with?

[camillobruni]

V8-dev here: which V8 version are you using?

[camillobruni]

This issue applies to node as well.
The disclosed version numbers by the NVD apply as well, up to Chrome 114.0.5735.198 (v8 11.4.183.25).

The issue was related to V8's optimizing JIT compiler (Turbofan) and could be triggered by an attacker able to execute arbitrary JavaScript code.

[mcollina]

@camillobruni that was my assessment, thanks for confirming my initial assessment by looking at the CVE!

This is outside our threat model.

Having said that, I think we should aim to backport a fix anyway.

[mhdawson]

To clarify what @camillobruni and @mcollina said in the above comments. My understanding is that while the issue exists in the Node.js code base, it is not considered a vulnerability in Node.js because protecting againts how it can be used is outside of the Node.js threat model. This is because based on the threat model we trust the code that Node.js has been asked to run.

[preveen-stack]

Ref: https://en.m.wikipedia.org/wiki/Threat_model

[RafaelGSS]

@camillobruni I'm looking at it over the weekend, was it backported to v10.x? Otherwise, I believe we won't be able to add that patch to Node.js 18, unless we are sure it doesn't mix semver-major features (v11.x).

[targos]

I opened nodejs/node#50077 with the fixes that V8 applied to their 11.4 branch.

@RafaelGSS There is no concept of v10.x or v11.x in V8. The project doesn't follow semver.

[RafaelGSS]

@ambercool99 nodejs/node#50077 was merged into v20.x-staging and will be released tomorrow.

[mhdawson]

@RafaelGSS can this be closed now?

[mhdawson]

I'm going to close this on the assumption it has been resolved due to the comment above.

[richardlau]

@mhdawson to my knowledge this was not patched in Node.js 18.

[RafaelGSS]

It was merged on Node.js 20.x-staging, but wasn't released yet.

[richardlau]

It was merged on Node.js 20.x-staging, but wasn't released yet.

For Node.js 20 nodejs/node#50077 went out in Node.js 20.10.0.

[RafaelGSS]

Oh right, I didn't remember the backport.

[richardlau]

For Node.js 18, the v20.x backport PR does not cherry-pick cleanly onto v18.x-staging so we'd need a specific v18.x backport.

[RafaelGSS]

@targos I was trying to backport it to v18.x but, I think git node v8 backport has a bug?

➜  node git:(backport-v8-to-v18) ✗ git node v8 backport f7d000a7ae7b731805338338eb51a81fbcfe2628
✔ Update local V8 clone
❯ V8 commit backport
  ✔ Get current V8 version
  ✔ Generate patches
  ❯ Apply and commit patches to deps/v8
    ❯ Commit f7d000a7ae7b
      ⠴ Apply patch
      ◼ Increment embedder version number
      ◼ Commit patch

? Resolve merge conflicts and enter 'RESOLVED' ›

It doesn't show any conflict to resolve

➜  node git:(backport-v8-to-v18) git status
On branch backport-v8-to-v18
nothing to commit, working tree clean

Am I using it wrong?

[targos]

It happens when the diff doesn't apply at all (because code has changed too much between versions)