
Is Nodejs vulnerable to ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)? #2716

Closed
Satishktp opened this issue May 21, 2020 · 8 comments

Comments

@Satishktp

Satishktp commented May 21, 2020

  • Node.js 8 to 10.15.x:
  • OS:
  • Scope (install, code, runtime, meta, other?):
  • Module (and version) (if relevant):

Is Nodejs vulnerable to ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)?
Red Hat and many other vendors have released patches to patch the ICU buffer overflow issue in their platforms
As we notice, we have ICU being used in Nodejs.
Example: Node 8.x has icu: '59.1' and Node 10.x has icu: '62.1'
Please see the below links for this ICU vulnerability
https://www.tenable.com/cve/CVE-2020-10531 ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)
https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20201317%20-%20Security%20Advisory
Red Hat has released an update for the nodejs:10 module to address the ICU issue.

I didn't find any reference from Nodejs security on this ICU issue.

Can anybody from Nodejs confirm if Nodejs is vulnerable for this ICU Integer Overflow vulnerability?

Thank you

@Satishktp
Author

I don't know if this is the right place to enquire about this ICU vulnerability being used in Node.
Looking forward to input from Nodejs support

@richardlau
Member

cc @nodejs/security

@srl295 Would it be possible to find out which versions of ICU were affected?

@richardlau
Member

Adapting the testcase from https://bugs.chromium.org/p/chromium/issues/detail?id=1044570:

-bash-4.2$ cat CVE-2020-10531.js
'use strict';

console.log(process.versions);
var s = "a".repeat(0xAFFFFFF); // maybe system-dependent

console.log("len:", new Intl.ListFormat().format(Array(16).fill(s)).length);
-bash-4.2$

With Node.js 14.3.0:

-bash-4.2$ node CVE-2020-10531.js
{
  node: '14.3.0',
  v8: '8.1.307.31-node.33',
  uv: '1.37.0',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.16.0',
  modules: '83',
  nghttp2: '1.40.0',
  napi: '6',
  llhttp: '2.0.4',
  openssl: '1.1.1g',
  cldr: '37.0',
  icu: '67.1',
  tz: '2019c',
  unicode: '13.0'
}
len: 0
-bash-4.2$

Node.js 13.14.0:

-bash-4.2$ node CVE-2020-10531.js
{
  node: '13.14.0',
  v8: '7.9.317.25-node.32',
  uv: '1.37.0',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.16.0',
  modules: '79',
  nghttp2: '1.40.0',
  napi: '6',
  llhttp: '2.0.4',
  openssl: '1.1.1g',
  cldr: '36.1',
  icu: '66.1',
  tz: '2019c',
  unicode: '13.0'
}
Segmentation fault (core dumped)
-bash-4.2$

Node.js 12.16.3:

-bash-4.2$ node CVE-2020-10531.js
{
  node: '12.16.3',
  v8: '7.8.279.23-node.35',
  uv: '1.34.2',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.16.0',
  modules: '72',
  nghttp2: '1.40.0',
  napi: '5',
  llhttp: '2.0.4',
  http_parser: '2.9.3',
  openssl: '1.1.1g',
  cldr: '36.0',
  icu: '65.1',
  tz: '2019c',
  unicode: '12.1'
}
Segmentation fault (core dumped)
-bash-4.2$

Node.js 10.20.1 (can't run the test because of the Intl.ListFormat API)

-bash-4.2$ node CVE-2020-10531.js
{ http_parser: '2.9.3',
  node: '10.20.1',
  v8: '6.8.275.32-node.56',
  uv: '1.34.2',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.15.0',
  modules: '64',
  nghttp2: '1.39.2',
  napi: '6',
  openssl: '1.1.1e',
  icu: '64.2',
  unicode: '12.1',
  cldr: '35.1',
  tz: '2019c' }
/home/users/riclau/tmp/CVE-2020-10531.js:6
console.log("len:", new Intl.ListFormat().format(Array(16).fill(s)).length);
                    ^

TypeError: Intl.ListFormat is not a constructor
    at Object.<anonymous> (/home/users/riclau/tmp/CVE-2020-10531.js:6:21)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)
-bash-4.2$

Visually inspecting deps/icu-small/source/common/unistr.cpp in the Node.js source tree it looks like only 14.x/master using ICU 67.1 contains unicode-org/icu#971.

@richardlau
Member

richardlau commented May 22, 2020

In terms of updating the release:
Node.js 14.x - N/A (uses ICU 67.1 which contains the fix for the CVE)
Node.js 13.x - Goes End-of-Life on 1 June 2020 so will either need to be patched next week or never
Node.js 12.x - nodejs/node#33337 proposes upgrading to ICU 67.1. @targos is the plan to get that into next week's 12.17.0?
Node.js 10.x - Testcase doesn't work so no idea if it is vulnerable but uses ICU 64.2 which doesn't contain the patch for the CVE.

@srl295
Member

srl295 commented May 22, 2020

  • 13.x could easily go to 67.1
  • 64.2 does not contain the patch, correct. I do not know if there are any surfaces which could reach this situation from 10.x

@targos
Member

targos commented May 23, 2020

I included 67.1 in the v12.17.0 proposal.

@sam-github

The fix was released in the most recent 10.x sec release.

See https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/

I think that fixes this issue.

@meravkochavi

I saw that the security issue affects version 58.1 as well.

If I cherry-pick the changes from the changeset 'ICU-20958 Prevent SEGV_MAPERR in append'
unicode-org/icu@b7d08bc
(and add the missing function uprv_add32_overflow as well), should that fix the issue for the CVE
https://nvd.nist.gov/vuln/detail/CVE-2020-10531#vulnCurrentDescriptionTitle
for the 58.1 version?


6 participants