1565614 - lodash vulnerability in shipped versions Firefox

Status: RESOLVED FIXED

(Firefox :: PDF Viewer, defect, P2)

Description

[hwine]

CVE-2019-10744 rated severity High -- unknown if exploitable in desktop

Best description at time of filing is the lodash fix

Also: dependabot created a fix, but it could not completely apply. See PDF.js security alerts for more details.

Comment 1

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Looks like the fix is already merged? https://github.com/mozilla/pdf.js/pull/10964/files

Comment 2

[hwine]

Attachment: 1/2

Error message 1/2

Comment 3

[hwine]

Attachment: 2/2 error message

Comment 4

[hwine]

(In reply to Paul Theriault [:pauljt] (needinfo pls) from comment #1)

Looks like the fix is already merged? https://github.com/mozilla/pdf.js/pull/10964/files

Part of it, yes. I just uploaded the 2 remaining error messages from the PDF.js security alerts page. The remaining issue is with lodash.template.

Comment 5

[Paul Theriault [:pauljt] (no longer reading bugmail)]

(In reply to Hal Wine [:hwine] (use NI, please) from comment #4)

Part of it, yes. I just uploaded the 2 remaining error messages from the PDF.js security alerts page. The remaining issue is with lodash.template.

I can't access this alerts page do you mean we updated one package, but there is a lodash.template package which is not updated?

(Re: the rating Dan applied:)

I very much doubt this is sec-high or priv-esc. Per the advisory:

Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.

I mean its possible, but I had a quick skim and I couldn't see any eval usage like this (and i'd be inclined to call this eval usage dangerous regardless of the lodash issue) . Not to say we shouldn't fix, but sec-high feels overblown here. But I can't say for certain that we DON'T do something terrible like this, so I guess we could stick with the conservative. I couldn't actually find any of the unsafe functions actually used from a quick skim.

Comment 6

[Paul Theriault [:pauljt] (no longer reading bugmail)]

For reference here is a LGTM query looking for calls to a function named "merge" in pdf.js: https://lgtm.com/query/4666792578740743474/
The only calls I see are to Dict.merge which is not lodash. Still, we should still update if we havent already.

Comment 7

[hwine]

(In reply to Paul Theriault [:pauljt] (needinfo pls) from comment #5)

(In reply to Hal Wine [:hwine] (use NI, please) from comment #4)

Part of it, yes. I just uploaded the 2 remaining error messages from the PDF.js security alerts page. The remaining issue is with lodash.template.

I can't access this alerts page do you mean we updated one package, but there is a lodash.template package which is not updated?

Correct. And that is still the case as of now.

As near as I can tell, there is some sort of dependency conflict that a developer will need to resolve.

Comment 8

[Dave Townsend [:mossop] (PTO until Aug 21st)]

Can someone set a priority on this? For some reason I'm getting bugged about it.

Comment 9

[Brendan Dahl [:bdahl]]

Sorry, just finally got CCed on this. Lodash is only used by babel to compile for non-firefox versions, so I don't think this was really an issue. I'll update it anyways here in a bit.

Comment 10

[Liz Henry (:lizzard) (relman/hg->git project)]

Brendan is this something you can help resolve? Thanks!

Comment 11

[Brendan Dahl [:bdahl]]

The package with the security vulnerability is used by another package that appears to be abandoned by the author. It doesn't look like the security vulnerability is actually an issue for how it's used, but I've filed a bug upstream with pdf.js to remove the dependency.

Comment 12

[Brendan Dahl [:bdahl]]

Since this doesn't affect the built in version of pdf.js I'm moving this to sec-other.

Comment 13

[Brendan Dahl [:bdahl]]

Fixed by https://github.com/mozilla/pdf.js/pull/11325