Closed Bug 1566042 Opened 5 years ago Closed 5 years ago

Update vulnerable lodash version in Browsertime

Categories: Firefox Build System :: General, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1565399
People: Reporter cr, Unassigned
References: Regression
Keywords: regression, sec-other
Whiteboard: [third-party-lib-testing]

The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.

Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise to update anyway.)

The non-vulnerable release versions are:

  • lodash 4.17.14
  • lodash.merge 4.6.2
  • lodash.template 4.5.0

Any older releases contain the vulnerable code.

I'm assuming that this lodash code is not actually shipping. Please report back here if it is.

@nalexander, can you shed some light on what component this bug should best be associated with and who else to involve?

Flags: needinfo?(nalexander)
See Also: → 1565614
See Also: → CVE-2019-10744
See Also: → 1566031
See Also: → 1566036
Flags: needinfo?(kmoir)
See Also: → 1566043
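
The reporter's second option above, verifying that the code does not expose the vulnerability to untrusted input, can be checked rather than argued. The following is an added example, not code from this bug, from lodash or from browsertime: a probe for the prototype-pollution bug class behind CVE-2019-10744 (a recursive merge walking through `__proto__` or `constructor.prototype` into `Object.prototype`), shown against a deliberately vulnerable deep-defaults stand-in and a hardened one, plus a check of an installed version against the fixed releases listed in comment #0. The vulnerable merge is a minimal reconstruction of the failure mode written for this example, not lodash's own `defaultsDeep`; the function names are hypothetical, and passing `require('lodash').defaultsDeep` to the probe assumes a checkout where that package is installed.

```javascript
// Added example (not code from bug 1566042, lodash, or browsertime): a probe for
// the prototype-pollution bug class behind CVE-2019-10744, plus a version check
// against the fixed releases listed in comment #0. The "vulnerable" merge below
// is a minimal stand-in written for this example; it is not lodash's defaultsDeep.

// Keys through which a recursive merge can reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Stand-in for a vulnerable deep-defaults: fills in missing keys recursively and
// descends into whatever the target already holds at that key, including
// target.constructor (a function) and then its .prototype, which for a plain
// object is Object.prototype itself.
function vulnerableDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    const dst = target[key]; // for key "__proto__" this already yields Object.prototype
    if (isPlainObject(src) && dst !== null &&
        (typeof dst === 'object' || typeof dst === 'function')) {
      vulnerableDefaultsDeep(dst, src);
    } else if (dst === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hardened variant: skips the three unsafe keys and only recurses into the
// target's own plain-object properties, so the prototype chain is unreachable.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    const dst = hasOwn ? target[key] : undefined;
    if (isPlainObject(src) && isPlainObject(dst)) {
      safeDefaultsDeep(dst, src);
    } else if (!hasOwn) {
      target[key] = isPlainObject(src) ? safeDefaultsDeep({}, src) : src;
    }
  }
  return target;
}

// Probe: run mergeFn over the two payload shapes that reach Object.prototype
// (JSON carrying an own "__proto__" key, and the constructor.prototype path) and
// report whether a fresh {} afterwards carries the planted marker. To test an
// installed copy of lodash, pass require('lodash').defaultsDeep (assumed to be
// present in your checkout; it is not loaded here).
let probeSeq = 0;
function pollutesObjectPrototype(mergeFn) {
  const marker = `__pp_probe_${++probeSeq}`;
  const payloads = [
    JSON.parse(`{"__proto__": {"${marker}": true}}`), // constructed attacker input
    { constructor: { prototype: { [marker]: true } } },
  ];
  let polluted = false;
  for (const payload of payloads) {
    try {
      mergeFn({}, payload);
    } catch (_) {
      // a merge that rejects these keys by throwing is acceptable
    }
    if (({})[marker] === true) polluted = true;
    delete Object.prototype[marker]; // always undo, so the rest of the process is unaffected
  }
  return polluted;
}

// Fixed releases as listed in comment #0 of the bug.
const FIXED_VERSIONS = {
  lodash: '4.17.14',
  'lodash.merge': '4.6.2',
  'lodash.template': '4.5.0',
};

// Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True if `version` is at or past the fixed release; null for packages the bug
// does not list. Pass the exact installed version (from the lockfile or the
// package's own package.json), not a ^/~ range from a dependent's package.json,
// since the range does not tell you what is actually on disk.
function isFixedVersion(pkg, version) {
  const fixed = FIXED_VERSIONS[pkg];
  if (fixed === undefined) return null;
  return compareVersions(version, fixed) >= 0;
}
```

The probe deliberately cleans up after itself: leaving a marker on Object.prototype would change the behaviour of every later `in` check and `for...in` loop in the same process, which is exactly why this bug class matters once a merge is fed attacker-controlled JSON.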

(In reply to Christiane Ruetten [:cr] from comment #0)
> The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.
>
> Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise to update anyway.)
>
> The non-vulnerable release versions are:
>
>   • lodash 4.17.14
>   • lodash.merge 4.6.2
>   • lodash.template 4.5.0
>
> Any older releases contain the vulnerable code.
>
> I'm assuming that this lodash code is not actually shipping. Please report back here if it is.

It is not shipping in any product we deliver to end users.

It is installed for developers by ./mach browsertime --setup. The set of such developers is very small, and would probably be reached by emailing perfteam@, firefox-dev@, and dev-platform@.

Denis has already addressed this issue in https://github.com/mozilla/browsertime/pull/26 but I see that the landed commit hasn't made it into the definition in m-c at https://searchfox.org/mozilla-central/rev/07f7390618692fa4f2a674a96b9b677df3a13450/tools/browsertime/package.json.

> @nalexander, can you shed some light on what component this bug should best be associated with and who else to involve?

Certainly. I've set "regressed by", and left the component simply because there's no more specific place for browsertime-related tickets at this time.

Denis, could you turn this ticket into a "bump browsertime SHA" ticket and submit a patch to get that done? Thanks!

Flags: needinfo?(nalexander) → needinfo?(dpalmeiro)
Regressed by: 1543247
Keywords: regression

I actually already posted a patch in bug 1565399, it's just awaiting review.

Flags: needinfo?(dpalmeiro)

Removing ni since a patch is up for review.

Flags: needinfo?(kmoir)

Thanks, everyone!

Depends on: 1565399
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Keywords: sec-other
Has Regression Range: --- → yes
Group: firefox-core-security