Update vulnerable lodash version in Browsertime
Categories: Firefox Build System :: General, defect
Tracking: Not tracked
People: Reporter: cr, Unassigned
References: Regression
Details: Keywords: regression, sec-other; Whiteboard: [third-party-lib-testing]
The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.
- https://github.com/lodash/lodash/issues/4348
- https://github.com/lodash/lodash/pull/4336
- https://github.com/lodash/lodash/pull/4355
Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise updating anyway.)
The non-vulnerable release versions are:
- lodash 4.17.14
- lodash.merge 4.6.2
- lodash.template 4.5.0
Any older releases contain the vulnerable code.
I'm assuming that this lodash code is not actually shipping. Please report back here if it is.
@nalexander, can you shed some light on what component this bug should best be associated with and who else to involve?
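The report above gives a concrete floor per package (lodash 4.17.14, lodash.merge 4.6.2, lodash.template 4.5.0) and asks whether the vulnerable code is shipped or merely installed. One way to answer that quickly is to walk the resolved dependency tree and flag anything below those floors, including transitive copies, which is where an outdated lodash usually hides. The following is an added example, not code from this bug report or from browsertime; it assumes a v1-style package-lock.json layout (`dependencies` keyed by name, each with a `version` and optional nested `dependencies`), and the lockfile content shown is constructed for illustration.

```javascript
// Added example (not from the bug report or from browsertime): audit a
// package-lock-style dependency tree against the non-vulnerable lodash
// releases named in comment #0.

// Minimum safe versions, taken from the bug report.
const MIN_SAFE = {
  "lodash": "4.17.14",
  "lodash.merge": "4.6.2",
  "lodash.template": "4.5.0",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts. A leading range
// operator such as "^" or "~" is tolerated, but the intent is to audit the
// resolved (installed) version recorded in the lockfile, not a range.
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// (String comparison would wrongly rank "4.17.9" above "4.17.14".)
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Flatten the "dependencies" tree of a v1-style package-lock.json into
// {name, version, path} records, recursing into nested dependencies so that
// a second, older lodash pulled in by some other package is not missed.
function flattenLockfile(lock, prefix = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...prefix, name];
    out.push({ name, version: entry.version, path: path.join(" > ") });
    if (entry.dependencies) flattenLockfile(entry, path, out);
  }
  return out;
}

// Return every tracked lodash package installed below its safe floor.
function auditLockfile(lock) {
  const findings = [];
  for (const dep of flattenLockfile(lock)) {
    const floor = MIN_SAFE[dep.name];
    if (floor === undefined) continue; // not a package this audit tracks
    if (compareVersions(dep.version, floor) < 0) {
      findings.push({ ...dep, minimumSafe: floor });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical package names, not the real
// browsertime tree): the top-level lodash is current, but a dependency pins
// older lodash and lodash.template copies underneath it.
const SAMPLE_LOCK = {
  name: "example-app",
  dependencies: {
    "lodash": { version: "4.17.14" },
    "some-tool": {
      version: "1.0.0",
      dependencies: {
        "lodash": { version: "4.17.11" },
        "lodash.template": { version: "4.4.0" },
      },
    },
    "lodash.merge": { version: "4.6.2" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version} is below safe floor ${f.minimumSafe}`);
}
```

Run with `node` after replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means every tracked lodash package, top-level or nested, is at or above the versions the report lists. A non-empty result is the "still vulnerable" answer even when package.json itself looks up to date, which is exactly the situation the thread later describes for the browsertime definition in mozilla-central.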
Comment 1•5 years ago
(In reply to Christiane Ruetten [:cr] from comment #0)
> The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.
> - https://github.com/lodash/lodash/issues/4348
> - https://github.com/lodash/lodash/pull/4336
> - https://github.com/lodash/lodash/pull/4355
> Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise updating anyway.)
> The non-vulnerable release versions are:
> - lodash 4.17.14
> - lodash.merge 4.6.2
> - lodash.template 4.5.0
> Any older releases contain the vulnerable code.
> I'm assuming that this lodash code is not actually shipping. Please report back here if it is.
It is not shipping in any product we deliver to end users.
It is installed for developers by ./mach browsertime --setup. The set of such developers is very small, and would probably be reached by emailing perfteam@, firefox-dev@, and dev-platform@.
Denis has already addressed this issue in https://github.com/mozilla/browsertime/pull/26 but I see that the landed commit hasn't made it into the definition in m-c at https://searchfox.org/mozilla-central/rev/07f7390618692fa4f2a674a96b9b677df3a13450/tools/browsertime/package.json.
> @nalexander, can you shed some light on what component this bug should best be associated with and who else to involve?
Certainly. I've set "regressed by", and left the component simply because there's no more specific place for browsertime-related tickets at this time.
Denis, could you turn this ticket into a "bump browsertime SHA" ticket and submit a patch to get that done? Thanks!
Comment 2•5 years ago
I actually already posted a patch in bug 1565399, it's just awaiting review.