Closed Bug 1566043 Opened 2 years ago Closed 2 years ago

Update vulnerable lodash dependency in eslint-plugin-mozilla

Categories

(Firefox Build System :: Lint and Formatting, defect)

defect
Not set
normal

Tracking

(firefox-esr60 wontfix, firefox-esr68 fixed, firefox68 wontfix, firefox69 fixed, firefox70 fixed)

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- fixed
firefox68 --- wontfix
firefox69 --- fixed
firefox70 --- fixed

People

(Reporter: cr, Assigned: standard8)

References

Details

(Keywords: sec-other, Whiteboard: [third-party-lib-testing])

Attachments

(2 files)

The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.

Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise updating anyway.)

The non-vulnerable release versions are:

  • lodash 4.17.14
  • lodash.merge 4.6.2
  • lodash.template 4.5.0

Any older releases contain the vulnerable code.

I'm assuming that this lodash code is not actually shipping. Please report back here if it is.

See Also: → 1565614
See Also: → CVE-2019-10744
See Also: → 1566031
See Also: → 1566036
See Also: → 1566039
See Also: → 1566042
Flags: needinfo?(ahal)
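To make the two asks in comment 0 concrete (audit the tree for lodash below the listed fixed versions, and understand what "prototype pollution" means for a deep-merge helper), here is an added, self-contained example. It is not code from this bug, from lodash, or from eslint-plugin-mozilla; the lockfile below is a constructed sample, "some-tool" is a hypothetical package name, the version comparison assumes plain x.y.z versions, and the naive merge is a generic illustration of the bug class rather than lodash's actual code.

```javascript
// Minimum non-vulnerable versions, as listed in comment 0.
const MINIMUM_SAFE = {
  'lodash': '4.17.14',
  'lodash.merge': '4.6.2',
  'lodash.template': '4.5.0',
};

// Numeric x.y.z comparison. Assumption: no pre-release suffixes.
function isAtLeast(version, minimum) {
  const a = version.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Walk a package-lock.json v1 tree ("dependencies" nested per package) and
// report every lodash package below its minimum, with its nesting path.
function findVulnerableLodash(lock) {
  const hits = [];
  (function walk(deps, path) {
    for (const name of Object.keys(deps || {})) {
      const entry = deps[name];
      const here = path.concat(name);
      if (name in MINIMUM_SAFE && !isAtLeast(entry.version, MINIMUM_SAFE[name])) {
        hits.push({ path: here.join(' > '), name, version: entry.version,
                    minimum: MINIMUM_SAFE[name] });
      }
      walk(entry.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not a real Mozilla lockfile).
const SAMPLE_LOCK = JSON.stringify({
  dependencies: {
    'some-tool': { version: '1.0.0',
                   dependencies: { 'lodash': { version: '4.17.11' } } },
    'lodash': { version: '4.17.14' },
    'lodash.merge': { version: '4.6.1' },
  },
});

// Why a stale deep-merge matters: a recursive merge that follows a
// "__proto__" key coming from JSON lands on Object.prototype and pollutes
// every object in the process. JSON.parse creates "__proto__" as an own key,
// so Object.keys() yields it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);          // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge with an attacker-shaped payload and reports whether an
// unrelated, freshly created object picked up the injected property.
// Cleans up afterwards so the process is not left polluted.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  mergeFn({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

for (const hit of findVulnerableLodash(JSON.parse(SAMPLE_LOCK))) {
  console.log(`${hit.path}: ${hit.version} < ${hit.minimum}`);
}
console.log('naiveMerge pollutes:', pollutes(naiveMerge));
console.log('safeMerge pollutes:', pollutes(safeMerge));
```

Run it with node; the audit prints the nested lodash under some-tool and the stale lodash.merge, while the top-level lodash 4.17.14 passes. Swap SAMPLE_LOCK for a real package-lock.json (v1 layout) to check a tree; lockfile v2/v3 use a flat "packages" map and would need a different walker.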

I can take this. Shouldn't be a big issue to update. Note this is developer-only stuff.

I'll update the package lists for eslint-plugin-mozilla and the top-level, as it is easier to do them at the same time.

Assignee: nobody → standard8
Status: NEW → ASSIGNED
Flags: needinfo?(ahal)

(In reply to Christiane Ruetten [:cr] from comment #0)

This link points to gfx. I assume it was meant to point to eslint-plugin-mozilla.

Christiane, presumably as this relates to developer only tooling, we can land it any time we need to, without requesting security approval?

Should we land through autoland, or direct on central? I guess we want this on branches as well?

Flags: needinfo?(cr)

> we can land it any time we need to, without requesting security approval?

I'm not aware of the requirements the linter team has established around landing code. From a security perspective, there wouldn't be much to review in this version bump.

Flags: needinfo?(cr)

Right, Searchfox link should have been this one.

Thanks, I'll get this landed.

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Does this need backport?

Flags: needinfo?(standard8)

I've pushed this to beta as NPOTB as it was a simple update.

https://hg.mozilla.org/releases/mozilla-beta/rev/5def55cc75a70465407ab31228c77c6dd7bec349

I was thinking about skipping release as there shouldn't be many developers using that, and I suspect the only way this could be exploited is by getting something into the appropriate tree.

However, it might be worth doing this on esr, just so we're not raising any concerns there. I'll see if I can get a patch spun up.

Flags: needinfo?(standard8)

Doesn't sound likely that we need to worry about ESR60 here, but feel free to change that if that's incorrect.

Keywords: sec-other
Group: core-security-release