CVE-2024-5129 #16

Open: wants to merge 7 commits into base: main

Conversation

lmkoduru

No description provided.

@olegbck olegbck (Collaborator) left a comment

The exploit seems to be working, but could you please add another command after curl that would prove that the 'lunary' database was indeed deleted?


- name: Install nvm
  ansible.builtin.shell: >
    curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.39.1/install.sh | bash
Collaborator

Do we need exactly 0.39.1? If we do, please move this file to the data folder, do not pull it by URL. Otherwise use https://raw.githubusercontent.com/creationix/nvm/master/install.sh

Author

No, we don't need the specific version. I've just changed it to use https://raw.githubusercontent.com/creationix/nvm/master/install.sh

Author

I've also added another command after curl that shows we deleted the database.


- name: Install node and project deps
  shell: >
    . $HOME/.nvm/nvm.sh && nvm install 20.18.0 && cd /tmp/lunary && npm install && npm run migrate:db
Collaborator

Does "nvm install 20.18.0" pull something from the Internet? Is it possible to keep this version of that thing in the data folder? Imagine 20.18.0 is not available anymore for download. What do we do?

Author

I added a version in the data folder.

Collaborator

What I meant is: please not only put the archive to the data folder, but also install it from the file. My mistake, sorry if it wasn't obvious.

olegbck commented Nov 21, 2024

Still waiting for node-v20.18.0-darwin-x64.tar.gz to be used during installation, then I'll test the changes.

lmkoduru commented Dec 5, 2024

Hi Oleg,
I just updated the code to use node-v20.18.0-darwin-x64.tar.gz during installation. Please let me know if it looks ok or if I should modify anything.

olegbck commented Dec 5, 2024

It fails at this stage:

2024-12-05 08:20:22,435 - INFO - [ubuntu1] TASK [Install node and project deps] *******************************************
2024-12-05 08:20:24,388 - INFO - [ubuntu1] fatal: [ubuntu1]: FAILED! => {"changed": true, "cmd": "export NODE_PATH=/desired/install/path/node-v20.18.0-darwin-x64 && export PATH=$NODE_PATH/bin:$PATH && cd /tmp/lunary && npm install && npm run migrate:db\n", "delta": "0:00:00.038004", "end": "2024-12-05 07:20:23.364126", "msg": "non-zero return code", "rc": 127, "start": "2024-12-05 07:20:23.326122", "stderr": "/bin/bash: line 1: npm: command not found", "stderr_lines": ["/bin/bash: line 1: npm: command not found"], "stdout": "", "stdout_lines": []}

lmkoduru commented Dec 5, 2024

Hi Oleg,
Does the latest code seem to work?

export NODE_PATH=/desired/install/path/node-v20.18.0-darwin-x64 &&
export PATH=$NODE_PATH/bin:$PATH &&
cd /tmp &&
curl -O https://nodejs.org/dist/v20.18.0/node-v20.18.0-darwin-x64.tar.gz &&
Collaborator

Please do not pull this package from the Internet. It's already in the data folder, please install it from the file.

Author

Just made some changes, does it look ok?

olegbck commented Dec 6, 2024

This variant still doesn't work:

2024-12-06 12:06:12,197 - INFO - [ubuntu1] TASK [Install node and project deps] *******************************************
2024-12-06 12:06:12,814 - INFO - [ubuntu1] fatal: [ubuntu1]: FAILED! => {"changed": true, "cmd": "tar -xzf data/node-v20.18.0-darwin-x64.tar.gz -C /usr/local && export PATH=/usr/local/node-v20.18.0-darwin-x64/bin:$PATH && npm install && npm run migrate:db\n", "delta": "0:00:00.045951", "end": "2024-12-06 11:06:11.648362", "msg": "non-zero return code", "rc": 2, "start": "2024-12-06 11:06:11.602411", "stderr": "tar (child): data/node-v20.18.0-darwin-x64.tar.gz: Cannot open: No such file or directory\ntar (child): Error is not recoverable: exiting now\ntar: Child returned status 2\ntar: Error is not recoverable: exiting now", "stderr_lines": ["tar (child): data/node-v20.18.0-darwin-x64.tar.gz: Cannot open: No such file or directory", "tar (child): Error is not recoverable: exiting now", "tar: Child returned status 2", "tar: Error is not recoverable: exiting now"], "stdout": "", "stdout_lines": []}

Could you please test your changes before committing them?

olegbck commented Jan 7, 2025

The error message above can't find node-v20.18.0-darwin-x64.tar.gz because it hasn't been copied to ubuntu1. This file is only 112 bytes in size, and "darwin" in the name implies that the archive targets macOS (we need the one for Ubuntu). I tried to use https://nodejs.org/dist/v20.18.0/node-v20.18.0-linux-x64.tar.xz from https://nodejs.org/en/blog/release/v20.18.0, but I still get these errors:

$ sudo npm install
npm error code ENOENT
npm error syscall open
npm error path /home/vagrant/package.json
npm error errno -2
npm error enoent Could not read package.json: Error: ENOENT: no such file or directory, open '/home/vagrant/package.json'
npm error enoent This is related to npm not being able to find a file.
npm error enoent
npm error A complete log of this run can be found in: /root/.npm/_logs/2025-01-07T13_18_07_334Z-debug-0.log
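The three failures in this thread (archive never copied to the target, a darwin archive on an Ubuntu host, and npm started from $HOME instead of the project directory) are all catchable before anything is run. The script below is an added example written for this review; it is not code from the PR or from the lunary project. It installs Node.js from an archive vendored in the repository's data folder, the way the reviewer asked, and refuses to proceed when the file is missing, is built for the wrong platform, is suspiciously small, or fails an optional SHA-256 check. MIN_ARCHIVE_BYTES, the platform string, and every path are assumptions for illustration; the reviewer's preference for installing from the file rather than from a URL is the only thing taken from the thread.

```shell
#!/bin/sh
# Added example, not from the PR: install Node.js from a locally vendored
# archive (data/ folder) instead of fetching nvm or node at run time, with the
# sanity checks this review thread kept tripping over.

# Assumption: a genuine Node build is tens of MB; anything smaller is a
# placeholder (the thread's 112-byte file), not an installable archive.
MIN_ARCHIVE_BYTES=${MIN_ARCHIVE_BYTES:-1048576}

# check_node_archive ARCHIVE PLATFORM [SHA256]
# Returns 0 when ARCHIVE is usable; otherwise 1 missing, 2 wrong platform,
# 3 too small, 4 checksum mismatch. Reasons go to stderr.
check_node_archive() {
  archive=$1 platform=$2 expected=${3:-}
  [ -f "$archive" ] || { echo "missing: $archive (was it copied to the target host?)" >&2; return 1; }
  case "$(basename "$archive")" in
    *-"$platform".tar.gz|*-"$platform".tar.xz) ;;
    *) echo "archive is not a $platform build: $archive" >&2; return 2 ;;
  esac
  size=$(wc -c < "$archive" | tr -d ' ')
  [ "$size" -ge "$MIN_ARCHIVE_BYTES" ] || { echo "only $size bytes: placeholder, not a node build" >&2; return 3; }
  if [ -n "$expected" ]; then
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $archive" >&2; return 4; }
  fi
}

# node_bin_dir ARCHIVE DEST
# Prints the bin/ directory the official tarball layout unpacks to under DEST.
node_bin_dir() {
  name=$(basename "$1"); name=${name%.tar.gz}; name=${name%.tar.xz}
  printf '%s/%s/bin\n' "$2" "$name"
}

# install_node_from_archive ARCHIVE DEST PLATFORM [SHA256]
# Validates, unpacks, and prints the bin/ directory to put on PATH.
install_node_from_archive() {
  check_node_archive "$1" "$3" "${4:-}" || return $?
  mkdir -p "$2" && tar -xf "$1" -C "$2" || return 5
  bin=$(node_bin_dir "$1" "$2")
  [ -x "$bin/npm" ] || { echo "no npm in $bin after extraction" >&2; return 6; }
  printf '%s\n' "$bin"
}

# run_project_deps PROJECT_DIR NODE_BIN
# The thread's ENOENT on package.json came from running npm in $HOME; always
# change into the project first (in Ansible: args: chdir: /tmp/lunary).
run_project_deps() {
  [ -f "$1/package.json" ] || { echo "no package.json in $1; wrong working directory?" >&2; return 1; }
  ( cd "$1" && export PATH="$2:$PATH" && npm install && npm run migrate:db )
}

# Usage (paths are assumptions):
#   bin=$(install_node_from_archive data/node-v20.18.0-linux-x64.tar.xz /usr/local linux-x64 "$EXPECTED_SHA256") \
#     && run_project_deps /tmp/lunary "$bin"
```

In the playbook the same steps map onto ansible.builtin.copy (data/ on the controller to the target), ansible.builtin.unarchive, and a shell task with `args: chdir: /tmp/lunary`; the checks above are what a task should do before it trusts the file it was handed.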
