Comments (3)

github-actions commented on August 23, 2024

Hello @RobotnickIsrael! 👋 we're sorry you found a bug... so first of all, thank you very much for reporting it.

However, your report doesn't follow the issue template, so it is being automatically closed. We are really sorry for that, but we need all reports to follow the template, or else it won't be possible to understand and help with all issues.

Please, create a new issue following the template, or reopen this same issue to edit and provide all required information.

from bugtracker.

j1elo commented on August 23, 2024

> Kurento-utils js client, for some reason has jar files in it.

I don't see that kurento-utils-js (NPM package kurento-utils) has any jar file itself. Can you please point to what you mean?

But yes, it does depend on sdp-translator, a package that, apart from its JavaScript code, seems to bundle a complete Maven artifact too. sdp-translator is itself actually a renamed build of sdp-interop, an old Jitsi package. The fact that it includes both JS and Java modules leads me to think that its developers thought of making a single package that could be used for both platforms, albeit it seems to me a pretty arguable decision.

I do not think the vulnerability applies here, because as you mentioned, JS code will not end up invoking the vulnerable Java dependency. And in any case, there is not much that can be done. This is a summary of the situation:

  • sdp-translator is a derived, renamed version of sdp-interop, an old Jitsi package that has since been moved.
  • The source repository for sdp-translator was https://github.com/Kurento/sdp-translator-js, which doesn't exist any more, and there is no documentation at all about the reasons (very helpful, thanks guys).
  • Currently, kurento-utils depends on sdp-translator ^0.1.15. But in NPM, the latest version is 0.1.24. I could update the dependency in kurento-utils, if that helps anything. But in any case, that's just delaying the inevitable: sooner or later a new security issue will affect it, and then no more up-to-date versions will exist for this package.
  • kurento-utils-js was these past years a source of distractions because there was nobody maintaining it, in a period of time where a lot was happening regarding the WebRTC API. Users would constantly find that the code was missing important new functionality (Transceivers-based API) or ancient methodology (like callbacks everywhere instead of async/await).

For all these reasons, kurento-utils was considered deprecated and it is currently marked as unmaintained, with a big warning on the README page: https://github.com/Kurento/kurento-utils-js. The Kurento JS tutorials still depend on it because they just work, and because there are not enough hands to do the bulk work of removing this dependency and replacing it with adequate calls directly to the WebRTC API. Otherwise, for actual apps, the strong recommendation is to avoid using it.

RobotnickIsrael commented on August 23, 2024

Hi Juan,

The problematic jar files are in
node_modules/sdp-translator/m2/repository/com/thoughworks/xstream/xstream/1.4.3
node_modules/sdp-translator/m2/repository/com/thoughworks/xstream/xstream-parent/1.4.3

Anyway, I checked what you said and you are right. I imported kurento-utils since that's how it was in the examples, but I never actually used it, and I don't seem to need it at all to work.

Thank you very much (:

Israel
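
The check discussed in this thread, as an added example that is not part of the original comments or of any Kurento code: a Node.js script that walks a node_modules tree, lists every bundled .jar file, and reports which npm package ships it and, where the path follows a Maven repository layout, the Maven coordinates. The function names, the reliance on a directory called `repository` (taken from the path quoted above) and the fixture files are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Owning npm package: the segment(s) after the last "node_modules" in the path.
function owningPackage(parts) {
  const i = parts.lastIndexOf('node_modules');
  if (i < 0 || i + 1 >= parts.length - 1) return null;
  const first = parts[i + 1];
  return first.startsWith('@') ? `${first}/${parts[i + 2]}` : first;
}

// Assumed Maven layout: repository/<group dirs>/<artifact>/<version>/<artifact>-<version>.jar
function mavenCoordinates(parts) {
  const n = parts.length;
  const [artifact, version, file] = parts.slice(n - 3);
  const start = parts.lastIndexOf('repository');
  if (start < 0 || start > n - 5 || file !== `${artifact}-${version}.jar`) return null;
  return `${parts.slice(start + 1, n - 3).join('.')}:${artifact}:${version}`;
}

function findBundledJars(root) {
  const hits = [];
  const stack = [path.resolve(root)];
  while (stack.length) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(full); // symlinked directories are not followed
      else if (entry.isFile() && entry.name.toLowerCase().endsWith('.jar')) {
        const parts = full.split(path.sep);
        hits.push({ file: path.relative(root, full), npmPackage: owningPackage(parts), maven: mavenCoordinates(parts) });
      }
    }
  }
  return hits.sort((a, b) => a.file.localeCompare(b.file));
}

// Constructed fixture: empty files laid out like the path quoted in the thread.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'jarscan-'));
  const jars = ['sdp-translator/m2/repository/com/thoughworks/xstream/xstream/1.4.3/xstream-1.4.3.jar',
                '@example/pkg/lib/tool.jar']; // second entry is a hypothetical scoped package
  for (const rel of jars) {
    const file = path.join(root, 'node_modules', ...rel.split('/'));
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, '');
  }
  return findBundledJars(path.join(root, 'node_modules'));
}
console.table(demo());
```

To scan a real project, call `findBundledJars('node_modules')` from the project root and compare the reported coordinates with what the dependency scanner flagged.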