[Bug]: RSA_PKCS1_PADDING
guitardoc opened this issue · 10 comments
What happened?
I am still on node 20.11.0 due to the RSA_PKCS1_PADDING issue.
Will this ever be addressed or is this a permanent issue which cannot be remedied?
Thank you for giving me (and others) some information.
Device Type
Doorbell (Supported)
Plugin Version
v3.0.x (Best Effort)
HomeBridge Version
v1.7.x (Supported)
NodeJS Version
v20 (Supported)
Operating System
Raspbian 10+ (Supported)
Relevant log output
see above
config
see above
Did you check the Common Issues pages?
Anything?
This is a show stopper and urgent
Still nothing from the developers?
Any updates on this issue?
Anything?
potentially relevant: homebridge-eufy-security/eufy-security-client@dff3508
Thank you for the information!
I am on openssl 3.0.15 and node 20.11.0 (the last node version which supported RSA_PKCS1_PADDING).
Do you think it is safe to update to node 20.18.0 (LTS) and not have the RSA_PKCS1_PADDING issue anymore?
That change hasn't been incorporated into the plugin yet - so if you upgrade node, you'll at least break live-streaming.
Having said that, I'm running node 20.18.0, but you need to add a launch command line flag to revert the node deprecation.
You can't set the flag in NODE_OPTIONS, it has to go into the homebridge start script.
I created a pre-start file that does the needful. YMMV, and no warranty expressed or implied.
Note: I'm running homebridge in an lxc/lxd container, there may be a way to do a similar thing if you're running out of docker, but 🤷. Oh, and the scary error message about incompatible node versions will still appear in the logs, because the code that "tests" node is just doing a simple version compare.
# cat /etc/hb-service/homebridge/prestart.d/99-revert-cve-2023-46809
#!/bin/bash
CVE=CVE-2023-46809
CVE_REVERT_ARG="--security-revert=$CVE"
NODE_EXE_PATH=/opt/homebridge/bin/node
HOMEBRIDGE_START=/opt/homebridge/start.sh

# Exit status 0 if the node binary mentions the CVE (i.e. it carries the fix).
grep -q -- "$CVE" "$NODE_EXE_PATH"
NEEDS_CVE_REVERT=$?
# Exit status 0 if the start script already passes the revert flag.
grep -q -- "$CVE_REVERT_ARG" "$HOMEBRIDGE_START"
HAS_CVE_REVERT=$?
LAUNCH_CMD="\$HB_SERVICE_NODE_EXEC_PATH \$HB_SERVICE_EXEC_PATH"

# Only touch the start script when its state does not match the binary.
if [ "$HAS_CVE_REVERT" != "$NEEDS_CVE_REVERT" ]; then
    if [ "$HAS_CVE_REVERT" == "0" ]; then
        echo "removing CVE revert from start script..."
        sed -i.bck -- s/"$CVE_REVERT_ARG "//g "$HOMEBRIDGE_START"
    else
        echo "inserting CVE revert into start script..."
        sed -i.bck -- s/"\$HB_SERVICE_NODE_EXEC_PATH \$HB_SERVICE_EXEC_PATH"/"\$HB_SERVICE_NODE_EXEC_PATH $CVE_REVERT_ARG \$HB_SERVICE_EXEC_PATH"/g "$HOMEBRIDGE_START"
    fi
fi
If the node binary contains the CVE string, the argument is added to the launch command:
# diff -wu /opt/homebridge/start.sh.bck /opt/homebridge/start.sh
--- /opt/homebridge/start.sh.bck 2024-11-09 13:12:39.180010597 +0000
+++ /opt/homebridge/start.sh 2024-11-09 14:56:03.137404407 +0000
@@ -37,4 +37,4 @@
rm -rf $HB_SERVICE_STORAGE_PATH/node_modules/homebridge-config-ui-x
fi
-exec $HB_SERVICE_NODE_EXEC_PATH $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
+exec $HB_SERVICE_NODE_EXEC_PATH --security-revert=CVE-2023-46809 $HB_SERVICE_EXEC_PATH run -I -U $HB_SERVICE_STORAGE_PATH -P $HB_SERVICE_STORAGE_PATH/node_modules --strict-plugin-resolution "$@"
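Review bot: the `--security-revert=CVE-2023-46809` argument on the changed `exec` line applies to the whole node process started here, so everything loaded from `$HB_SERVICE_STORAGE_PATH/node_modules` runs with the fix reverted, not only the plugin that needs RSA_PKCS1_PADDING. The line carries no explanation of why the flag is there; I would add a comment directly above the `exec` naming the plugin that requires it and stating that the flag should be removed once that plugin no longer depends on RSA_PKCS1_PADDING.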
Thank you for the extensive information. Maybe bropat will be able to incorporate the changes into the plugin soon.