Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 742890 (CVE-2020-8252) - <dev-libs/libuv-1.39.0: Possible buffer overruns when processing very long paths in uv_fs_readlink() and uv_fs_realpath() (CVE-2020-8252)
Summary: <dev-libs/libuv-1.39.0: Possible buffer overruns when processing very long pa...
Status: RESOLVED FIXED
Alias: CVE-2020-8252
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/libuv/libuv/issues...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-16 07:15 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-09-29 18:12 UTC (History)
1 user (show)

See Also:
Package list:
=dev-libs/libuv-1.39.0
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2020-09-16 07:15:31 UTC 
This is *mentioned* in a nodejs security release but the vulnerability is in libuv, which has release notes that merely mention:


"
* unix: don't use _POSIX_PATH_MAX (Ben Noordhuis)
"[0]


whereas use of those functions in nodejs say:


"
Vulnerabilities fixed:

CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
"[1]


With respect to nodejs, this bug was reported against libuv as "`uv_fs_realpath` causes `SIGABRT` on darwin when the realpath is really long"[2].

In order to make sure all users of libuv do not suffer the same vulnerability, 
please consider keeping CVE-2020-8252 separated from the nodejs vulnerability that is to follow this one and will DEPEND on this one.



[0] https://github.com/libuv/libuv/releases/tag/v1.39.0
[1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.18.4
[2] https://github.com/libuv/libuv/issues/2965
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-17 05:58:26 UTC 
Thanks. Got to enjoy stuff like this hidden in the notes..
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 20:59:25 UTC 
amd64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 21:40:44 UTC 
arm stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-19 21:45:15 UTC 
arm64 done
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-20 16:28:54 UTC 
x86 stable
Comment 6 Rolf Eike Beer archtester 2020-09-21 18:40:04 UTC 
hppa/sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-09-23 10:25:14 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-09-23 10:29:45 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-09-23 10:31:20 UTC 
s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2020-09-23 13:46:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=160764f1cfc225e3435dbd773f4f067413471d80

commit 160764f1cfc225e3435dbd773f4f067413471d80
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-23 13:45:43 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-23 13:46:07 +0000

    dev-libs/libuv: Old
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=742890
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 dev-libs/libuv/Manifest               |  4 ---
 dev-libs/libuv/libuv-1.35.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.37.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.38.0-r1.ebuild | 49 -----------------------------------
 dev-libs/libuv/libuv-1.38.1.ebuild    | 49 -----------------------------------
 5 files changed, 196 deletions(-)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 13:48:59 UTC 
Thanks!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-09-29 18:12:55 UTC 
This issue was resolved and addressed in
 GLSA 202009-15 at https://security.gentoo.org/glsa/202009-15
by GLSA coordinator Sam James (sam_c).