This is *mentioned* in a nodejs security release but the vulnerability is in libuv, which has release notes that merely mention: " * unix: don't use _POSIX_PATH_MAX (Ben Noordhuis) "[0] whereas use of those functions in nodejs say: " Vulnerabilities fixed: CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High). CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium). "[1] With respect to nodejs, this bug was reported against libuv as "`uv_fs_realpath` causes `SIGABRT` on darwin when the realpath is really long"[2]. In order to make sure all users of libuv do not suffer the same vulnerability, please consider keeping CVE-2020-8252 separated from the nodejs vulnerability that is to follow this one and will DEPEND on this one. [0] https://github.com/libuv/libuv/releases/tag/v1.39.0 [1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.18.4 [2] https://github.com/libuv/libuv/issues/2965
Thanks. Got to enjoy stuff like this hidden in the notes..
amd64 done
arm stable
arm64 done
x86 stable
hppa/sparc stable
ppc stable
ppc64 stable
s390 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=160764f1cfc225e3435dbd773f4f067413471d80 commit 160764f1cfc225e3435dbd773f4f067413471d80 Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2020-09-23 13:45:43 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2020-09-23 13:46:07 +0000 dev-libs/libuv: Old Package-Manager: Portage-3.0.8, Repoman-3.0.1 Bug: https://bugs.gentoo.org/show_bug.cgi?id=742890 Signed-off-by: Jeroen Roovers <jer@gentoo.org> dev-libs/libuv/Manifest | 4 --- dev-libs/libuv/libuv-1.35.0.ebuild | 47 --------------------------------- dev-libs/libuv/libuv-1.37.0.ebuild | 47 --------------------------------- dev-libs/libuv/libuv-1.38.0-r1.ebuild | 49 ----------------------------------- dev-libs/libuv/libuv-1.38.1.ebuild | 49 ----------------------------------- 5 files changed, 196 deletions(-)
Thanks!
This issue was resolved and addressed in GLSA 202009-15 at https://security.gentoo.org/glsa/202009-15 by GLSA coordinator Sam James (sam_c).