Summary: | <dev-libs/libuv-1.4.2: incorrect revocation order while relinquishing privileges (CVE-2015-0278) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hasufell, kde |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1194651 | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-02-20 17:11:19 UTC

there is nothing to bump, this code is already in 1.4.0: https://github.com/libuv/libuv/blob/v1.4.0/src/unix/process.c#L328

just stabilize it WHILE TESTING REVERSE DEPS

CVE-2015-0278 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0278): libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.

please finalize this bug, the affected versions are gone

Upstream GitHub links confirm this is in 1.10.0 which is the oldest in Portage as well.

(In reply to Aaron Bauman from comment #4)
> Upstream GitHub links confirm this is in 1.10.0 which is the oldest in
> Portage as well.

1.10.0 is the newest in the Gentoo tree, not the oldest. But the version reference in the CVE is for nodejs, not libuv, which has the fix in 1.4.0 as described in comment 1.

This issue was resolved and addressed in GLSA 201611-10 at https://security.gentoo.org/glsa/201611-10 by GLSA coordinator Aaron Bauman (b-man).
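The bug summary ("incorrect revocation order while relinquishing privileges") refers to the classic ordering mistake behind this class of CVE: if a process calls setuid() before setgid()/setgroups(), then by the time it tries to change its group identity the effective uid is already unprivileged, those calls fail with EPERM, and a caller that does not check their return values keeps the original (typically root) group privileges. The C below is an added illustration written for this page, not code from libuv or from the bug thread; the function names, the return codes and the command-line handling are my own, and it assumes a Linux/glibc environment.

```c
/* Added example for this page (not libuv code): the privilege-drop ordering
 * behind CVE-2015-0278. Assumes Linux/glibc; all names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_ERR_GROUPS,   /* setgroups() failed */
    DROP_ERR_GID,      /* setgid() failed */
    DROP_ERR_UID,      /* setuid() failed */
    DROP_ERR_VERIFY    /* ids are not what we asked for, or the drop is reversible */
};

/* The vulnerable order: uid is given up first. Once the effective uid is
 * unprivileged, setgroups() and setgid() fail with EPERM, so a caller that
 * ignores their return values keeps the original (e.g. root) group identity.
 * Kept only for comparison; never use this order. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid) {
    if (setuid(uid) == -1) return DROP_ERR_UID;
    if (setgroups(1, &gid) == -1) return DROP_ERR_GROUPS;  /* EPERM once euid != 0 */
    if (setgid(gid) == -1) return DROP_ERR_GID;            /* EPERM once euid != 0 */
    return DROP_OK;
}

/* Correct order: supplementary groups, then gid, then uid, every call
 * checked, and the result verified before reporting success. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* setgroups() needs CAP_SETGID; an unprivileged process cannot change
     * its supplementary groups at all, so only attempt it while privileged. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1) return DROP_ERR_GROUPS;
    if (setgid(gid) == -1) return DROP_ERR_GID;
    if (setuid(uid) == -1) return DROP_ERR_UID;

    /* If we gave up root, regaining it must now be impossible: setuid()/setgid()
     * called with euid 0 change the real, effective and saved ids together. */
    if (uid != 0 && setuid(0) != -1) return DROP_ERR_VERIFY;
    if (gid != 0 && setgid(0) != -1) return DROP_ERR_VERIFY;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return DROP_ERR_VERIFY;
    return DROP_OK;
}

/* Usage: ./drop_privs [uid gid]; with no arguments it "drops" to the
 * current ids, which is a harmless self-test for an unprivileged user. */
int main(int argc, char **argv) {
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    int rc = drop_privileges(uid, gid);
    if (rc != DROP_OK) {
        fprintf(stderr, "privilege drop failed (status %d): %s\n", rc, strerror(errno));
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

To see the difference the order makes, run the program as root with an unprivileged uid/gid pair (for example the ids of `nobody`): drop_privileges() succeeds and the printed ids match the request, while swapping in drop_privileges_wrong_order() returns DROP_ERR_GROUPS with errno EPERM because the group calls are attempted after the uid is already gone. The verification step at the end is the check a reviewer would want: it catches both a partially applied drop and a drop that can be undone.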
there is nothing to bump, this code is already in 1.4.0: https://github.com/libuv/libuv/blob/v1.4.0/src/unix/process.c#L328 just stabilize it WHILE TESTING REVERSE DEPS CVE-2015-0278 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0278): libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors. please finalize this bug, the affected versions are gone Upstream GitHub links confirm this is in 1.10.0 which is the oldest in Portage as well. (In reply to Aaron Bauman from comment #4) > Upstream GitHub links confirm this is in 1.10.0 which is the oldest in > Portage as well. 1.10.0 is the newest in the gentoo tree, not the oldest. But the version reference in CVE is for nodejs, not libuv, which has fix in 1.4.0 as described in comment 1. This issue was resolved and addressed in GLSA 201611-10 at https://security.gentoo.org/glsa/201611-10 by GLSA coordinator Aaron Bauman (b-man). |