| Summary: | <dev-libs/libuv-1.4.2: incorrect revocation order while relinquishing privileges (CVE-2015-0278) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | hasufell, kde |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1194651 | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
there is nothing to bump, this code is already in 1.4.0: https://github.com/libuv/libuv/blob/v1.4.0/src/unix/process.c#L328 just stabilize it WHILE TESTING REVERSE DEPS CVE-2015-0278 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0278): libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors. please finalize this bug, the affected versions are gone Upstream GitHub links confirm this is in 1.10.0 which is the oldest in Portage as well. (In reply to Aaron Bauman from comment #4) > Upstream GitHub links confirm this is in 1.10.0 which is the oldest in > Portage as well. 1.10.0 is the newest in the gentoo tree, not the oldest. But the version reference in CVE is for nodejs, not libuv, which has fix in 1.4.0 as described in comment 1. This issue was resolved and addressed in GLSA 201611-10 at https://security.gentoo.org/glsa/201611-10 by GLSA coordinator Aaron Bauman (b-man). |
From ${URL} : It was found [1] that libuv does not call setgoups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges. Upstream fix for 0.10: https://github.com/libuv/libuv/pull/215 [1]: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.