Bug 742890 (CVE-2020-8252)

Summary:	<dev-libs/libuv-1.39.0: Possible buffer overruns when processing very long paths in uv_fs_readlink() and uv_fs_realpath() (CVE-2020-8252)
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	kde
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/libuv/libuv/issues/2965
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=742893
Whiteboard:	A3 [glsa+ cve]
Package list:	=dev-libs/libuv-1.39.0	Runtime testing required:	---

Description Jeroen Roovers (RETIRED) gentoo-dev

2020-09-16 07:15:31 UTC

This is *mentioned* in a nodejs security release but the vulnerability is in libuv, which has release notes that merely mention:


"
* unix: don't use _POSIX_PATH_MAX (Ben Noordhuis)
"[0]


whereas use of those functions in nodejs say:


"
Vulnerabilities fixed:

CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
"[1]


With respect to nodejs, this bug was reported against libuv as "`uv_fs_realpath` causes `SIGABRT` on darwin when the realpath is really long"[2].

In order to make sure all users of libuv do not suffer the same vulnerability, 
please consider keeping CVE-2020-8252 separated from the nodejs vulnerability that is to follow this one and will DEPEND on this one.



[0] https://github.com/libuv/libuv/releases/tag/v1.39.0
[1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.18.4
[2] https://github.com/libuv/libuv/issues/2965

Comment 1 Sam James archtester

2020-09-17 05:58:26 UTC

Thanks. Got to enjoy stuff like this hidden in the notes..

Comment 2 Sam James archtester

2020-09-19 20:59:25 UTC

amd64 done

Comment 3 Sam James archtester

2020-09-19 21:40:44 UTC

arm stable

Comment 4 Sam James archtester

2020-09-19 21:45:15 UTC

arm64 done

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-09-20 16:28:54 UTC

x86 stable

Comment 6 Rolf Eike Beer archtester

2020-09-21 18:40:04 UTC

hppa/sparc stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-09-23 10:25:14 UTC

ppc stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-09-23 10:29:45 UTC

ppc64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-09-23 10:31:20 UTC

s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 10 Larry the Git Cow gentoo-dev

2020-09-23 13:46:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=160764f1cfc225e3435dbd773f4f067413471d80

commit 160764f1cfc225e3435dbd773f4f067413471d80
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-23 13:45:43 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-23 13:46:07 +0000

    dev-libs/libuv: Old
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=742890
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 dev-libs/libuv/Manifest               |  4 ---
 dev-libs/libuv/libuv-1.35.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.37.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.38.0-r1.ebuild | 49 -----------------------------------
 dev-libs/libuv/libuv-1.38.1.ebuild    | 49 -----------------------------------
 5 files changed, 196 deletions(-)

Comment 11 Sam James archtester

2020-09-23 13:48:59 UTC

Thanks!

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2020-09-29 18:12:55 UTC

This issue was resolved and addressed in
 GLSA 202009-15 at https://security.gentoo.org/glsa/202009-15
by GLSA coordinator Sam James (sam_c).