Bug 742890 (CVE-2020-8252)

Summary: <dev-libs/libuv-1.39.0: Possible buffer overruns when processing very long paths in uv_fs_readlink() and uv_fs_realpath() (CVE-2020-8252)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: kde
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libuv/libuv/issues/2965
See Also: https://bugs.gentoo.org/show_bug.cgi?id=742893
Whiteboard: A3 [glsa+ cve]
Package list:
=dev-libs/libuv-1.39.0
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-09-16 07:15:31 UTC
This is *mentioned* in a nodejs security release but the vulnerability is in libuv, which has release notes that merely mention:


"
* unix: don't use _POSIX_PATH_MAX (Ben Noordhuis)
"[0]


whereas use of those functions in nodejs says:


"
Vulnerabilities fixed:

CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
"[1]


With respect to nodejs, this bug was reported against libuv as "`uv_fs_realpath` causes `SIGABRT` on darwin when the realpath is really long"[2].

In order to make sure all users of libuv do not suffer the same vulnerability, please consider keeping CVE-2020-8252 separated from the nodejs vulnerability that is to follow this one and will DEPEND on this one.

[0] https://github.com/libuv/libuv/releases/tag/v1.39.0
[1] https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.18.4
[2] https://github.com/libuv/libuv/issues/2965
Comment 1 Sam James archtester gentoo-dev Security 2020-09-17 05:58:26 UTC
Thanks. Got to enjoy stuff like this hidden in the notes..
Comment 2 Sam James archtester gentoo-dev Security 2020-09-19 20:59:25 UTC
amd64 done
Comment 3 Sam James archtester gentoo-dev Security 2020-09-19 21:40:44 UTC
arm stable
Comment 4 Sam James archtester gentoo-dev Security 2020-09-19 21:45:15 UTC
arm64 done
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-09-20 16:28:54 UTC
x86 stable
Comment 6 Rolf Eike Beer 2020-09-21 18:40:04 UTC
hppa/sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-09-23 10:25:14 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-09-23 10:29:45 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-09-23 10:31:20 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2020-09-23 13:46:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=160764f1cfc225e3435dbd773f4f067413471d80

commit 160764f1cfc225e3435dbd773f4f067413471d80
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-23 13:45:43 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-23 13:46:07 +0000

    dev-libs/libuv: Old
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=742890
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 dev-libs/libuv/Manifest               |  4 ---
 dev-libs/libuv/libuv-1.35.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.37.0.ebuild    | 47 ---------------------------------
 dev-libs/libuv/libuv-1.38.0-r1.ebuild | 49 -----------------------------------
 dev-libs/libuv/libuv-1.38.1.ebuild    | 49 -----------------------------------
 5 files changed, 196 deletions(-)
Comment 11 Sam James archtester gentoo-dev Security 2020-09-23 13:48:59 UTC
Thanks!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-09-29 18:12:55 UTC
This issue was resolved and addressed in GLSA 202009-15 at https://security.gentoo.org/glsa/202009-15 by GLSA coordinator Sam James (sam_c).