Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 800986 (CVE-2021-22918)

Summary: <dev-libs/libuv-1.41.1, <net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:0/16): out of bounds read
Product: Gentoo Security Reporter: Marek Szuba <marecki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, jsmolic, sam, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=797514
https://github.com/gentoo/gentoo/pull/21565
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description Marek Szuba archtester gentoo-dev 2021-07-07 09:16:37 UTC
net-libs/nodejs: in theory we should always link against dev-libs/libuv rather than the bundled version, that said we've had cases of other bundled deps ninja-linking against bundled libuv so let's include this package just in case. Upstream has released new versions and they are in the tree.

dev-libs/libuv: upstream has NOT made a new release yet so it looks like we'll have to fix it ourselves for now the same way Node did, see https://github.com/nodejs/node/commit/a7496aba0a .
Comment 1 NATTkA bot gentoo-dev 2021-07-07 09:20:21 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-07 09:24:22 UTC Comment hidden (obsolete)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-08 00:41:17 UTC
[ebuild/upstream] while fixed libuv isn't in tree yet

Thanks for reporting!
Comment 4 Larry the Git Cow gentoo-dev 2021-07-08 09:40:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf461cda5a5fce4452786006677af74194a8f66

commit cbf461cda5a5fce4452786006677af74194a8f66
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-07-08 08:30:02 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-08 09:40:13 +0000

    dev-libs/libuv: Bump to 1.41.1
    
    Bug: https://bugs.gentoo.org/800986
    Closes: https://github.com/gentoo/gentoo/pull/21565
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.41.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 5 Marek Szuba archtester gentoo-dev 2021-07-08 09:41:57 UTC
dev-libs/libuv updated, thanks Jakov. Arches, please stabilise.
Comment 6 Marek Szuba archtester gentoo-dev 2021-07-08 09:49:07 UTC
Tweaking the package list a bit to avoid confusion, since dev-libs/libuv is stable on more arches than net-libs/nodejs. Probably wouldn't matter given the latter isn't keyworded on hppa, ppc or sparc at all - but just in case.
Comment 7 NATTkA bot gentoo-dev 2021-07-16 14:04:23 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-16 14:08:24 UTC Comment hidden (obsolete)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 04:59:27 UTC
arm done
Comment 10 Agostino Sarubbo gentoo-dev 2021-07-24 07:57:27 UTC
amd64 stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-30 23:51:12 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-07-31 13:05:05 UTC
ppc64 stable
Comment 13 NATTkA bot gentoo-dev 2021-08-13 17:40:30 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-08-13 23:20:36 UTC Comment hidden (obsolete)
Comment 15 ernsteiswuerfel archtester 2021-08-15 22:32:04 UTC
Looking good on ppc.

 # cat libuv-800986.report 
USE tests started on So 15. Aug 23:57:30 CEST 2021

FEATURES=' test' USE='' succeeded for =dev-libs/libuv-1.41.1
USE='' succeeded for =dev-libs/libuv-1.41.1

revdep tests started on Mo 16. Aug 00:03:20 CEST 2021

FEATURES=' test' USE='' succeeded for net-dns/bind
FEATURES=' test' USE='' succeeded for dev-util/cmake
FEATURES=' test' USE='' succeeded for net-dns/bind-tools
FEATURES=' test' USE='' succeeded for dev-python/gevent
FEATURES=' test' USE='libuv' succeeded for net-libs/libwebsockets
Comment 16 Agostino Sarubbo gentoo-dev 2021-08-16 05:16:42 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2021-08-17 05:37:48 UTC
sparc stable
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 01:07:34 UTC
x86 done
Comment 19 Rolf Eike Beer archtester 2021-08-19 11:36:28 UTC
hppa done
Comment 20 Larry the Git Cow gentoo-dev 2021-08-19 12:09:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bad4af375b4f4d9e4415a6093eff4cb99bbadb99

commit bad4af375b4f4d9e4415a6093eff4cb99bbadb99
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-08-19 12:08:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-08-19 12:08:56 +0000

    dev-libs/libuv: Cleanup vulnerable 1.41.0
    
    Bug: https://bugs.gentoo.org/800986
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest            |  1 -
 dev-libs/libuv/libuv-1.41.0.ebuild | 58 --------------------------------------
 2 files changed, 59 deletions(-)
Comment 21 Andreas Sturmlechner gentoo-dev 2021-08-19 13:42:05 UTC
Cleanup done, kde out.
Comment 22 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 17:48:47 UTC
Please cleanup.
Comment 23 Andreas Sturmlechner gentoo-dev 2021-08-21 13:28:32 UTC
ahem.

(In reply to Andreas Sturmlechner from comment #21)
> Cleanup done, kde out.
Comment 24 NATTkA bot gentoo-dev 2021-10-18 07:36:39 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-10-18 07:40:45 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 26 Larry the Git Cow gentoo-dev 2024-01-16 12:19:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f4efe2da5c43eeadc34aa6a2041c2fa963e1d7a6

commit f4efe2da5c43eeadc34aa6a2041c2fa963e1d7a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-16 12:19:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-16 12:19:45 +0000

    [ GLSA 202401-23 ] libuv: Buffer Overread
    
    Bug: https://bugs.gentoo.org/800986
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)