| Summary: | <dev-libs/libuv-1.41.1, <net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:0/16): out of bounds read | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Marek Szuba <marecki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | ajak, jsmolic, sam, williamh |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=797514, https://github.com/gentoo/gentoo/pull/21565 | | |
| Whiteboard: | B4 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
Description
Marek Szuba
2021-07-07 09:16:37 UTC
Unable to check for sanity:
> no match for package: =net-libs/nodejs-14.17.3
All sanity-check issues have been resolved

[ebuild/upstream] while fixed libuv isn't in tree yet

Thanks for reporting!

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf461cda5a5fce4452786006677af74194a8f66

commit cbf461cda5a5fce4452786006677af74194a8f66
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-07-08 08:30:02 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-08 09:40:13 +0000

    dev-libs/libuv: Bump to 1.41.1

    Bug: https://bugs.gentoo.org/800986
    Closes: https://github.com/gentoo/gentoo/pull/21565
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.41.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

dev-libs/libuv updated, thanks Jakov. Arches, please stabilise.

Tweaking the package list a bit to avoid confusion, since dev-libs/libuv is stable on more arches than net-libs/nodejs. Probably wouldn't matter given the latter isn't keyworded on hppa, ppc or sparc at all - but just in case.

Unable to check for sanity:
> no match for package: =net-libs/nodejs-12.22.2
All sanity-check issues have been resolved

arm done

amd64 stable

arm64 done

ppc64 stable

Unable to check for sanity:
> dependent bug #805053 has errors
All sanity-check issues have been resolved

Looking good on ppc.

# cat libuv-800986.report
USE tests started on So 15. Aug 23:57:30 CEST 2021
FEATURES=' test' USE='' succeeded for =dev-libs/libuv-1.41.1
USE='' succeeded for =dev-libs/libuv-1.41.1
revdep tests started on Mo 16. Aug 00:03:20 CEST 2021
FEATURES=' test' USE='' succeeded for net-dns/bind
FEATURES=' test' USE='' succeeded for dev-util/cmake
FEATURES=' test' USE='' succeeded for net-dns/bind-tools
FEATURES=' test' USE='' succeeded for dev-python/gevent
FEATURES=' test' USE='libuv' succeeded for net-libs/libwebsockets

ppc stable

sparc stable

x86 done

hppa done

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bad4af375b4f4d9e4415a6093eff4cb99bbadb99

commit bad4af375b4f4d9e4415a6093eff4cb99bbadb99
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-08-19 12:08:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-08-19 12:08:56 +0000

    dev-libs/libuv: Cleanup vulnerable 1.41.0

    Bug: https://bugs.gentoo.org/800986
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest            |  1 -
 dev-libs/libuv/libuv-1.41.0.ebuild | 58 --------------------------------------
 2 files changed, 59 deletions(-)

Cleanup done, kde out.

Please cleanup.

ahem.

(In reply to Andreas Sturmlechner from comment #21)
> Cleanup done, kde out.

Unable to check for sanity:
> no match for package: =dev-libs/libuv-1.41.1
Resetting sanity check; package list is empty or all packages are done.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=f4efe2da5c43eeadc34aa6a2041c2fa963e1d7a6

commit f4efe2da5c43eeadc34aa6a2041c2fa963e1d7a6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-16 12:19:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-16 12:19:45 +0000

    [ GLSA 202401-23 ] libuv: Buffer Overread

    Bug: https://bugs.gentoo.org/800986
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
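The summary field of this bug encodes the affected ranges in Gentoo's security-bug notation: `<dev-libs/libuv-1.41.1` means every libuv below 1.41.1 is affected, and `<net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:0/16)` lists one fixed version per SLOT/subslot, so an installed nodejs is only compared against the entry for its own slot. The checker below is an added example, not code from this bug, from NATTkA or from Portage: it parses that summary into per-slot fixed versions, orders versions with a simplified form of the PMS rules (numeric components, optional letter, `_alpha/_beta/_pre/_rc/_p` suffixes, `-rN` revision), and reports which of a set of installed packages still fall in the vulnerable range. The installed-package triples are constructed sample data in the shape of `qlist -Iv` output plus a slot, not taken from any real system; the parser also accepts the `)` that closes the brace group in this bug's summary.

```python
"""Check installed Gentoo packages against the "<" atoms of a security bug
summary. Added example; not part of bug 800986 or of any Gentoo tool."""
import re

# Summary text copied from the bug header; the brace group is closed by ")".
SUMMARY = ("<dev-libs/libuv-1.41.1, "
           "<net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:0/16): "
           "out of bounds read")

# "<cat/pkg-1.2.3" or "<cat/pkg-{1.2.3:slot, 4.5.6:slot}".  PMS forbids a
# package name ending in "-<digit>", so the lazy name match stops correctly
# at the hyphen that precedes the version or brace group.
ATOM_RE = re.compile(r"<([\w+-]+/[\w+-]+?)-(\{[^})]*[})]|\d[^,\s:]*)")

VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?")
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def version_key(ver):
    """Sort key implementing a simplified PMS version ordering:
    1.0_alpha1 < 1.0_rc1 < 1.0 < 1.0_p1 < 1.0-r1 < 1.0a < 1.0.1."""
    m = VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    nums, letter, suffix, sufnum, rev = m.groups()
    return (tuple(int(x) for x in nums.split(".")),
            letter,
            _SUFFIX_RANK[suffix or ""],
            int(sufnum or 0),
            int(rev or 0))


def parse_summary(summary):
    """Return {"cat/pkg": {slot_or_None: first_fixed_version}}.
    A bare version (no braces) applies to every slot and is stored under None."""
    affected = {}
    for m in ATOM_RE.finditer(summary):
        pkg, spec = m.group(1), m.group(2)
        entries = spec[1:-1].split(",") if spec[0] == "{" else [spec]
        per_slot = {}
        for entry in entries:
            ver, _, slot = entry.strip().partition(":")
            per_slot[slot or None] = ver
        affected[pkg] = per_slot
    return affected


def check_installed(installed, affected):
    """installed: iterable of (cat/pkg, version, slot) triples.
    Returns [(cat/pkg-version, fixed_version)] for installs still in range.
    A slot the bug does not list is out of scope and is not reported."""
    vulnerable = []
    for pkg, ver, slot in installed:
        per_slot = affected.get(pkg)
        if per_slot is None:
            continue
        fixed = per_slot.get(slot, per_slot.get(None))
        if fixed is None:
            continue
        if version_key(ver) < version_key(fixed):
            vulnerable.append((f"{pkg}-{ver}", fixed))
    return vulnerable


# Constructed sample in the shape of `qlist -Iv` output plus SLOT/subslot;
# not taken from a real system.
SAMPLE_INSTALLED = [
    ("dev-libs/libuv", "1.41.0", "0/1"),
    ("net-libs/nodejs", "14.17.0", "0/14"),
    ("net-libs/nodejs", "16.4.1", "0/16"),
    ("net-libs/nodejs", "12.22.2-r1", "0/12"),
    ("dev-util/cmake", "3.20.5", "0"),
]


def report(installed=SAMPLE_INSTALLED, summary=SUMMARY):
    """Print one line per affected install and return the findings."""
    findings = check_installed(installed, parse_summary(summary))
    for atom, fixed in findings:
        print(f"VULNERABLE {atom}: upgrade to >= {fixed}")
    if not findings:
        print("no installed package in the affected ranges")
    return findings


if __name__ == "__main__":
    report()
```

On a real system the triples would come from `qlist -Iv` (app-portage/portage-utils) joined with each package's SLOT; the ordering here covers the version shapes used in this bug and common suffixes, but it is not a full PMS implementation, so for anything exotic defer to Portage's own comparison.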