Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 800986 (CVE-2021-22918) - <dev-libs/libuv-1.41.1, <net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:0/16): out of bounds read
Summary: <dev-libs/libuv-1.41.1, <net-libs/nodejs-{12.22.2:0/12, 14.17.2:0/14, 16.4.1:...
Status: IN_PROGRESS
Alias: CVE-2021-22918
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-07 09:16 UTC by Marek Szuba
Modified: 2021-10-18 07:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marek Szuba archtester gentoo-dev 2021-07-07 09:16:37 UTC
net-libs/nodejs: in theory we should always link against dev-libs/libuv rather than the bundled version, that said we've had cases of other bundled deps ninja-linking against bundled libuv so let's include this package just in case. Upstream has released new versions and they are in the tree.

dev-libs/libuv: upstream has NOT made a new release yet so it looks like we'll have to fix it ourselves for now the same way Node did, see https://github.com/nodejs/node/commit/a7496aba0a .
Comment 1 NATTkA bot gentoo-dev 2021-07-07 09:20:21 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-07 09:24:22 UTC Comment hidden (obsolete)
Comment 3 John Helmert III gentoo-dev Security 2021-07-08 00:41:17 UTC
[ebuild/upstream] while fixed libuv isn't in tree yet

Thanks for reporting!
Comment 4 Larry the Git Cow gentoo-dev 2021-07-08 09:40:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf461cda5a5fce4452786006677af74194a8f66

commit cbf461cda5a5fce4452786006677af74194a8f66
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-07-08 08:30:02 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-07-08 09:40:13 +0000

    dev-libs/libuv: Bump to 1.41.1
    
    Bug: https://bugs.gentoo.org/800986
    Closes: https://github.com/gentoo/gentoo/pull/21565
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.41.1.ebuild | 58 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
Comment 5 Marek Szuba archtester gentoo-dev 2021-07-08 09:41:57 UTC
dev-libs/libuv updated, thanks Jakov. Arches, please stabilise.
Comment 6 Marek Szuba archtester gentoo-dev 2021-07-08 09:49:07 UTC
Tweaking the package list a bit to avoid confusion, since dev-libs/libuv is stable on more arches than net-libs/nodejs. Probably wouldn't matter given the latter isn't keyworded on hppa, ppc or sparc at all - but just in case.
Comment 7 NATTkA bot gentoo-dev 2021-07-16 14:04:23 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-16 14:08:24 UTC Comment hidden (obsolete)
Comment 9 Sam James archtester gentoo-dev Security 2021-07-17 04:59:27 UTC
arm done
Comment 10 Agostino Sarubbo gentoo-dev 2021-07-24 07:57:27 UTC
amd64 stable
Comment 11 Sam James archtester gentoo-dev Security 2021-07-30 23:51:12 UTC
arm64 done
Comment 12 Agostino Sarubbo gentoo-dev 2021-07-31 13:05:05 UTC
ppc64 stable
Comment 13 NATTkA bot gentoo-dev 2021-08-13 17:40:30 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-08-13 23:20:36 UTC Comment hidden (obsolete)
Comment 15 ernsteiswuerfel archtester 2021-08-15 22:32:04 UTC
Looking good on ppc.

 # cat libuv-800986.report 
USE tests started on So 15. Aug 23:57:30 CEST 2021

FEATURES=' test' USE='' succeeded for =dev-libs/libuv-1.41.1
USE='' succeeded for =dev-libs/libuv-1.41.1

revdep tests started on Mo 16. Aug 00:03:20 CEST 2021

FEATURES=' test' USE='' succeeded for net-dns/bind
FEATURES=' test' USE='' succeeded for dev-util/cmake
FEATURES=' test' USE='' succeeded for net-dns/bind-tools
FEATURES=' test' USE='' succeeded for dev-python/gevent
FEATURES=' test' USE='libuv' succeeded for net-libs/libwebsockets
Comment 16 Agostino Sarubbo gentoo-dev 2021-08-16 05:16:42 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2021-08-17 05:37:48 UTC
sparc stable
Comment 18 Sam James archtester gentoo-dev Security 2021-08-19 01:07:34 UTC
x86 done
Comment 19 Rolf Eike Beer archtester 2021-08-19 11:36:28 UTC
hppa done
Comment 20 Larry the Git Cow gentoo-dev 2021-08-19 12:09:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bad4af375b4f4d9e4415a6093eff4cb99bbadb99

commit bad4af375b4f4d9e4415a6093eff4cb99bbadb99
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-08-19 12:08:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-08-19 12:08:56 +0000

    dev-libs/libuv: Cleanup vulnerable 1.41.0
    
    Bug: https://bugs.gentoo.org/800986
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest            |  1 -
 dev-libs/libuv/libuv-1.41.0.ebuild | 58 --------------------------------------
 2 files changed, 59 deletions(-)
Comment 21 Andreas Sturmlechner gentoo-dev 2021-08-19 13:42:05 UTC
Cleanup done, kde out.
Comment 22 John Helmert III gentoo-dev Security 2021-08-19 17:48:47 UTC
Please cleanup.
Comment 23 Andreas Sturmlechner gentoo-dev 2021-08-21 13:28:32 UTC
ahem.

(In reply to Andreas Sturmlechner from comment #21)
> Cleanup done, kde out.
Comment 24 NATTkA bot gentoo-dev 2021-10-18 07:36:39 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-10-18 07:40:45 UTC
Resetting sanity check; package list is empty or all packages are done.