Bug 924127 (CVE-2024-24806) - <dev-libs/libuv-1.48.0: hostname truncation in getaddrinfo allows attacker-controlled lookup results
Status: IN_PROGRESS
Alias: CVE-2024-24806
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/libuv/libuv/securi...
Whiteboard: A3 [glsa?]
Keywords: PullRequest
Depends on: 924653 924891
Reported: 2024-02-08 22:30 UTC by Hank Leininger
Modified: 2024-05-09 05:01 UTC (History)
Description Hank Leininger 2024-02-08 22:30:48 UTC
From $URL:

  The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its windows 
  counterpart src/win/getaddrinfo.c), truncates hostnames to 256 characters 
  before calling getaddrinfo. This behavior can be exploited to create addresses 
  like 0x00007f000001, which are considered valid by getaddrinfo and could allow 
  an attacker to craft payloads that resolve to unintended IP addresses, 
  bypassing developer checks.

The advisory has some credible scenarios/exploit cases for nodejs code, kubernetes request routing, web portals with vanity hostnames, etc. libuv is also used by bind-tools (dig, host, nslookup) so one can imagine scripts that can be tricked with interesting results.

libuv 1.48.0 fixes the issue.
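
A caller-side guard for the mismatch the description outlines (the string a developer validates is not the string that gets resolved), as an added example that is not part of the bug report or of libuv. `check_lookup_host` and its verdict names are hypothetical, and the guard assumes a code path that expects DNS names only, so numeric literals are refused as well.

```c
#include <ctype.h>
#include <string.h>

#define RESOLVER_BUF  256  /* truncation point named in the advisory text */
#define DNS_NAME_MAX  253  /* longest DNS name in text form */
#define DNS_LABEL_MAX 63   /* longest single label */

enum host_verdict { HOST_OK, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_LABEL,
                    HOST_BAD_CHAR, HOST_NUMERIC };

/* Hypothetical caller-side guard (not a libuv API). HOST_OK means the name
 * is short enough to reach the resolver uncut and its last label cannot be
 * read as a number (decimal or 0x hex), so it is looked up as a name. */
enum host_verdict check_lookup_host(const char *host)
{
    size_t len = strlen(host), label = 0, last = 0, digits = 0, hex = 0, i, n;

    if (len == 0)
        return HOST_EMPTY;
    if (len >= RESOLVER_BUF || len > DNS_NAME_MAX)
        return HOST_TOO_LONG;               /* would be cut, or not a DNS name */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0)
                return HOST_BAD_LABEL;      /* ".a" or "a..b" */
            label = 0;
            last = i + 1;                   /* start of the next label */
        } else if (isalnum(c) || c == '-' || c == '_') {
            if (++label > DNS_LABEL_MAX)
                return HOST_BAD_LABEL;
        } else {
            return HOST_BAD_CHAR;
        }
    }
    if (label == 0)
        return HOST_BAD_LABEL;              /* trailing dot rejected (strict) */
    n = len - last;                         /* length of the last label */
    for (i = last; i < len; i++) {
        digits += isdigit((unsigned char)host[i]) != 0;
        hex += isxdigit((unsigned char)host[i]) != 0;
    }
    if (digits == n)
        return HOST_NUMERIC;                /* e.g. "127.0.0.1" */
    if (host[last] == '0' && (host[last + 1] | 0x20) == 'x' && hex == n - 1)
        return HOST_NUMERIC;                /* 0x... form from the advisory */
    return HOST_OK;
}
```

Run the guard on the exact string that is handed to the resolver, after any decoding or normalisation, so that the checked value and the looked-up value cannot diverge.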
Comment 1 Larry the Git Cow gentoo-dev 2024-02-10 01:06:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0bae683c34e84f5d252ce86b1fe844bd9445258

commit b0bae683c34e84f5d252ce86b1fe844bd9445258
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-02-09 22:06:06 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2024-02-10 01:02:31 +0000

    dev-libs/libuv: add 1.48.0, update SRC_URI
    
    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.48.0.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 dev-libs/libuv/libuv-9999.ebuild   |  3 ++-
 3 files changed, 57 insertions(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-04-20 13:30:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f2af276017530099965ad9a89cdf0341d0246d1

commit 4f2af276017530099965ad9a89cdf0341d0246d1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-20 13:29:53 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-20 13:30:05 +0000

    dev-libs/libuv: drop 1.47.0-r1
    
    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest                            |  1 -
 dev-libs/libuv/files/libuv-1.47.0-darwin17.patch   | 26 ----------
 .../libuv/files/libuv-1.47.0-hppa-kernel.patch     | 32 ------------
 dev-libs/libuv/files/libuv-1.47.0-ipv6-tests.patch | 54 --------------------
 dev-libs/libuv/libuv-1.47.0-r1.ebuild              | 59 ----------------------
 5 files changed, 172 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-04-20 13:31:02 UTC
Cleanup done, kde proj out.