Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924127 (CVE-2024-24806) - <dev-libs/libuv-1.48.0: hostname truncation in getaddrinfo allows attacker-controlled lookup results
Summary: <dev-libs/libuv-1.48.0: hostname truncation in getaddrinfo allows attacker-co...
Status: IN_PROGRESS
Alias: CVE-2024-24806
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/libuv/libuv/securi...
Whiteboard: A3 [glsa? cleanup]
Keywords: PullRequest
Depends on: 924653 924891
Blocks:
  Show dependency tree
 
Reported: 2024-02-08 22:30 UTC by Hank Leininger
Modified: 2024-04-20 13:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2024-02-08 22:30:48 UTC
From $URL:

  The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its windows 
  counterpart src/win/getaddrinfo.c), truncates hostnames to 256 characters 
  before calling getaddrinfo. This behavior can be exploited to create addresses 
  like 0x00007f000001, which are considered valid by getaddrinfo and could allow 
  an attacker to craft payloads that resolve to unintended IP addresses, 
  bypassing developer checks.

The advisory has some credible scenarios/exploit cases for nodejs code, kubernetes request routing, web portals with vanity hostnames, etc. libuv is also used by bind-tools (dig, host, nslookup) so one can imagine scripts that can be tricked with interesting results.

libuv 1.48.0 fixes the issue.
Comment 1 Larry the Git Cow gentoo-dev 2024-02-10 01:06:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0bae683c34e84f5d252ce86b1fe844bd9445258

commit b0bae683c34e84f5d252ce86b1fe844bd9445258
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-02-09 22:06:06 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2024-02-10 01:02:31 +0000

    dev-libs/libuv: add 1.48.0, update SRC_URI
    
    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.48.0.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 dev-libs/libuv/libuv-9999.ebuild   |  3 ++-
 3 files changed, 57 insertions(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-04-20 13:30:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f2af276017530099965ad9a89cdf0341d0246d1

commit 4f2af276017530099965ad9a89cdf0341d0246d1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-20 13:29:53 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-20 13:30:05 +0000

    dev-libs/libuv: drop 1.47.0-r1
    
    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest                            |  1 -
 dev-libs/libuv/files/libuv-1.47.0-darwin17.patch   | 26 ----------
 .../libuv/files/libuv-1.47.0-hppa-kernel.patch     | 32 ------------
 dev-libs/libuv/files/libuv-1.47.0-ipv6-tests.patch | 54 --------------------
 dev-libs/libuv/libuv-1.47.0-r1.ebuild              | 59 ----------------------
 5 files changed, 172 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2024-04-20 13:31:02 UTC
Cleanup done, kde proj out.