From $URL: The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its Windows counterpart src/win/getaddrinfo.c) truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The advisory has some credible scenarios/exploit cases for Node.js code, Kubernetes request routing, web portals with vanity hostnames, etc. libuv is also used by bind-tools (dig, host, nslookup), so one can imagine scripts that can be tricked with interesting results. libuv 1.48.0 fixes the issue.
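For callers that cannot move to libuv 1.48.0 right away, a pre-lookup check on the untrusted name keeps the string that gets validated identical to the string that gets resolved. This is an added example, not code from the advisory, libuv or this bug; `check_lookup_host`, `looks_like_ipv4_literal` and `MAX_HOST_LEN` are hypothetical names, and the 253-character limit is an assumption taken from the maximum textual DNS name length.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 253 is the longest textual DNS name. It is below the
 * 256-character truncation point, so a name that passes this check
 * reaches the resolver intact. */
#define MAX_HOST_LEN 253

enum host_verdict { HOST_OK, HOST_TOO_LONG, HOST_NUMERIC, HOST_BAD_CHAR };

/* Returns 1 if s has the shape loose IPv4 parsers accept: one to four
 * dot-separated numbers, each decimal, octal (0...) or hex (0x...).
 * Values are not range-checked, so the test errs on the strict side. */
static int looks_like_ipv4_literal(const char *s)
{
    for (int parts = 0; parts < 4; parts++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return 0;
        (void)strtoul(s, &end, 0);   /* base 0: honours 0x and 0 prefixes */
        if (*end == '\0')
            return 1;
        if (*end != '.')
            return 0;
        s = end + 1;
    }
    return 0;
}

/* Hypothetical helper: run on an untrusted DNS name before any
 * allow/deny decision and before the lookup, so both see one string. */
enum host_verdict check_lookup_host(const char *host)
{
    size_t len = strlen(host);

    if (len > MAX_HOST_LEN)
        return HOST_TOO_LONG;        /* would risk truncation downstream */
    if (looks_like_ipv4_literal(host))
        return HOST_NUMERIC;         /* e.g. 0x00007f000001 */
    if (len == 0)
        return HOST_BAD_CHAR;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return HOST_BAD_CHAR;    /* also rejects ':' (IPv6 literals) */
    }
    return HOST_OK;
}
```

IP literals that an application does want to accept should go through a separate, strict parser rather than this DNS-name path.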
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0bae683c34e84f5d252ce86b1fe844bd9445258

commit b0bae683c34e84f5d252ce86b1fe844bd9445258
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-02-09 22:06:06 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2024-02-10 01:02:31 +0000

    dev-libs/libuv: add 1.48.0, update SRC_URI

    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-libs/libuv/Manifest            |  1 +
 dev-libs/libuv/libuv-1.48.0.ebuild | 54 ++++++++++++++++++++++++++++++++++++++
 dev-libs/libuv/libuv-9999.ebuild   |  3 ++-
 3 files changed, 57 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f2af276017530099965ad9a89cdf0341d0246d1

commit 4f2af276017530099965ad9a89cdf0341d0246d1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-04-20 13:29:53 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-04-20 13:30:05 +0000

    dev-libs/libuv: drop 1.47.0-r1

    Bug: https://bugs.gentoo.org/924127
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libuv/Manifest                            |  1 -
 dev-libs/libuv/files/libuv-1.47.0-darwin17.patch   | 26 ----------
 .../libuv/files/libuv-1.47.0-hppa-kernel.patch     | 32 ------------
 dev-libs/libuv/files/libuv-1.47.0-ipv6-tests.patch | 54 --------------------
 dev-libs/libuv/libuv-1.47.0-r1.ebuild              | 59 ----------------------
 5 files changed, 172 deletions(-)
Cleanup done, kde proj out.