| Summary: | libuv new security issue CVE-2020-8252 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, ouaurelien, shlomif, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libuv-1.34.2-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2020-10-13 18:16:13 CEST

Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GRACEATF77QULUT3WY4JG54X5ZI4OUWO/

Hi, thanks for reporting this bug.
Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged

Patched package uploaded by Shlomi for Mageia 7.

Advisory:
========================

Updated libuv packages fix security vulnerability:

The implementation of realpath in libuv before 1.39 incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes (CVE-2020-8252).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://ubuntu.com/security/notices/USN-4548-1
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.1.mga7
libuv-devel-1.34.2-1.1.mga7
libuv-static-devel-1.34.2-1.1.mga7

from libuv-1.34.2-1.1.mga7.src.rpm

CC: (none) => shlomif

mga7, x86_64

CVE-2020-8252
https://hackerone.com/reports/965914

PoC before updating:

$ LONG_PATH='/tmp/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/path/254B'
$ SHORT_LINK='/tmp/short'
$ mkdir -p "${LONG_PATH}"
$ ln -s "${LONG_PATH}" "${SHORT_LINK}"
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
bash: node: command not found
<Installed nodejs at this point>
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
throw err;
^
Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
at Function.realpathSync.native (fs.js:1521:3)
at [eval]:1:17
at Script.runInThisContext (vm.js:122:20)
at Object.runInThisContext (vm.js:329:38)
at Object.<anonymous> ([eval]-wrapper:6:22)
at Module._compile (internal/modules/cjs/loader.js:778:30)

Carrying on with this tomorrow.

CC: (none) => tarazed25

Updated the packages.
Removed /tmp/long and unlinked the now invalid short link /tmp/short@.
Repeated the PoC which produced a slightly different result.
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
throw err;
^
Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
at Function.realpathSync.native (fs.js:1521:3)
at [eval]:1:17
at Script.runInThisContext (vm.js:122:20)
at Object.runInThisContext (vm.js:329:38)
at Object.<anonymous> ([eval]-wrapper:6:22)
at Module._compile (internal/modules/cjs/loader.js:778:30)
at evalScript (internal/bootstrap/node.js:590:27)
at startup (internal/bootstrap/node.js:265:9)
at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)
This appears to be a tidy exit but the result needs to be judged by an expert.
There is further testing discussion at https://github.com/bazelbuild/rules_nodejs/issues/1958. Context is Darwin/MacOS. Comments indicated that the relevant test was terminated by the OS, bypassing a stack dump. Might be the same for Linux.
Using node.js to test libuv.
Started a server at localhost:8081.
$ strace -o node.trace node main.js
Server running at http://127.0.0.1:8081/
That shows "Hello World" in a browser.
$ cat demo.js
console.log( "Testing libuv via node.js" )
console.log( "Hopefully...." )
Ran node in another terminal:
$ node demo.js
Testing libuv via node.js
Hopefully....
$ killall node
which terminated the server.
$ grep uv node.trace
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3
Good enough but leaving the OK in case of comments regarding the PoC test.
Realized afterwards that the cli does not need a server so ran strace on the demo script.

$ grep libuv standalone
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3
read(20, "console.log( \"Testing libuv via "..., 74) = 74
write(17, "Testing libuv via node.js\n", 26) = 26

This should probably be pushed.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 3.

Keywords: Triaged => validated_update

Advisory pushed to SVN.

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0398.html

Resolution: (none) => FIXED