| Summary: | libuv new security issue CVE-2021-22918 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=29028 | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libuv-1.40.0-1.mga8.src.rpm | CVE: | CVE-2021-22918 |
| Status comment: | |||
|
Description
David Walser
2021-07-06 16:31:43 CEST
David Walser
2021-07-06 16:32:01 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=29028 Assigning to Stig for this SRPM. Assignee:
bugsquad =>
smelror Ubuntu has issued an advisory for this today (July 7): https://ubuntu.com/security/notices/USN-5007-1 Cauldron updated to 1.41.1 Version:
Cauldron =>
8 Advisory ======== libuv has been updated to fix an OOB in the punycode decoder. References ========== https://ubuntu.com/security/CVE-2021-22918 Files ===== Uploaded to core/updates_testing lib64uv-devel-1.40.0-1.1.mga8 lib64uv1-1.40.0-1.1.mga8 lib64uv-static-devel-1.40.0-1.1.mga8 from libuv-1.40.0-1.1.mga8.src.rpm Source RPM:
libuv-1.41.0-1.mga9.src.rpm =>
libuv-1.40.0-1.mga8.src.rpm mga8, x64 CVE-2021-22918 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921 Out of bounds read in uv__idna_toascii() function affects node.js. https://hackerone.com/reports/1209681 Hackerone provides test materials which may not be usable by QA so we shall skip any attempt to reproduce the issue. Updated the three packages. $ urpmq --whatrequires lib64uv1 cmake cmake-qtgui lib64luv1 lib64radare2_4.5.1 lib64storj0 lib64websockets-devel libstorj neovim perl-UV $ urpmq --requires-recursive nodejs | grep libuv $ This is strange. node.js no longer uses libuv apparently. The tests copied from bug 27403 now bear this out. neovim requires libluv1 which needs libuv1. Had to visit https://neovim.io/doc/user/vim_diff.html#nvim-features to confirm that nvim and neovim are the same. nvim is the command. $ strace -o neovim.trace nvim hello $ grep uv neovim.trace openat(AT_FDCWD, "/lib64/libluv.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3 The editing session worked just like vim - familiar commands and mode changes were unchanged. This all looks OK for mga8. Whiteboard:
(none) =>
MGA8-64-OK Validating. Advisory in Comment 4. CC:
(none) =>
andrewsfarm, sysadmin-bugs type: security
subject: Updated libuv packages fix security vulnerability
CVE:
- CVE-2021-22918
src:
8:
core:
- libuv-1.40.0-1.1.mga8
description: |
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds
read when uv__idna_toascii() is used to convert strings to ASCII. The pointer
p is read and increased without checking whether it is beyond pe, with the
latter holding a pointer to the end of the buffer. This can lead to
information disclosures or crashes. This function can be triggered via
uv_getaddrinfo(). (CVE-2021-22918).
references:
- https://bugs.mageia.org/show_bug.cgi?id=29231
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://www.debian.org/security/2021/dsa-4936
- https://ubuntu.com/security/notices/USN-5007-1CC:
(none) =>
ouaurelien An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0360.html Resolution:
(none) =>
FIXED |