Ubuntu has issued an advisory on September 28: https://ubuntu.com/security/notices/USN-4548-1 The issue is fixed upstream in 1.39. Ubuntu patched the same version we have.
Fedora has issued an advisory for this on October 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GRACEATF77QULUT3WY4JG54X5ZI4OUWO/
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => shlomif
Patched package uploaded by Shlomi for Mageia 7.
Advisory:
========================
Updated libuv packages fix security vulnerability:
The implementation of realpath in libuv before 1.39 incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes (CVE-2020-8252).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://ubuntu.com/security/notices/USN-4548-1
========================
Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.1.mga7
libuv-devel-1.34.2-1.1.mga7
libuv-static-devel-1.34.2-1.1.mga7
from libuv-1.34.2-1.1.mga7.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
mga7, x86_64
CVE-2020-8252
https://hackerone.com/reports/965914
PoC before updating:
$ LONG_PATH='/tmp/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/path/254B'
$ SHORT_LINK='/tmp/short'
$ mkdir -p "${LONG_PATH}"
$ ln -s "${LONG_PATH}" "${SHORT_LINK}"
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
bash: node: command not found
<Installed nodejs at this point>
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
    throw err;
    ^
Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
    at Function.realpathSync.native (fs.js:1521:3)
    at [eval]:1:17
    at Script.runInThisContext (vm.js:122:20)
    at Object.runInThisContext (vm.js:329:38)
    at Object.<anonymous> ([eval]-wrapper:6:22)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
Carrying on with this tomorrow.
CC: (none) => tarazed25
Updated the packages.
Removed /tmp/long and unlinked the now invalid short link /tmp/short@.
Repeated the PoC which produced a slightly different result.
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
    throw err;
    ^
Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
    at Function.realpathSync.native (fs.js:1521:3)
    at [eval]:1:17
    at Script.runInThisContext (vm.js:122:20)
    at Object.runInThisContext (vm.js:329:38)
    at Object.<anonymous> ([eval]-wrapper:6:22)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at evalScript (internal/bootstrap/node.js:590:27)
    at startup (internal/bootstrap/node.js:265:9)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)
This appears to be a tidy exit but the result needs to be judged by an expert.
There is further testing discussion at https://github.com/bazelbuild/rules_nodejs/issues/1958. Context is Darwin/MacOS. Comments indicated that the relevant test was terminated by the OS, bypassing a stack dump. Might be the same for Linux.
Using node.js to test libuv.
Started a server at localhost:8081.
$ strace -o node.trace node main.js
Server running at http://127.0.0.1:8081/
That shows "Hello World" in a browser.
$ cat demo.js
console.log( "Testing libuv via node.js" )
console.log( "Hopefully...." )
Ran node in another terminal:
$ node demo.js
Testing libuv via node.js
Hopefully....
$ killall node
which terminated the server.
$ grep uv node.trace
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3
Good enough but leaving the OK in case of comments regarding the PoC test.
Realized afterwards that the cli does not need a server so ran strace on the demo script.
$ grep libuv standalone
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3
read(20, "console.log( \"Testing libuv via "..., 74) = 74
write(17, "Testing libuv via node.js\n", 26) = 26
This should probably be pushed.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: Triaged => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0398.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED