Bug 27403 - libuv new security issue CVE-2020-8252
Summary: libuv new security issue CVE-2020-8252
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2020-10-13 18:16 CEST by David Walser
Modified: 2020-10-14 21:24 CEST

See Also:
Source RPM: libuv-1.34.2-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-10-13 18:16:13 CEST
Ubuntu has issued an advisory on September 28:
https://ubuntu.com/security/notices/USN-4548-1

The issue is fixed upstream in 1.39.

Ubuntu patched the same version we have.
Comment 1 David Walser 2020-10-13 20:48:30 CEST
Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GRACEATF77QULUT3WY4JG54X5ZI4OUWO/
Comment 2 Aurelien Oudelet 2020-10-14 18:39:24 CEST
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => shlomif
Keywords: (none) => Triaged

Comment 3 David Walser 2020-10-14 21:24:34 CEST
Patched package uploaded by Shlomi for Mageia 7.

Advisory:
========================

Updated libuv packages fix security vulnerability:

The implementation of realpath in libuv before 1.39 incorrectly determined the
buffer size which can result in a buffer overflow if the resolved path is
longer than 256 bytes (CVE-2020-8252).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://ubuntu.com/security/notices/USN-4548-1
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.1.mga7
libuv-devel-1.34.2-1.1.mga7
libuv-static-devel-1.34.2-1.1.mga7

from libuv-1.34.2-1.1.mga7.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

