Bug 32822 - libuv new security issue CVE-2024-24806
Summary: libuv new security issue CVE-2024-24806
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-02-09 09:18 CET by Nicolas Salguero
Modified: 2024-03-22 01:21 CET

See Also:
Source RPM: libuv-1.44.2-2.mga9.src.rpm
CVE: CVE-2024-24806
Status comment:



Nicolas Salguero 2024-02-09 09:19:45 CET

Status comment: (none) => Patches available from upstream and fixed upstream in 1.48.0
CVE: (none) => CVE-2024-24806
Source RPM: (none) => libuv-1.47.0-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-02-09 20:54:37 CET
Stig currently does version upgrades for this, so assigning to you.

I am unsure of the significance of "fixed in version 1.48.0 and with the following commits": does one need both? Or is it a choice between the two? If the latter, the new version alone is the answer; otherwise new version + patches.

Nicolas: can you clarify?

Assignee: bugsquad => smelror

Comment 2 Nicolas Salguero 2024-02-12 09:58:29 CET
(In reply to Lewis Smith from comment #1)
> I am unsure of the significance of "fixed in version 1.48.0 and with the
> following commits": does one need both?  or is it a choice between the two?
> If the latter, the new version alone is the answer; otherwise new version +
> patches.

Sorry for not being clear.  I meant: "version 1.48.0 fixed the issue by including the listed commits".  So, for Cauldron, we need to update to version 1.48.0 and, for Mageia 9, if we do not want to update to version 1.48.0, we need to add (maybe backport) the patches given by the commits.

Comment 3 Nicolas Salguero 2024-03-19 14:09:29 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks. (CVE-2024-24806)

References:
https://www.openwall.com/lists/oss-security/2024/02/08/2
https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
https://lists.debian.org/debian-security-announce/2024/msg00044.html
========================

Updated packages in core/updates_testing:
========================
lib64uv1-1.44.2-2.1.mga9
lib64uv-devel-1.44.2-2.1.mga9
lib64uv-static-devel-1.44.2-2.1.mga9

from SRPM:
libuv-1.44.2-2.1.mga9.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 9
Source RPM: libuv-1.47.0-1.mga10.src.rpm => libuv-1.44.2-2.mga9.src.rpm
Status comment: Patches available from upstream and fixed upstream in 1.48.0 => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
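The truncation described in the suggested advisory above, illustrated by an added C example that is neither libuv's code nor anything from this bug report: a fixed-buffer copy that silently shortens an over-long hostname, beside an intake check that rejects such input instead of resolving a shorter name. The 256-byte buffer, the RFC 1035 limits used for the check, the constructed sample names and the helper names are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>

#define HOSTNAME_BUF 256  /* fixed intake buffer, assumed for illustration */
#define HOSTNAME_MAX 253  /* RFC 1035 limit on a presentation-form name */
#define LABEL_MAX    63   /* RFC 1035 limit on one dot-separated label */

/* "Before" pattern: copy into a fixed buffer and silently drop the rest.
 * The resolver then looks up whatever survived the cut, so a check made
 * on the full string says nothing about the name actually resolved. */
static void hostname_copy_truncating(const char *in, char out[HOSTNAME_BUF]) {
    strncpy(out, in, HOSTNAME_BUF - 1);
    out[HOSTNAME_BUF - 1] = '\0';
}

/* Hardened intake: reject instead of truncate. 0 if `in` is a structurally
 * valid hostname that fits; -EINVAL if too long, empty label, label > 63. */
int hostname_valid(const char *in) {
    size_t len = strlen(in), label = 0;
    if (len > 0 && in[len - 1] == '.') len--;   /* allow one trailing dot */
    if (len == 0 || len > HOSTNAME_MAX) return -EINVAL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '.') {
            if (label == 0) return -EINVAL;       /* empty label, e.g. "a..b" */
            label = 0;
        } else if (++label > LABEL_MAX) return -EINVAL;
    }
    return label == 0 ? -EINVAL : 0;
}

/* Constructed sample input (not a real name): `labels` labels of 60 'a's
 * joined by dots. 4 labels = 243 chars and fits; 5 labels = 304 and does not. */
static const char *sample_name(int labels) {
    static char name[512];
    size_t pos = 0;
    for (int l = 0; l < labels; l++) {
        if (l) name[pos++] = '.';
        memset(name + pos, 'a', 60); pos += 60;
    }
    name[pos] = '\0';
    return name;
}

/* Length the resolver would actually see on the truncating path. */
size_t demo_truncated_len(int labels) {
    char out[HOSTNAME_BUF];
    hostname_copy_truncating(sample_name(labels), out);
    return strlen(out);   /* 243 for 4 labels, 255 for 5: silently shortened */
}
```

The hardened path returns an error for the 5-label input that the truncating path would have passed to the resolver as a different, shorter name.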

katnatek 2024-03-19 20:06:15 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-03-21 18:41:06 CET
MGA9-64 Plasma. No installation issues.

Stumbled through testing as in Bug #29231, by using strace and neovim. Not knowing the commands at all, I made a mess of an old text file that fortunately no longer has relevance. Eventually I closed the window and searched the resulting strace file, finding one instance of opening libuv1.so.1.

That was good enough for an OK then, so it's good enough now.

Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-03-22 01:21:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0079.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
