Subject: [gentoo-announce] [ GLSA 202501-05 ] libuv: Hostname Truncation
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Thu, 23 Jan 2025 06:17:02 -0000
Message-ID: <173761302317.7.4214306805984072185@3f85d36892cf>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202501-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: Normal
     Title: libuv: Hostname Truncation
      Date: January 23, 2025
      Bugs: #924127
        ID: 202501-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in libuv, where hostname truncation
can lead to attacker-controlled lookups.

Background
==========

libuv is a multi-platform support library with a focus on asynchronous
I/O.

Affected packages
=================

Package         Vulnerable    Unaffected
--------------  ------------  ------------
dev-libs/libuv  < 1.48.0      >= 1.48.0

Description
===========

A vulnerability has been discovered in libuv. Please review the CVE
identifier referenced below for details.

Impact
======

The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates
hostnames to 256 characters before calling getaddrinfo. Everything past
that point is silently discarded, so the resolver can be handed a
different name than the one the application validated. getaddrinfo also
treats numeric spellings such as 0x00007f000001 (127.0.0.1) as valid
addresses. An attacker who controls a sufficiently long hostname can
therefore craft payloads that resolve to unintended IP addresses,
bypassing developer checks.

Workaround
==========

There is no known workaround at this time.
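The two application-side checks that close the gap described above, as an added example; this is neither libuv nor Gentoo code, and the names vet_hostname, ipv4_is_internal, sockaddr_is_internal, vet_addrinfo and vet_synthetic_name are this example's own. It assumes a POSIX resolver whose inet_aton() accepts the same hex, octal and single-integer IPv4 spellings that getaddrinfo() does (true of glibc, musl and the BSDs). The first check rejects any hostname longer than the 253-character DNS presentation limit before it reaches a resolver, so a library that truncates can never resolve something other than what was checked; the second applies the "no internal addresses" rule to parsed or resolved addresses rather than to the string, which is why 0x00007f000001 is caught.

```c
/* Added example, not libuv or Gentoo code. Hostname vetting around a
 * resolver call: length gate before resolution, address-range gate on the
 * parsed literal and on getaddrinfo() results. All sample inputs in main()
 * are constructed for this example. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 1035 caps a name in presentation form at 253 characters. Anything
 * longer cannot be a legitimate DNS name, and a resolver that truncates it
 * would resolve a name the application never saw, so reject it up front. */
#define MAX_HOSTNAME_LEN 253

enum vet_result {
    VET_OK = 0,           /* safe to hand to the resolver */
    VET_TOO_LONG,         /* exceeds MAX_HOSTNAME_LEN */
    VET_INTERNAL_LITERAL  /* numeric literal that points at internal space */
};

/* Ranges an outbound fetcher should never reach. Argument in host order. */
static int ipv4_is_internal(uint32_t a) {
    return (a >> 24) == 127 ||                   /* 127.0.0.0/8    loopback   */
           (a >> 24) == 10  ||                   /* 10.0.0.0/8     private    */
           (a >> 24) == 0   ||                   /* 0.0.0.0/8      "this net" */
           (a >> 20) == ((172u << 4) | 1) ||     /* 172.16.0.0/12  private    */
           (a >> 16) == ((192u << 8) | 168) ||   /* 192.168.0.0/16 private    */
           (a >> 16) == ((169u << 8) | 254);     /* 169.254.0.0/16 link-local */
}

/* Same rule applied to a sockaddr as returned by getaddrinfo(), including
 * IPv6 loopback and IPv4-mapped IPv6 addresses. */
static int sockaddr_is_internal(const struct sockaddr *sa) {
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        return ipv4_is_internal(ntohl(s4->sin_addr.s_addr));
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            uint32_t v4;
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], 4);
            return ipv4_is_internal(ntohl(v4));
        }
    }
    return 0;
}

/* Pre-resolution gate. inet_aton() parses the hex/octal/integer spellings
 * that getaddrinfo() accepts for IPv4 literals, so 0x00007f000001,
 * 0177.0.0.1 and 2130706433 are all recognised as 127.0.0.1 here, where a
 * string comparison against "127.0.0.1" would miss them. */
static enum vet_result vet_hostname(const char *host) {
    struct in_addr v4;

    if (strlen(host) > MAX_HOSTNAME_LEN)
        return VET_TOO_LONG;
    if (inet_aton(host, &v4) && ipv4_is_internal(ntohl(v4.s_addr)))
        return VET_INTERNAL_LITERAL;
    return VET_OK;
}

/* Post-resolution gate: refuse the whole result if any returned address is
 * internal. This is the check a string filter can never replace, because
 * the name may legitimately resolve to an internal address. Returns 1 if
 * every address is acceptable. */
static int vet_addrinfo(const struct addrinfo *res) {
    for (; res != NULL; res = res->ai_next)
        if (sockaddr_is_internal(res->ai_addr))
            return 0;
    return 1;
}

/* Builds a name of n 'a' characters (capped at 511) and vets it; used to
 * exercise the length gate with the over-long names the advisory describes. */
static enum vet_result vet_synthetic_name(size_t n) {
    char buf[512];
    if (n >= sizeof(buf))
        n = sizeof(buf) - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return vet_hostname(buf);
}

int main(void) {
    /* Constructed inputs: a benign name, three spellings of loopback, and
     * a public address literal. */
    const char *inputs[] = { "example.com", "0x00007f000001", "0177.0.0.1",
                             "2130706433", "93.184.216.34" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-16s -> %d\n", inputs[i], vet_hostname(inputs[i]));
    printf("300-char name    -> %d\n", vet_synthetic_name(300));
    /* A real caller would getaddrinfo() only VET_OK names and then run
     * vet_addrinfo() on the result before connecting. */
    return 0;
}
```

The order matters: vet_hostname runs before any resolver call, and vet_addrinfo runs on the addresses the resolver actually produced. Neither check depends on the resolver's internal buffer handling, which is the point of the advisory.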
Resolution
==========

All libuv users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"

References
==========

[ 1 ] CVE-2024-24806
      https://nvd.nist.gov/vuln/detail/CVE-2024-24806

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202501-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2025 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5