[gentoo-announce] [ GLSA 202501-05 ] libuv: Hostname Truncation

    From glsamaker@gentoo.org@21:1/5 to All on Thu Jan 23 07:30:01 2025
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202501-05
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: libuv: Hostname Truncation
    Date: January 23, 2025
    Bugs: #924127
    ID: 202501-05

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in libuv, where hostname truncation
    can lead to attacker-controlled lookups.

    Background
    ==========

    libuv is a multi-platform support library with a focus on asynchronous
    I/O.

    Affected packages
    =================

    Package         Vulnerable    Unaffected
    --------------  ------------  ------------
    dev-libs/libuv  < 1.48.0      >= 1.48.0

    Description
    ===========

    Multiple vulnerabilities have been discovered in libuv. Please review
    the CVE identifiers referenced below for details.

    Impact
    ======

    The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates
    hostnames to 256 characters before calling getaddrinfo. Because a
    truncated name such as 0x00007f000001 is accepted as valid by
    getaddrinfo, an attacker could craft payloads that resolve to
    unintended IP addresses, bypassing checks performed by the
    developer.
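    The following added example (not libuv's code and not part of the advisory) contrasts the silently truncating fixed-buffer copy described above with a copy that rejects over-long names, and adds a caller-side RFC 1035 length check that can be applied before any resolver call; the 256-byte buffer size, the function names and the -1 error value are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed copy buffer the advisory describes (assumption). */
#define HOST_BUF 256

/* Vulnerable pattern: fixed-size copy that silently drops the tail;
 * the caller cannot tell that the name was cut. */
static void copy_truncating(const char *host, char *out, size_t outlen) {
    strncpy(out, host, outlen - 1);
    out[outlen - 1] = '\0';
}

/* Hardened pattern: reject a name that does not fit instead of cutting it.
 * The -1 stands in for an EINVAL-style error (assumption, not libuv's code). */
static int copy_checked(const char *host, char *out, size_t outlen) {
    size_t n = strlen(host);
    if (n >= outlen) return -1;
    memcpy(out, host, n + 1);
    return 0;
}

/* Caller-side pre-check against RFC 1035 limits: at most 253 characters
 * and labels of 1..63 characters (one trailing dot is allowed). */
int hostname_is_valid(const char *host) {
    size_t total = strlen(host), label = 0;
    if (total == 0 || total > 253) return 0;
    for (size_t i = 0; i <= total; i++) {
        if (host[i] != '.' && host[i] != '\0') { label++; continue; }
        if (label > 63) return 0;
        if (label == 0 && !(host[i] == '\0' && i > 0 && host[i - 1] == '.')) return 0;
        label = 0;
    }
    return 1;
}

/* 1 if the truncating copy would hand the resolver a different name. */
int truncation_changes_name(const char *host) {
    char buf[HOST_BUF];
    copy_truncating(host, buf, sizeof buf);
    return strcmp(buf, host) != 0;
}

int checked_copy_accepts(const char *host) {
    char buf[HOST_BUF];
    return copy_checked(host, buf, sizeof buf) == 0;
}

/* Constructed input: fills buf with n copies of 'a' (buf holds n + 1 bytes). */
void constructed_name(char *buf, size_t n) { memset(buf, 'a', n); buf[n] = '\0'; }
```

    Note that a numeric-looking label such as 0x00007f000001 passes the RFC 1035 length check, so the syntactic check alone does not cover this bug; rejecting truncation, as the hardened copy does, is what closes it.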

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All libuv users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"

    References
    ==========

    [ 1 ] CVE-2024-24806
    https://nvd.nist.gov/vuln/detail/CVE-2024-24806

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202501-05

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2025 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5