• Bug#1063484: libuv1: CVE-2024-24806

    From Salvatore Bonaccorso@21:1/5 to All on Thu Feb 8 21:00:01 2024
    Source: libuv1
    Version: 1.46.0-3
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for libuv1.

    CVE-2024-24806[0]:
    | libuv is a multi-platform support library with a focus on
    | asynchronous I/O. The `uv_getaddrinfo` function in
    | `src/unix/getaddrinfo.c` (and its windows counterpart
    | `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
    | before calling `getaddrinfo`. This behavior can be exploited to
    | create addresses like `0x00007f000001`, which are considered valid
    | by `getaddrinfo` and could allow an attacker to craft payloads that
    | resolve to unintended IP addresses, bypassing developer checks. The
    | vulnerability arises due to how the `hostname_ascii` variable (with
    | a length of 256 bytes) is handled in `uv_getaddrinfo` and
    | subsequently in `uv__idna_toascii`. When the hostname exceeds 256
    | characters, it gets truncated without a terminating null byte. As a
    | result attackers may be able to access internal APIs or for websites
    | (similar to MySpace) that allows users to have
    | `username.example.com` pages. Internal services that crawl or cache
    | these user pages can be exposed to SSRF attacks if a malicious user
    | chooses a long vulnerable username. This issue has been addressed in
    | release version 1.48.0. Users are advised to upgrade. There are no
    | known workarounds for this vulnerability.

    Note that the advisory at [1] mentions that affected versions are
    only > 1.45.x. Looking at the git changes, is it not introduced after
    6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
    v1.24.0?

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-24806
    https://www.cve.org/CVERecord?id=CVE-2024-24806
    [1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
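As an added illustration of the "developer checks" the CVE text says the truncation bypasses (example code written for this page, not libuv's or Debian's): a hypothetical `build_user_hostname()` that a site hosting `username.example.com` pages could apply before an internal crawler hands the name to `uv_getaddrinfo`, rejecting usernames that are empty, over-long or not a valid DNS label, so that no name ever reaches the 256-byte resolver buffer only by being cut short. The label and name limits are RFC 1035's; the function, its LDH-only policy and the `example.com` domain are assumptions.

```c
/* Added example for this bug page (not libuv or Debian code): validate a
 * user-controlled label before it is joined into "<username>.<domain>" and
 * handed to a resolver such as uv_getaddrinfo(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define DNS_LABEL_MAX 63   /* RFC 1035: one label is at most 63 octets */
#define DNS_NAME_MAX  253  /* RFC 1035: presentation-form name, at most 253 chars */
#define UV_HOST_BUF   256  /* size of libuv's hostname_ascii buffer per the CVE text */

/* Letter, digit or hyphen: the only bytes a hostname label may contain. */
static int is_ldh(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}
/* Returns 0 and fills out[] on success, -1 if the username is rejected.
 * Rejection rather than truncation is the point: an over-long name is never
 * silently cut down to something the resolver would happen to accept. */
int build_user_hostname(const char *username, const char *domain,
                        char *out, size_t outlen)
{
    size_t ulen = strlen(username), dlen = strlen(domain);
    size_t total = ulen + 1 + dlen;                 /* "<username>.<domain>" */
    if (ulen == 0 || ulen > DNS_LABEL_MAX)          /* empty or over-long label */
        return -1;
    if (username[0] == '-' || username[ulen - 1] == '-')
        return -1;
    for (size_t i = 0; i < ulen; i++)
        if (!is_ldh(username[i]))
            return -1;
    if (total > DNS_NAME_MAX || total >= outlen)    /* must fit, NUL included */
        return -1;
    memcpy(out, username, ulen);
    out[ulen] = '.';
    memcpy(out + ulen + 1, domain, dlen);
    out[total] = '\0';                              /* always NUL-terminated */
    return 0;
}
int main(void)
{
    char host[UV_HOST_BUF], longname[300];
    memset(longname, 'a', sizeof longname - 1);     /* constructed 299-byte username */
    longname[sizeof longname - 1] = '\0';
    printf("alice     -> %s\n", build_user_hostname("alice", "example.com", host, sizeof host) ? "rejected" : host);
    printf("299 x 'a' -> %s\n", build_user_hostname(longname, "example.com", host, sizeof host) ? "rejected" : host);
    return 0;
}
```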
  • From Dominique Dumont@21:1/5 to All on Wed Feb 14 13:10:01 2024
    On Thu, 08 Feb 2024 20:51:30 +0100 Salvatore Bonaccorso <carnil@debian.org> wrote:
    > Note that the advisory at [1] mentions that affected versions are
    > only > 1.45.x. Looking at the git changes, is it not introduced after
    > 6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
    > v1.24.0?

    The advisory has been changed and lists v1.24.0 as an affected version.

    I'm going to package v1.48 to fix this issue in unstable.

    I'm still pondering what should be done for stable, which ships a libuv 1.44.2.

    All the best

  • From Debian Bug Tracking System@21:1/5 to All on Mon Feb 19 09:00:02 2024

    Your message dated Mon, 19 Feb 2024 07:49:25 +0000
    with message-id <E1rbyOz-00BoUC-C6@fasolo.debian.org>
    and subject line Bug#1063484: fixed in libuv1 1.48.0-1
    has caused the Debian Bug report #1063484,
    regarding libuv1: CVE-2024-24806
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1063484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063484
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Dominique Dumont@21:1/5 to dod@debian.org on Tue Feb 20 19:20:01 2024

    Hi

    On Wed, 14 Feb 2024 12:57:52 +0100 Dominique Dumont <dod@debian.org> wrote:
    > I'm still pondering what should be done for stable which ships a libuv
    > 1.44.2

    I've prepared a fix for bookworm. You'll find the debdiff in attachment.

    Please tell me if I can upload this package to bookworm-security.

    All the best
    diff -Nru libuv1-1.44.2/debian/changelog libuv1-1.44.2/debian/changelog
    --- libuv1-1.44.2/debian/changelog 2022-07-28 18:35:31.000000000 +0200
    +++ libuv1-1.44.2/debian/changelog 2024-02-20 18:28:54.000000000 +0100
    @@ -1,3 +1,9 @@
    +libuv1 (1.44.2-1+deb12u1) bookworm-security; urgency=medium
    +
    + * add patch to fix CVE-2024-24806 (Closes: 1063484)
    +
    + -- Dominique Dumont <dod@debian.org> Tue, 20 Feb 2024 18:28:54 +0100
    +
    libuv1 (1.44.2-1) unstable; urgency=medium

    * new upstream version
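    Review bot: the new changelog entry writes the bug reference as `Closes: 1063484`; the Debian convention is `Closes: #1063484` (with the hash), which is what the policy examples and most tooling expect, even though dpkg's changelog parser tolerates the bare number. Consider also naming the change in the entry, for example ` * Add patch to fix CVE-2024-24806 (uv_getaddrinfo: NUL-terminate the IDNA output and reject empty hostnames) (Closes: #1063484)`, so readers of the security tracker see what was patched without opening the patch; the entry does include the CVE id as requested earlier in this bug, which is good.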
    diff -Nru libuv1-1.44.2/debian/patches/fix-cve-2024-24806 libuv1-1.44.2/debian/patches/fix-cve-2024-24806
    --- libuv1-1.44.2/debian/patches/fix-cve-2024-24806 1970-01-01 01:00:00.000000000 +0100
    +++ libuv1-1.44.2/debian/patches/fix-cve-2024-24806 2024-02-20 18:28:54.000000000 +0100
    @@ -0,0 +1,67 @@
    +Description: Fix CVE-2024-24806
    + From upstream change log:
    + Merge pull request from GHSA-f74f-cvh7-c6q6
    + * fix: always zero-terminate idna output
    + * fix: reject zero-length idna inputs
    + * test: empty strings are not valid IDNA
    + .
    + See also https://github.c
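    Review bot: the DEP-3 header visible here carries only a `Description:` block, and the page cuts the patch off after `+ See also https://github.c`, so the code change itself cannot be reviewed from this debdiff; please add `Origin:` (the upstream commits merged for GHSA-f74f-cvh7-c6q6), `Bug-Debian: https://bugs.debian.org/1063484` and `Applied-Upstream: 1.48.0` fields so the backport's provenance is recorded in the patch file and not only in the changelog. The three bullets (always zero-terminate the IDNA output, reject zero-length IDNA inputs, and the test that empty strings are not valid IDNA) are the right set to carry: the first is the fix for the missing terminating null byte described in the CVE text, and the test should stay in the backport so the 1.44.2 build exercises it.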
  • From Salvatore Bonaccorso@21:1/5 to Dominique Dumont on Thu Feb 29 22:00:03 2024
    Hi Dominique,

    [Adding CC to team@s.d.o]

    On Tue, Feb 20, 2024 at 07:08:48PM +0100, Dominique Dumont wrote:
    > Hi
    >
    > On Wed, 14 Feb 2024 12:57:52 +0100 Dominique Dumont <dod@debian.org> wrote:
    > > I'm still pondering what should be done for stable which ships a libuv
    > > 1.44.2
    >
    > I've prepared a fix for bookworm. You'll find the debdiff in attachment.
    >
    > Please tell me if I can upload this package to bookworm-security.

    Thanks for preparing the update, I will try to have a look at the
    debdiff in the next days.

    libuv1 is as well affected in bullseye and it's still supported. Can
    you have a look as well at this version?

    Regards,
    Salvatore

  • From Salvatore Bonaccorso@21:1/5 to Dominique Dumont on Wed Mar 6 21:10:01 2024
    Hi

    On Wed, Mar 06, 2024 at 07:06:55PM +0100, Dominique Dumont wrote:
    > On Tuesday, 5 March 2024 22:15:50 CET Salvatore Bonaccorso wrote:
    > > The debdiff for bookworm-security looks good to me. Please do upload
    > > to security-master (and make sure to build with -sa as the orig
    > > tarball is not yet on security-master for 1.44.2).
    >
    > Done.

    Thank you, builds arrived.

    > > So we just need as well the bullseye-security one, as per above, can
    > > you prepare this one as well?
    >
    > Done. Here's the debdiff in attachment

    Thank you very much. Looks good to me, feel free to upload as well to
    security-master (and build as well with -sa).

    Regards,
    Salvatore

  • From Salvatore Bonaccorso@21:1/5 to Dominique Dumont on Sun Mar 10 15:00:02 2024
    Hi Dominique,

    On Thu, Mar 07, 2024 at 08:58:11AM +0100, Dominique Dumont wrote:
    > On Wednesday, 6 March 2024 21:07:56 CET Salvatore Bonaccorso wrote:
    > > Thank you very much. Looks good to me, feel free to upload as well to
    > > security-master (and build as well with -sa).
    >
    > Done.

    DSA 5638-1 has been released today. Thanks a lot for your
    contribution!

    Regards,
    Salvatore

  • From Debian Bug Tracking System@21:1/5 to All on Sun Mar 17 18:10:02 2024

    Your message dated Sun, 17 Mar 2024 17:02:40 +0000
    with message-id <E1rltuC-00AgdI-Il@fasolo.debian.org>
    and subject line Bug#1063484: fixed in libuv1 1.44.2-1+deb12u1
    has caused the Debian Bug report #1063484,
    regarding libuv1: CVE-2024-24806
    to be marked as done.


  • From Debian Bug Tracking System@21:1/5 to All on Mon Mar 18 23:10:02 2024

    Your message dated Mon, 18 Mar 2024 22:02:34 +0000
    with message-id <E1rmL3y-00Gr9e-Fe@fasolo.debian.org>
    and subject line Bug#1063484: fixed in libuv1 1.40.0-2+deb11u1
    has caused the Debian Bug report #1063484,
    regarding libuv1: CVE-2024-24806
    to be marked as done.

