Bug 1979338 (CVE-2021-22918)
| Summary: | CVE-2021-22918 libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aarif, bdettelb, caswilli, cbuissar, chazlett, dbecker, fjansen, hhorak, igor.raits, jjoyce, jnakfour, jochrist, jorton, jross, jschluet, jwon, kaycoth, lhh, lpeer, mburns, mcressma, mrunge, nodejs-maint, nodejs-sig, sclewis, sgallagh, slinaber, tchollingsworth, thrcka, tomckay, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | node 16.4.1, node 14.17.2, node 12.22.2, libuv 1.41.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw has been found in libuv. Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII which is called by Node's DNS module's lookup() function and can lead to information disclosures or crashes. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-28 13:07:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1979925, 1980294, 1979591, 1979592, 1979593, 1979595, 1979596, 1979597, 1979598, 1979599, 1979843, 1979844, 1979845, 1979846, 1979847, 1979924, 1979926, 1979927, 1979928, 1980031, 1980032, 1980033, 1980076, 1980291, 1980292, 1980293, 1980295, 1980321, 1980322, 1994462, 1994464 | ||
| Bug Blocks: | 1979347 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-07-05 16:39:51 UTC
Created libuv tracking bugs for this issue: Affects: epel-7 [bug 1979345] Affects: fedora-all [bug 1979339] Affects: openstack-rdo [bug 1979346] Created nodejs:10/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979340] Created nodejs:12/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979341] Created nodejs:14/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979342] Created nodejs:15/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979343] Created nodejs:16/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979344] Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1979598] Affects: fedora-all [bug 1979591] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979592] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979593] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979599] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979595] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979596] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979597] Hacker one reference (public) : https://hackerone.com/reports/1209681 Upstream fix commit in nodejs 16 : https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829 Upstream fix commit in libuv : https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae Created libuv tracking bugs for this issue: Affects: epel-7 [bug 1979925] Affects: fedora-all [bug 1979924] libuv versions >= 1.24.0 are vulnerable (the first vulnerable commit appears to be https://github.com/libuv/libuv/commit/6dd44caa) Created libuv tracking bugs for this issue: Affects: openstack-rdo [bug 1980076] Note : As distributed by Red Hat, a maximum of 3 bytes out of bound can be read. This would not be sufficient to crash nodejs or other applications using libuv, unless it was recompiled using an address sanitizer. The memory disclosure is also very limited. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22918 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22918 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3075 https://access.redhat.com/errata/RHSA-2021:3075 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638 |