Bug 1979338 (CVE-2021-22918) - CVE-2021-22918 libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes
Summary: CVE-2021-22918 libuv: out-of-bounds read in uv__idna_toascii() can lead to in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1979925 1980076 1980293 1980294 1979591 1979592 1979593 1979595 1979596 1979597 1979598 1979599 1979843 1979844 1979845 1979846 1979847 1979924 1979926 1979927 1979928 1980031 1980032 1980033 1980291 1980292 1980295 1980321 1980322 1994462 1994464
Blocks: 1979347
Reported: 2021-07-05 16:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 09:42 UTC (History)
CC: 31 users

Fixed In Version: node 16.4.1, node 14.17.2, node 12.22.2, libuv 1.41.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libuv. Node.js is vulnerable to an out-of-bounds read in libuv's uv__idna_toascii() function, which converts strings to ASCII and is called by the lookup() function of Node's DNS module. The flaw can lead to information disclosure or crashes. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-07-28 13:07:21 UTC


Links
System                   ID             Last Updated
Red Hat Product Errata   RHSA-2021:2931 2021-07-28 08:33:25 UTC
Red Hat Product Errata   RHSA-2021:2932 2021-07-28 08:36:16 UTC
Red Hat Product Errata   RHSA-2021:3073 2021-08-10 13:56:44 UTC
Red Hat Product Errata   RHSA-2021:3074 2021-08-10 13:57:13 UTC
Red Hat Product Errata   RHSA-2021:3075 2021-08-10 13:57:32 UTC
Red Hat Product Errata   RHSA-2021:3638 2021-09-22 09:00:48 UTC
Red Hat Product Errata   RHSA-2021:3639 2021-09-22 08:51:27 UTC

Description Guilherme de Almeida Suckevicz 2021-07-05 16:39:51 UTC
Node.js is vulnerable to an out-of-bounds read in libuv's uv__idna_toascii() function, which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Reference:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2021-07-05 16:41:18 UTC
Created libuv tracking bugs for this issue:

Affects: epel-7 [bug 1979345]
Affects: fedora-all [bug 1979339]
Affects: openstack-rdo [bug 1979346]


Created nodejs:10/libuv tracking bugs for this issue:

Affects: fedora-all [bug 1979340]


Created nodejs:12/libuv tracking bugs for this issue:

Affects: fedora-all [bug 1979341]


Created nodejs:14/libuv tracking bugs for this issue:

Affects: fedora-all [bug 1979342]


Created nodejs:15/libuv tracking bugs for this issue:

Affects: fedora-all [bug 1979343]


Created nodejs:16/libuv tracking bugs for this issue:

Affects: fedora-all [bug 1979344]

Comment 2 Riccardo Schirone 2021-07-06 08:10:23 UTC
Upstream patch:
https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae

Comment 3 Guilherme de Almeida Suckevicz 2021-07-06 13:36:17 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 1979598]
Affects: fedora-all [bug 1979591]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979592]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979593]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979599]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979595]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979596]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1979597]

Comment 4 Cedric Buissart 2021-07-07 08:35:00 UTC
HackerOne reference (public): https://hackerone.com/reports/1209681

Comment 6 Cedric Buissart 2021-07-07 08:49:56 UTC
Upstream fix commit in nodejs 16:
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

Comment 7 Cedric Buissart 2021-07-07 08:53:15 UTC
Upstream fix commit in libuv:
https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae

Comment 8 Cedric Buissart 2021-07-07 12:33:55 UTC
Created libuv tracking bugs for this issue:

Affects: epel-7 [bug 1979925]
Affects: fedora-all [bug 1979924]

Comment 10 Cedric Buissart 2021-07-07 13:34:11 UTC
libuv versions >= 1.24.0 are vulnerable (the first vulnerable commit appears to be https://github.com/libuv/libuv/commit/6dd44caa)

Comment 11 Guilherme de Almeida Suckevicz 2021-07-07 17:23:18 UTC
Created libuv tracking bugs for this issue:

Affects: openstack-rdo [bug 1980076]

Comment 15 Cedric Buissart 2021-07-12 11:58:09 UTC
Note :
As distributed by Red Hat, a maximum of 3 bytes out of bound can be read. This would not be sufficient to crash nodejs or other applications using libuv, unless it was recompiled using an address sanitizer.
The memory disclosure is also very limited.

Comment 17 errata-xmlrpc 2021-07-28 08:33:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931

Comment 18 errata-xmlrpc 2021-07-28 08:36:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932

Comment 19 Product Security DevOps Team 2021-07-28 13:07:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22918

Comment 20 Product Security DevOps Team 2021-07-28 19:06:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22918

Comment 21 errata-xmlrpc 2021-08-10 13:56:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073

Comment 22 errata-xmlrpc 2021-08-10 13:57:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074

Comment 23 errata-xmlrpc 2021-08-10 13:57:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3075 https://access.redhat.com/errata/RHSA-2021:3075

Comment 24 errata-xmlrpc 2021-09-22 08:51:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 25 errata-xmlrpc 2021-09-22 09:00:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

