packages/libuv
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!9 fix CVE-2020-8252

Browse Source 
From: @wangxiao65
Reviewed-by: @jackie_wu123,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2020-12-15 14:18:33 +08:00 committed by Gitee
commit c8ce79323f
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
CVE-2020-8252.patch Normal file
View File

@ -0,0 +1,41 @@
From 0e6e8620496dff0eb285589ef1e37a7f407f3ddd Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Mon, 24 Aug 2020 11:42:27 +0200
Subject: [PATCH] unix: don't use _POSIX_PATH_MAX
Libuv was using _POSIX_PATH_MAX wrong. Bug introduced in commit b56d279b
("unix: do not require PATH_MAX to be defined") from September 2018.
_POSIX_PATH_MAX is the minimum max path size guaranteed by POSIX, not
the actual max path size of the system libuv runs on. _POSIX_PATH_MAX
is always 256, the real max is often much bigger.
This commit fixes buffer overruns when processing very long paths in
uv_fs_readlink() and uv_fs_realpath() because libuv was not allocating
enough memory to store the result.
Fixes: https://github.com/libuv/libuv/issues/2965
PR-URL: https://github.com/libuv/libuv/pull/2966
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jameson Nash <vtjnash@gmail.com>
---
src/unix/internal.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/unix/internal.h b/src/unix/internal.h
index 30711673e0..9d3c2297f8 100644
--- a/src/unix/internal.h
+++ b/src/unix/internal.h
@@ -62,9 +62,7 @@
# include <AvailabilityMacros.h>
#endif
-#if defined(_POSIX_PATH_MAX)
-# define UV__PATH_MAX _POSIX_PATH_MAX
-#elif defined(PATH_MAX)
+#if defined(PATH_MAX)
# define UV__PATH_MAX PATH_MAX
#else
# define UV__PATH_MAX 8192

6
libuv.spec
View File

@ -1,7 +1,7 @@
Name: libuv Name: libuv
Epoch: 1 Epoch: 1
Version: 1.38.1 Version: 1.38.1
Release: 1 Release: 2
Summary: A multi-platform support library with a focus on asynchronous I/O Summary: A multi-platform support library with a focus on asynchronous I/O
# the licensing breakdown is described in detail in the LICENSE file # the licensing breakdown is described in detail in the LICENSE file
@ -9,6 +9,7 @@ License: MIT and BSD and ISC
URL: http://libuv.org/ URL: http://libuv.org/
Source0: http://dist.libuv.org/dist/v%{version}/%{name}-v%{version}.tar.gz Source0: http://dist.libuv.org/dist/v%{version}/%{name}-v%{version}.tar.gz
Source2: %{name}.pc.in Source2: %{name}.pc.in
Patch0: CVE-2020-8252.patch
BuildRequires: autoconf automake libtool gcc BuildRequires: autoconf automake libtool gcc
@ -60,6 +61,9 @@ Development libraries for libuv
%doc ChangeLog %doc ChangeLog
%changelog %changelog
* Mon Dec 14 2020 wangxiao <wangxiao65@huawei.com> - 1.38.1-2
- fix CVE-2020-8252
* Mon Jul 27 2020wenzhanli<wenzhanli2@huawei.com> - 1.38.1-1 * Mon Jul 27 2020wenzhanli<wenzhanli2@huawei.com> - 1.38.1-1
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA