| Name | CVE-2020-8252 |
| Description | The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libuv1 (PTS) | stretch | 1.9.1-3 | fixed |
| buster (security), buster, buster (lts) | 1.24.1-1+deb10u2 | vulnerable |
| bullseye (security), bullseye | 1.40.0-2+deb11u1 | fixed |
| bookworm (security), bookworm | 1.44.2-1+deb12u1 | fixed |
| sid, trixie | 1.48.0-7 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libuv1 | source | stretch | (not affected) | | | |
| libuv1 | source | (unstable) | 1.39.0-1 | unimportant | | |
Notes
[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
https://hackerone.com/reports/965914
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
Debian's version of nodejs uses the shared system library of libuv1 instead
of the bundled one.
https://github.com/libuv/libuv/issues/2965
Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0)
Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0)
Broken path in uv__fs_realpath() only taken when libuv1 build in
pre-POSIX.2008 mode (defined(_POSIX_VERSION) && _POSIX_VERSION < 200809L).