CVE-2020-8252

NameCVE-2020-8252
DescriptionThe implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libuv1 (PTS)stretch1.9.1-3fixed
buster1.24.1-1+deb10u1vulnerable
buster (security)1.24.1-1+deb10u2vulnerable
bullseye1.40.0-2fixed
bullseye (security)1.40.0-2+deb11u1fixed
bookworm1.44.2-1fixed
bookworm (security)1.44.2-1+deb12u1fixed
trixie1.48.0-1fixed
sid1.48.0-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libuv1sourcestretch(not affected)
libuv1source(unstable)1.39.0-1unimportant

Notes

[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
https://hackerone.com/reports/965914
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
Debian's version of nodejs uses the shared system library of libuv1 instead
of the bundled one.
https://github.com/libuv/libuv/issues/2965
Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0)
Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0)
Broken path in uv__fs_realpath() only taken when libuv1 build in
pre-POSIX.2008 mode (defined(_POSIX_VERSION) && _POSIX_VERSION < 200809L).

Search for package or bug name: Reporting problems