A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libuv: Hostname Truncation Date: January 23, 2025 Bugs: #924127 ID: 202501-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups. Background ========== libuv is a multi-platform support library with a focus on asynchronous I/O. Affected packages ================= Package Vulnerable Unaffected -------------- ------------ ------------ dev-libs/libuv < 1.48.0 > = 1.48.0 Description =========== Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details. Impact ====== The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. Workaround ========== There is no known workaround at this time. Resolution ========== All libuv users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-libs/libuv-1.48.0" References ========== [ 1 ] CVE-2024-24806 https://nvd.nist.gov/vuln/detail/CVE-2024-24806 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-05 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Get the latest Linux and open source security news straight to your inbox.