--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libuv1
[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561
In more detail:
> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.
See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
I've applied a patch prepared by upstream.
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
Debdiff does not give much information besides the changelog.
The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918
[ Impact ]
Without this patch, libuv1 (hence nodejs and maybe raku)
are vulnerable to specially crafted host names encoded in punycode.
[ Tests ]
Upstream patch contains specific tests that check that the
vulnerability was fixed.
[ Risks ]
Hmm. I guess risk is low as the patch is not so big. I also
trust the judgment of upstream.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock libuv1/1.40.0-1
diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog 2020-10-31 18:43:46.000000000 +0100
+++ libuv1-1.40.0/debian/changelog 2021-07-04 09:43:38.000000000 +0200
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2) unstable; urgency=medium
+
+ * add patch for CVE-2021-22918 (Closes: #990561)
+
+ -- Dominique Dumont <dod@debian.org> Sun, 04 Jul 2021 09:43:38 +0200
+
libuv1 (1.40.0-1) unstable; urgency=medium
* new upstream version
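Review bot: the version in this changelog hunk is 1.40.0-2, but the request line above reads "unblock libuv1/1.40.0-1", which is the version already in testing and the one the report says is affected; the unblock line should name the fixed upload, 1.40.0-2. The debdiff as attached also contains only this changelog hunk: the new file debian/patches/fix-cve-2021-22918 that the changelog entry refers to, and the matching debian/patches/series addition, are not shown, so the change under review cannot be checked from the debdiff alone. Please attach a debdiff that includes those files (or confirm that they are the only other changes) so the release team can review the actual code change rather than only the link to salsa.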
--- End Message ---