Bug#990663: marked as done (unblock: libuv1/1.40.0-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 04 Jul 2021 19:15:21 +0000
with message-id <E1m07aL-0005k1-3F@respighi.debian.org>
and subject line unblock libuv1
has caused the Debian Bug report #990663,
regarding unblock: libuv1/1.40.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990663
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: libuv1/1.40.0-1
• From: Dominique Dumont <dod@debian.org>
• Date: Sun, 04 Jul 2021 10:20:45 +0200
• Message-id: <[🔎] 162538684548.247913.12994886582253329132.reportbug@ylum.maison>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libuv1

[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561

In more details:

> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.

See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

I've applied a patch prepared by upstream.
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

Debdiff does not give much information besides the changelog.

The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918


[ Impact ] Without this patch, libuv1 (hence nodejs and may be raku)
are vulnerable to specially crafted host names encoded in punicode.

[ Tests ]
Upstream patch contains specific tests that check that the
vulnerability was fixed.

[ Risks ] Hmm. I guess risk is low as the patch is not so big. I also
trust the judgment of upstream.

[ Checklist ]
  [X ] all changes are documented in the d/changelog
  [X ] I reviewed all changes and I approve them
  [X ] attach debdiff against the package in testing


unblock libuv1/1.40.0-1

diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog	2020-10-31 18:43:46.000000000 +0100
+++ libuv1-1.40.0/debian/changelog	2021-07-04 09:43:38.000000000 +0200
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2) unstable; urgency=medium
+
+  * add patch for CVE-2021-22918 (Closes: #990561)
+
+ -- Dominique Dumont <dod@debian.org>  Sun, 04 Jul 2021 09:43:38 +0200
+
 libuv1 (1.40.0-1) unstable; urgency=medium
 
   * new upstream version

--- End Message ---

--- Begin Message ---

• To: 990663-done@bugs.debian.org
• Subject: unblock libuv1
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Sun, 04 Jul 2021 19:15:21 +0000
• Message-id: <E1m07aL-0005k1-3F@respighi.debian.org>

Unblocked.

--- End Message ---