CVE-2020-8252

NameCVE-2020-8252
DescriptionThe implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libuv1 (PTS)stretch1.9.1-3fixed
buster1.24.1-1vulnerable
bullseye, sid1.39.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libuv1sourcestretch(not affected)
libuv1source(unstable)1.39.0-1

Notes

[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
https://hackerone.com/reports/965914
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
Debian's version of nodejs uses the shared system library of libuv1 instead
of the bundled one.
https://github.com/libuv/libuv/issues/2965
Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0)
Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0)

Search for package or bug name: Reporting problems