A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.
Package | dev-libs/libuv on all architectures |
---|---|
Affected versions | < 1.48.0 |
Unaffected versions | >= 1.48.0 |
libuv is a multi-platform support library with a focus on asynchronous I/O.
Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details.
The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.
There is no known workaround at this time.
All libuv users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"
Release date
January 23, 2025
Latest revision
January 23, 2025: 1
Severity
normal
Exploitable
remote
Bugzilla entries