Backport fix for CVE-2024-24806

2024-06-05 13:56:21 +02:00 · 2024-06-05 13:56:21 +02:00 · 07592da011
commit 07592da011
parent 1e3c8c6f4e
2 changed files with 89 additions and 3 deletions
--- a/0001-Fix-CVE-2024-24806.patch
+++ b/0001-Fix-CVE-2024-24806.patch
@ -0,0 +1,82 @@
+From 4f0158bccc32c0050c6e6692d6eacd08d5f4f624 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 5 Jun 2024 13:40:17 +0200
+Subject: [PATCH] Fix CVE-2024-24806
+
+- fix: always zero-terminate idna output
+  Original-Commit: https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
+
+- fix: reject zero-length idna inputs
+  Original-Commit: https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
+
+- test: empty strings are not valid IDNA
+  Original-Commit: https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ src/idna.c       | 8 ++++++--
+ test/test-idna.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/idna.c b/src/idna.c
+index b44cb16..abbfe87 100644
+--- a/src/idna.c
+++ b/src/idna.c
+@@ -273,6 +273,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+   char* ds;
+   int rc;
+
+  if (s == se)
+    return UV_EINVAL;
+
+   ds = d;
+
+   si = s;
+@@ -307,8 +310,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
+       return rc;
+   }
+
+-  if (d < de)
+-    *d++ = '\0';
+  if (d >= de)
+    return UV_EINVAL;
+
+  *d++ = '\0';
+   return d - ds;  /* Number of bytes written. */
+ }
+diff --git a/test/test-idna.c b/test/test-idna.c
+index f4fad96..37da38d 100644
+--- a/test/test-idna.c
+++ b/test/test-idna.c
+@@ -99,6 +99,7 @@ TEST_IMPL(utf8_decode1) {
+ TEST_IMPL(utf8_decode1_overrun) {
+   const char* p;
+   char b[1];
+  char c[1];
+
+   /* Single byte. */
+   p = b;
+@@ -112,6 +113,10 @@ TEST_IMPL(utf8_decode1_overrun) {
+   ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
+   ASSERT_EQ(p, b + 1);
+
+  b[0] = 0x7F;
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 0, c, c + 1));
+  ASSERT_EQ(UV_EINVAL, uv__idna_toascii(b, b + 1, c, c + 1));
+
+   return 0;
+ }
+
+@@ -145,8 +150,8 @@ TEST_IMPL(idna_toascii) {
+   /* Illegal inputs. */
+   F("\xC0\x80\xC1\x80", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+   F("\xC0\x80\xC1\x80.com", UV_EINVAL);  /* Overlong UTF-8 sequence. */
+  F("", UV_EINVAL);
+   /* No conversion. */
+-  T("", "");
+   T(".", ".");
+   T(".com", ".com");
+   T("example", "example");
+--
+2.45.1
+
--- a/libuv.spec
+++ b/libuv.spec
@ -6,7 +6,7 @@
 Name:           libuv
 Epoch:          1
 Version:        1.42.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Platform layer for node.js

 # the licensing breakdown is described in detail in the LICENSE file
@ -17,10 +17,10 @@ Source2:        %{name}.pc.in
 Source3:        libuv.abignore

 BuildRequires:  autoconf automake libtool
-BuildRequires:  gcc
-BuildRequires: make
+BuildRequires:  gcc make

 # -- Patches -- #
+Patch0001:      0001-Fix-CVE-2024-24806.patch

 %description
 libuv is a new platform layer for Node. Its purpose is to abstract IOCP on
@ -81,6 +81,10 @@ install -Dm0644 -t %{buildroot}%{_libdir}/libuv/ %{SOURCE3}
 %{_libdir}/%{name}.a

 %changelog
+* Wed Jun 05 2024 Jan Staněk <jstanek@redhat.com> - 1:1.42.0-2
+- Backport fix for CVE-2024-24806
+  Resolves: RHEL-24791
+
 * Fri Sep 17 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:1.42.0-1
 - Rebased, resolves CVE-2021-22918
 - Resolves: RHBZ#2005319, RHBZ#1979928