File: fix-cve-2024-24806

package info (click to toggle)
nodejs 18.20.4%2Bdfsg-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 416,132 kB
  • sloc: perl: 1,766,352; cpp: 1,167,027; ansic: 634,245; asm: 576,575; javascript: 536,356; python: 76,986; sh: 8,334; makefile: 2,929; f90: 641; lisp: 480; xml: 36; awk: 18; ruby: 14; sed: 6
file content (38 lines) | stat: -rw-r--r-- 1,053 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
Description: Fix CVE-2024-24806
 From upstream change log:
    Merge pull request from GHSA-f74f-cvh7-c6q6
     * fix: always zero-terminate idna output
     * fix: reject zero-length idna inputs
     * test: empty strings are not valid IDNA
 .
 See also https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Bug: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Bug-Debian: https://bugs.debian.org/1063484
Origin: https://github.com/libuv/libuv
 git diff v1.48.0~5..v1.48.0~2
Index: nodejs/deps/uv/src/idna.c
===================================================================
--- nodejs.orig/deps/uv/src/idna.c	2025-04-27 16:39:12.041809212 +0200
+++ nodejs/deps/uv/src/idna.c	2025-04-27 16:39:12.037809196 +0200
@@ -274,6 +274,9 @@
   char* ds;
   int rc;
 
+  if (s == se)
+    return UV_EINVAL;
+
   ds = d;
 
   si = s;
@@ -308,8 +311,9 @@
       return rc;
   }
 
-  if (d < de)
-    *d++ = '\0';
+  if (d >= de)
+    return UV_EINVAL;
 
+  *d++ = '\0';
   return d - ds;  /* Number of bytes written. */
 }