It was found [1] that libuv does not call setgroups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges. Upstream fix for 0.10: https://github.com/libuv/libuv/pull/215 [1]: https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c
Created libuv tracking bugs for this issue: Affects: fedora-all [bug 1194653] Affects: epel-all [bug 1194654]
Upstream announcement: https://groups.google.com/d/msg/libuv/0JZxwLMtsMI/jraczskYWWQJ Red Hat assigned CVE-2015-0278 to this issue.
v8-3.14.5.10-17.fc21, nodejs-0.10.36-3.fc21, libuv-0.10.34-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
v8-3.14.5.10-17.fc20, nodejs-0.10.36-3.fc20, libuv-0.10.34-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
compat-libuv010-0.10.34-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Analysis ======== In code of nodejs010-libuv in function static void uv__process_child_init() in the following code it call setgid() and setuid() ... if ((options.flags & UV_PROCESS_SETGID) && setgid(options.gid)) { uv__write_int(error_fd, errno); perror("setgid()"); _exit(127); } if ((options.flags & UV_PROCESS_SETUID) && setuid(options.uid)) { uv__write_int(error_fd, errno); perror("setuid()"); _exit(127); } ... before calling setgid() and setuid() It does not call setgroups() while dropping privileges. There are ancillary groups associated with process which are inherited from the parent process which can only be altered by superuser. If some process runs with root or equivalent privileges it should call setgroups() before dropping root privileges.
On further analyzing about this flaw present in libuv as shipped with the nodejs10-libuv package present in Red Hat Software Collections, it seems impact of this flaw is low, as it depends on whether nodejs application is running under root privileges or not, so looking at the use cases of libuv with nodejs, nodejs applications would be running with privileges as they are expected to be running and not dropping them later on. As for the other applications using libuv running under superuser/root privileges impact of this flaw would be moderate.
v8-3.14.5.10-17.el6, nodejs-0.10.36-3.el6, libuv-0.10.34-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
v8-3.14.5.10-17.el7, nodejs-0.10.36-3.el7, libuv-0.10.34-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Statement: (none)