libuv: Privilege escalation — GLSA 201611-10

A vulnerability in libuv could lead to privilege escalation.

Affected Packages

dev-libs/libuv on all architectures
Affected versions < 1.4.2
Unaffected versions >= 1.4.2

Background

libuv is a multi-platform support library with a focus on asynchronous I/O.

Description

It was discovered that libuv does not call setgroups before calling setuid/setgid. If this is not called, then even though the uid has been dropped, there may still be groups associated that permit superuser privileges.

Impact

Context-dependent attackers could escalate privileges via unspecified vectors.

Workaround

There is no known workaround at this time.

Resolution

All libuv users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --verbose --oneshot ">=dev-libs/libuv-1.4.2"
 

References

Release Date
November 17, 2016

Latest Revision
November 17, 2016: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries