Node.js and Libuv Out-of-Bounds Access Vulnerability on 32-Bit Systems

A vulnerability has been identified in certain build processes of Node.js and its dependency Libuv for 32-bit systems, specifically in the Node.js binary package version 20.19.0+dfsg-2 for Debian GNU/Linux. The issue arises from an inconsistent off_t size, where Libuv is built with _FILE_OFFSET_BITS=64, but Node.js defaults to 32. This mismatch leads to out-of-bounds access, causing a segmentation fault. The problem is not present in the Node.js version 20.19.0 when it is built with the upstream-bundled Libuv 1.46.0.

Impact

The vulnerability causes a segmentation fault, which is a type of memory access violation. This indicates that the program tried to read or write an area of memory that it is not allowed to, which can lead to crashes or potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by building Node.js version 20.19.0+dfsg-2 for i386 architecture with the shared Libuv 1.46.0. This can be done by downloading the Node.js source, applying the necessary build flags to ensure the correct off_t size, and then compiling it with the shared Libuv. The issue manifests when running a browserify script that requires the 'uniq' module, which triggers the out-of-bounds access and results in a segmentation fault.

Remediation

The vulnerability has been fixed in Node.js version 20.19.0+dfsg1-1, which is available in the Debian unstable repository. Users can upgrade to this version to address the vulnerability.