setuid() does not drop all privileges due to io_uring (CVE-2024-22017) #4416
Comments
Found some (maybe useful) thoughts from the node.js community: nodejs/node#52156 (comment)
After upgrading
For context, the original issue is being addressed here: #4421
@santigimeno this was fixed by #4492, right? Node.js can drop the patch (and optionally switch to uv_loop_configure) once we release a new version.
Sorry I missed this.
Yes, you're right
Linux build.archlinux.org 6.9.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 17 May 2024 16:56:38 +0000 x86_64 GNU/Linux
Node.js is currently patching libuv to get rid of io_uring due to this, and I find it strange that it was never mentioned here: nodejs/node@42e659c
As an Arch Linux packager of both libuv and node.js, I would like to find a way forward without having to use a patched libuv for node.js. I am not familiar with this specific problem, but I could imagine options like a runtime switch for io_uring, or maybe if the underlying issue could be addressed.