setuid() does not drop all privileges due to io_uring (CVE-2024-22017)

[felixonmars]

• Version: 1.48.0
• Platform: Linux build.archlinux.org 6.9.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 17 May 2024 16:56:38 +0000 x86_64 GNU/Linux

Node.js is currently patching libuv to get rid of io_uring due to this, and I find it strange that it was never mentioned here: nodejs/node@42e659c

As an Arch Linux packager of both libuv and node.js, I would like to find a way forward without having to use a patched libuv for node.js. I am not familiar with this specific problem, but I could imagine options like a runtime switch for io_uring, or maybe if the underlying issue could be addressed.

[felixonmars]

Found some (maybe useful) thoughts from the node.js community: nodejs/node#52156 (comment)

[sarandha-com]

After upgrading node-gyp to 10.1.0-3 I no longer need use export UV_USE_IO_URING=0 before using yarn install or yarn build.
This was an issue yesterday where I always needed to use export UV_USE_IO_URING=0 for working with vite scripts through yarn, otherwise it would give me Text file Busy error but looks like it's fixed now?

[saghul]

For context, the original issue is being addressed here: #4421

[bnoordhuis]

@santigimeno this was fixed by #4492, right? Node.js can drop the patch (and optionally switch to uv_loop_configure) once we release a new version.

[santigimeno]

Sorry I missed this.

@santigimeno this was fixed by #4492, right? Node.js can drop the patch (and optionally switch to uv_loop_configure) once we release a new version.

Yes, you're right