From: Anil Dongare <[email protected]> Upstream Repository: https://github.com/nodejs/node.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55132 Type: Security Fix CVE: CVE-2025-55132 Score: 5.3 Patch: https://github.com/nodejs/node/commit/ebbf942a83bc Signed-off-by: Anil Dongare <[email protected]>
---
 .../nodejs/nodejs/CVE-2025-55132.patch | 178 ++++++++++++++++++
 .../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
 2 files changed, 179 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch
new file mode 100644
index 0000000000..08c885473c
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch
@@ -0,0 +1,178 @@
+From b89fc3633ec12b6d1da5b9978e6bb1c5fbacf021 Mon Sep 17 00:00:00 2001
+From: RafaelGSS <[email protected]>
+Date: Tue, 21 Oct 2025 18:25:31 -0300
+Subject: [PATCH 1/5] lib: disable futimes when permission model is enabled
+
+Refs: https://hackerone.com/reports/3390084
+PR-URL: https://github.com/nodejs-private/node-private/pull/748
+Reviewed-By: Matteo Collina <[email protected]>
+Reviewed-By: Anna Henningsen <[email protected]>
+CVE-ID: CVE-2025-55132
+
+CVE: CVE-2025-55132
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/ebbf942a83bc]
+
+(cherry picked from commit ebbf942a83bc70d90a3bcb6712c7b67bc479fdf5)
+Signed-off-by: Anil Dongare <[email protected]>
+---
+ lib/fs.js | 24 ++++++++++
+ test/fixtures/permission/fs-write.js | 47 ++++++++++++++++++-
+ test/parallel/test-permission-fs-supported.js | 17 ++++++-
+ 3 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fs.js b/lib/fs.js
+index 64f0b5e88ed..9206a18663c 100644
+--- a/lib/fs.js
++++ b/lib/fs.js
+@@ -1274,6 +1274,11 @@ function rmSync(path, options) {
+ function fdatasync(fd, callback) {
+ const req = new FSReqCallback();
+ req.oncomplete = makeCallback(callback);
++
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('fdatasync API is disabled when Permission Model is enabled.'));
++ return;
++ }
+ binding.fdatasync(fd, req);
+ }
+
+@@ -1285,6 +1290,9 @@ function fdatasync(fd, callback) {
+ * @returns {void}
+ */
+ function fdatasyncSync(fd) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('fdatasync API is disabled when Permission Model is enabled.');
++ }
+ binding.fdatasync(fd);
+ }
+
+@@ -1298,6 +1306,10 @@ function fdatasyncSync(fd) {
+ function fsync(fd, callback) {
+ const req = new FSReqCallback();
+ req.oncomplete = makeCallback(callback);
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('fsync API is disabled when Permission Model is enabled.'));
++ return;
++ }
+ binding.fsync(fd, req);
+ }
+
+@@ -1308,6 +1320,9 @@ function fsync(fd, callback) {
+ * @returns {void}
+ */
+ function fsyncSync(fd) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('fsync API is disabled when Permission Model is enabled.');
++ }
+ binding.fsync(fd);
+ }
+
+@@ -2164,6 +2179,11 @@ function futimes(fd, atime, mtime, callback) {
+ mtime = toUnixTimestamp(mtime, 'mtime');
+ callback = makeCallback(callback);
+
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.'));
++ return;
++ }
++
+ const req = new FSReqCallback();
+ req.oncomplete = callback;
+ binding.futimes(fd, atime, mtime, req);
+@@ -2179,6 +2199,10 @@ function futimes(fd, atime, mtime, callback) {
+ * @returns {void}
+ */
+ function futimesSync(fd, atime, mtime) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.');
++ }
++
+ binding.futimes(
+ fd,
+ toUnixTimestamp(atime, 'atime'),
+diff --git a/test/fixtures/permission/fs-write.js b/test/fixtures/permission/fs-write.js
+index 31e96860972..4b98b6d2b78 100644
+--- a/test/fixtures/permission/fs-write.js
++++ b/test/fixtures/permission/fs-write.js
+@@ -490,4 +490,49 @@ const relativeProtectedFolder = process.env.RELATIVEBLOCKEDFOLDER;
+ }, {
+ code: 'ERR_ACCESS_DENIED',
+ });
+-}
+\ No newline at end of file
++}
++
++// fs.utimes with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ const date = new Date();
++ date.setFullYear(2100,0,1);
++
++ fs.futimes(fd, date, date, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
++ }));
++ fs.futimesSync(fd, date, date);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
++
++// fs.fdatasync with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ fs.fdatasync(fd, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
+
}));
++ fs.fdatasyncSync(fd);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
++
++// fs.fsync with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ fs.fsync(fd, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
++ }));
++ fs.fsyncSync(fd);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
+diff --git a/test/parallel/test-permission-fs-supported.js b/test/parallel/test-permission-fs-supported.js
+index 1062117798b..805365f28b3 100644
+--- a/test/parallel/test-permission-fs-supported.js
++++ b/test/parallel/test-permission-fs-supported.js
+@@ -77,7 +77,22 @@ const ignoreList = [
+ 'unwatchFile',
+ ...syncAndAsyncAPI('lstat'),
+ ...syncAndAsyncAPI('realpath'),
+- // fd required methods
++ // File descriptor–based metadata operations
++ //
++ // The kernel does not allow opening a file descriptor for an inode
++ // with write access if the inode itself is read-only. However, it still
++ // permits modifying the inode’s metadata (e.g., permission bits, ownership,
++ // timestamps) because you own the file. These changes can be made either
++ // by referring to the file by name (e.g., chmod) or through any existing
++ // file descriptor that identifies the same inode (e.g., fchmod).
++ //
++ // If the kernel required write access to change metadata, it would be
++ // impossible to modify the permissions of a file once it was made read-only.
++ // For that reason, syscalls such as fchmod, fchown, and futimes bypass
++ // the file descriptor’s access mode. Even a read-only ('r') descriptor
++ // can still update metadata. To prevent unintended modifications,
++ // these APIs are therefore blocked by default when permission model is
++ // enabled.
+ ...syncAndAsyncAPI('close'),
+ ...syncAndAsyncAPI('fchown'),
+ ...syncAndAsyncAPI('fchmod'),
+--
+2.43.7
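Review bot: In the `fdatasync` and `fsync` hunks of lib/fs.js the permission guard sits after `new FSReqCallback()` and invokes the raw `callback` synchronously, whereas the `futimes` hunk checks before allocating and calls the `makeCallback`-wrapped function; the three denial paths should share one shape. Placing the guard first and deferring the error, for example `process.nextTick(callback, new ERR_ACCESS_DENIED('fsync API is disabled when Permission Model is enabled.'));`, would keep the callback asynchronous as it is on the success path. The guard is `permission.isEnabled()` alone, so as far as these hunks show the calls are refused regardless of which fs permissions were granted, and the subject line names only futimes; the patch header should state that `fsync` and `fdatasync` also start returning ERR_ACCESS_DENIED for applications run under the permission model. The bodies of `futimes` and `futimesSync` continue outside their hunks.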
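Review bot: The three cases added to test/fixtures/permission/fs-write.js each open `fd` with `fs.openSync(blockedFile, 'r')` and never close it, and the first is labelled `// fs.utimes with read-only fd` although it exercises `fs.futimes` and `fs.futimesSync`; the label should read `// fs.futimes with read-only fd`. Since `futimesSync`, `fdatasyncSync` and `fsyncSync` are expected to throw, releasing the descriptor needs a `try { ... } finally { fs.closeSync(fd); }` inside the `assert.throws` callback. The diffstat lists only lib/fs.js on the library side, so whether the promise-based `FileHandle` methods (`utimes()`, `sync()`, `datasync()`) are denied in the same way cannot be told from this patch; a fixture case for them would confirm the coverage.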
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
index d757a7395c..67574a2ec1 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
 file://zlib-fix-pointer-alignment.patch \
 file://0001-src-fix-build-with-GCC-15.patch \
 file://run-ptest \
+ file://CVE-2025-55132.patch \
 "
 SRC_URI:append:class-target = " \
 file://0001-Using-native-binaries.patch \
--
2.44.1
