Can you please check if these are still needed after the changes in: https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap
On Thu, Feb 12, 2026 at 6:32 PM Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org <[email protected]> wrote: > > From: Anil Dongare <[email protected]> > > Upstream Repository: https://github.com/nodejs/node.git > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55132 > Type: Security Fix > CVE: CVE-2025-55132 > Score: 5.3 > Patch: https://github.com/nodejs/node/commit/ebbf942a83bc > > Signed-off-by: Anil Dongare <[email protected]> > --- > .../nodejs/nodejs/CVE-2025-55132.patch | 178 ++++++++++++++++++ > .../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 + > 2 files changed, 179 insertions(+) > create mode 100644 > meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch > > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch > b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch > new file mode 100644 > index 0000000000..08c885473c > --- /dev/null > +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2025-55132.patch 
> @@ -0,0 +1,178 @@ > +From b89fc3633ec12b6d1da5b9978e6bb1c5fbacf021 Mon Sep 17 00:00:00 2001 > +From: RafaelGSS <[email protected]> > +Date: Tue, 21 Oct 2025 18:25:31 -0300 > +Subject: [PATCH 1/5] lib: disable futimes when permission model is enabled > + > +Refs: https://hackerone.com/reports/3390084 > +PR-URL: https://github.com/nodejs-private/node-private/pull/748 > +Reviewed-By: Matteo Collina <[email protected]> > +Reviewed-By: Anna Henningsen <[email protected]> > +CVE-ID: CVE-2025-55132 > + > +CVE: CVE-2025-55132 > +Upstream-Status: Backport > [https://github.com/nodejs/node/commit/ebbf942a83bc] > + > +(cherry picked from commit ebbf942a83bc70d90a3bcb6712c7b67bc479fdf5) > +Signed-off-by: Anil Dongare <[email protected]> > +--- > + lib/fs.js | 24 ++++++++++ > + test/fixtures/permission/fs-write.js | 47 ++++++++++++++++++- > + test/parallel/test-permission-fs-supported.js | 17 ++++++- > + 3 files changed, 86 insertions(+), 2 deletions(-) > + > +diff --git a/lib/fs.js b/lib/fs.js > +index 64f0b5e88ed..9206a18663c 100644 > +--- a/lib/fs.js > ++++ b/lib/fs.js > +@@ -1274,6 +1274,11 @@ function rmSync(path, options) { > + function fdatasync(fd, callback) { > + const req = new FSReqCallback(); > + req.oncomplete = makeCallback(callback); > ++ > ++ if (permission.isEnabled()) { > ++ callback(new ERR_ACCESS_DENIED('fdatasync API is disabled when > Permission Model is enabled.')); > ++ return; > ++ } > + binding.fdatasync(fd, req); > + } > + > +@@ -1285,6 +1290,9 @@ function fdatasync(fd, callback) { > + * @returns {void} > + */ > + function fdatasyncSync(fd) { > ++ if (permission.isEnabled()) { > ++ throw new ERR_ACCESS_DENIED('fdatasync API is disabled when Permission > Model is enabled.'); > ++ } > + binding.fdatasync(fd); > + } > + > +@@ -1298,6 +1306,10 @@ function fdatasyncSync(fd) { > + function fsync(fd, callback) { > + const req = new FSReqCallback(); > + req.oncomplete = makeCallback(callback); > ++ if (permission.isEnabled()) { > ++ callback(new 
ERR_ACCESS_DENIED('fsync API is disabled when Permission > Model is enabled.')); > ++ return; > ++ } > + binding.fsync(fd, req); > + } > + > +@@ -1308,6 +1320,9 @@ function fsync(fd, callback) { > + * @returns {void} > + */ > + function fsyncSync(fd) { > ++ if (permission.isEnabled()) { > ++ throw new ERR_ACCESS_DENIED('fsync API is disabled when Permission > Model is enabled.'); > ++ } > + binding.fsync(fd); > + } > + > +@@ -2164,6 +2179,11 @@ function futimes(fd, atime, mtime, callback) { > + mtime = toUnixTimestamp(mtime, 'mtime'); > + callback = makeCallback(callback); > + > ++ if (permission.isEnabled()) { > ++ callback(new ERR_ACCESS_DENIED('futimes API is disabled when Permission > Model is enabled.')); > ++ return; > ++ } > ++ > + const req = new FSReqCallback(); > + req.oncomplete = callback; > + binding.futimes(fd, atime, mtime, req); > +@@ -2179,6 +2199,10 @@ function futimes(fd, atime, mtime, callback) { > + * @returns {void} > + */ > + function futimesSync(fd, atime, mtime) { > ++ if (permission.isEnabled()) { > ++ throw new ERR_ACCESS_DENIED('futimes API is disabled when Permission > Model is enabled.'); > ++ } > ++ > + binding.futimes( > + fd, > + toUnixTimestamp(atime, 'atime'), > +diff --git a/test/fixtures/permission/fs-write.js > b/test/fixtures/permission/fs-write.js > +index 31e96860972..4b98b6d2b78 100644 > +--- a/test/fixtures/permission/fs-write.js > ++++ b/test/fixtures/permission/fs-write.js > +@@ -490,4 +490,49 @@ const relativeProtectedFolder = > process.env.RELATIVEBLOCKEDFOLDER; > + }, { > + code: 'ERR_ACCESS_DENIED', > + }); > +-} > +\ No newline at end of file > ++} > ++ > ++// fs.utimes with read-only fd > ++{ > ++ assert.throws(() => { > ++ // blocked file is allowed to read > ++ const fd = fs.openSync(blockedFile, 'r'); > ++ const date = new Date(); > ++ date.setFullYear(2100,0,1); > ++ > ++ fs.futimes(fd, date, date, common.expectsError({ > ++ code: 'ERR_ACCESS_DENIED', > ++ })); > ++ fs.futimesSync(fd, date, date); > ++ }, { > 
++ code: 'ERR_ACCESS_DENIED', > ++ }); > ++} > ++ > ++// fs.fdatasync with read-only fd > ++{ > ++ assert.throws(() => { > ++ // blocked file is allowed to read > ++ const fd = fs.openSync(blockedFile, 'r'); > ++ fs.fdatasync(fd, common.expectsError({ > ++ code: 'ERR_ACCESS_DENIED', > ++ })); > ++ fs.fdatasyncSync(fd); > ++ }, { > ++ code: 'ERR_ACCESS_DENIED', > ++ }); > ++} > ++ > ++// fs.fsync with read-only fd > ++{ > ++ assert.throws(() => { > ++ // blocked file is allowed to read > ++ const fd = fs.openSync(blockedFile, 'r'); > ++ fs.fsync(fd, common.expectsError({ > ++ code: 'ERR_ACCESS_DENIED', > ++ })); > ++ fs.fsyncSync(fd); > ++ }, { > ++ code: 'ERR_ACCESS_DENIED', > ++ }); > ++} > +diff --git a/test/parallel/test-permission-fs-supported.js > b/test/parallel/test-permission-fs-supported.js > +index 1062117798b..805365f28b3 100644 > +--- a/test/parallel/test-permission-fs-supported.js > ++++ b/test/parallel/test-permission-fs-supported.js > +@@ -77,7 +77,22 @@ const ignoreList = [ > + 'unwatchFile', > + ...syncAndAsyncAPI('lstat'), > + ...syncAndAsyncAPI('realpath'), > +- // fd required methods > ++ // File descriptor–based metadata operations > ++ // > ++ // The kernel does not allow opening a file descriptor for an inode > ++ // with write access if the inode itself is read-only. However, it still > ++ // permits modifying the inode’s metadata (e.g., permission bits, > ownership, > ++ // timestamps) because you own the file. These changes can be made either > ++ // by referring to the file by name (e.g., chmod) or through any existing > ++ // file descriptor that identifies the same inode (e.g., fchmod). > ++ // > ++ // If the kernel required write access to change metadata, it would be > ++ // impossible to modify the permissions of a file once it was made > read-only. > ++ // For that reason, syscalls such as fchmod, fchown, and futimes bypass > ++ // the file descriptor’s access mode. 
Even a read-only ('r') descriptor > ++ // can still update metadata. To prevent unintended modifications, > ++ // these APIs are therefore blocked by default when permission model is > ++ // enabled. > + ...syncAndAsyncAPI('close'), > + ...syncAndAsyncAPI('fchown'), > + ...syncAndAsyncAPI('fchmod'), > +-- > +2.43.7 > diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb > b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb > index d757a7395c..67574a2ec1 100644 > --- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb > +++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb > @@ -29,6 +29,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz > \ > file://zlib-fix-pointer-alignment.patch \ > file://0001-src-fix-build-with-GCC-15.patch \ > file://run-ptest \ > + file://CVE-2025-55132.patch \ > " > SRC_URI:append:class-target = " \ > file://0001-Using-native-binaries.patch \ > -- > 2.44.1 > > > >
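Review bot: The embedded patch header reads `Subject: [PATCH 1/5] lib: disable futimes when permission model is enabled`, so this backport appears to carry only the first patch of the upstream node-private series; whether the other four patches are part of the CVE-2025-55132 fix or unrelated follow-ups is not visible here, and the recipe commit message should say which so the CVE status of nodejs_20.18.2 is not overstated. The `CVE:` and `Upstream-Status: Backport [...]` tags are present, which is good. Since the mail client has wrapped several of the added lines (for example the `'fdatasync API is disabled when Permission Model is enabled.'` literal and the `// File descriptor–based metadata operations` comment block are split across lines in the message), the committed CVE-2025-55132.patch file should be checked to apply cleanly against the 20.18.2 source rather than the wrapped text shown here. Note also that in `fdatasync` and `fsync` the new check runs after `req.oncomplete = makeCallback(callback)` and invokes the raw `callback` synchronously, while `futimes` calls the already-wrapped callback; that is upstream's code and should stay verbatim in a backport, but it is a visible inconsistency between the three hunks.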
