new file mode 100644
@@ -0,0 +1,178 @@
+From b89fc3633ec12b6d1da5b9978e6bb1c5fbacf021 Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Tue, 21 Oct 2025 18:25:31 -0300
+Subject: [PATCH 1/5] lib: disable futimes when permission model is enabled
+
+Refs: https://hackerone.com/reports/3390084
+PR-URL: https://github.com/nodejs-private/node-private/pull/748
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+CVE-ID: CVE-2025-55132
+
+CVE: CVE-2025-55132
+Upstream-Status: Backport [https://github.com/nodejs/node/commit/ebbf942a83bc]
+
+(cherry picked from commit ebbf942a83bc70d90a3bcb6712c7b67bc479fdf5)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ lib/fs.js | 24 ++++++++++
+ test/fixtures/permission/fs-write.js | 47 ++++++++++++++++++-
+ test/parallel/test-permission-fs-supported.js | 17 ++++++-
+ 3 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fs.js b/lib/fs.js
+index 64f0b5e88ed..9206a18663c 100644
+--- a/lib/fs.js
++++ b/lib/fs.js
+@@ -1274,6 +1274,11 @@ function rmSync(path, options) {
+ function fdatasync(fd, callback) {
+ const req = new FSReqCallback();
+ req.oncomplete = makeCallback(callback);
++
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('fdatasync API is disabled when Permission Model is enabled.'));
++ return;
++ }
+ binding.fdatasync(fd, req);
+ }
+
+@@ -1285,6 +1290,9 @@ function fdatasync(fd, callback) {
+ * @returns {void}
+ */
+ function fdatasyncSync(fd) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('fdatasync API is disabled when Permission Model is enabled.');
++ }
+ binding.fdatasync(fd);
+ }
+
+@@ -1298,6 +1306,10 @@ function fdatasyncSync(fd) {
+ function fsync(fd, callback) {
+ const req = new FSReqCallback();
+ req.oncomplete = makeCallback(callback);
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('fsync API is disabled when Permission Model is enabled.'));
++ return;
++ }
+ binding.fsync(fd, req);
+ }
+
+@@ -1308,6 +1320,9 @@ function fsync(fd, callback) {
+ * @returns {void}
+ */
+ function fsyncSync(fd) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('fsync API is disabled when Permission Model is enabled.');
++ }
+ binding.fsync(fd);
+ }
+
+@@ -2164,6 +2179,11 @@ function futimes(fd, atime, mtime, callback) {
+ mtime = toUnixTimestamp(mtime, 'mtime');
+ callback = makeCallback(callback);
+
++ if (permission.isEnabled()) {
++ callback(new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.'));
++ return;
++ }
++
+ const req = new FSReqCallback();
+ req.oncomplete = callback;
+ binding.futimes(fd, atime, mtime, req);
+@@ -2179,6 +2199,10 @@ function futimes(fd, atime, mtime, callback) {
+ * @returns {void}
+ */
+ function futimesSync(fd, atime, mtime) {
++ if (permission.isEnabled()) {
++ throw new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.');
++ }
++
+ binding.futimes(
+ fd,
+ toUnixTimestamp(atime, 'atime'),
+diff --git a/test/fixtures/permission/fs-write.js b/test/fixtures/permission/fs-write.js
+index 31e96860972..4b98b6d2b78 100644
+--- a/test/fixtures/permission/fs-write.js
++++ b/test/fixtures/permission/fs-write.js
+@@ -490,4 +490,49 @@ const relativeProtectedFolder = process.env.RELATIVEBLOCKEDFOLDER;
+ }, {
+ code: 'ERR_ACCESS_DENIED',
+ });
+-}
+\ No newline at end of file
++}
++
++// fs.utimes with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ const date = new Date();
++ date.setFullYear(2100,0,1);
++
++ fs.futimes(fd, date, date, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
++ }));
++ fs.futimesSync(fd, date, date);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
++
++// fs.fdatasync with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ fs.fdatasync(fd, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
++ }));
++ fs.fdatasyncSync(fd);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
++
++// fs.fsync with read-only fd
++{
++ assert.throws(() => {
++ // blocked file is allowed to read
++ const fd = fs.openSync(blockedFile, 'r');
++ fs.fsync(fd, common.expectsError({
++ code: 'ERR_ACCESS_DENIED',
++ }));
++ fs.fsyncSync(fd);
++ }, {
++ code: 'ERR_ACCESS_DENIED',
++ });
++}
+diff --git a/test/parallel/test-permission-fs-supported.js b/test/parallel/test-permission-fs-supported.js
+index 1062117798b..805365f28b3 100644
+--- a/test/parallel/test-permission-fs-supported.js
++++ b/test/parallel/test-permission-fs-supported.js
+@@ -77,7 +77,22 @@ const ignoreList = [
+ 'unwatchFile',
+ ...syncAndAsyncAPI('lstat'),
+ ...syncAndAsyncAPI('realpath'),
+- // fd required methods
++ // File descriptor–based metadata operations
++ //
++ // The kernel does not allow opening a file descriptor for an inode
++ // with write access if the inode itself is read-only. However, it still
++ // permits modifying the inode’s metadata (e.g., permission bits, ownership,
++ // timestamps) because you own the file. These changes can be made either
++ // by referring to the file by name (e.g., chmod) or through any existing
++ // file descriptor that identifies the same inode (e.g., fchmod).
++ //
++ // If the kernel required write access to change metadata, it would be
++ // impossible to modify the permissions of a file once it was made read-only.
++ // For that reason, syscalls such as fchmod, fchown, and futimes bypass
++ // the file descriptor’s access mode. Even a read-only ('r') descriptor
++ // can still update metadata. To prevent unintended modifications,
++ // these APIs are therefore blocked by default when permission model is
++ // enabled.
+ ...syncAndAsyncAPI('close'),
+ ...syncAndAsyncAPI('fchown'),
+ ...syncAndAsyncAPI('fchmod'),
+--
+2.43.7
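Review bot: The subject line and the rationale comment added to test-permission-fs-supported.js speak only of metadata calls (fchmod, fchown, futimes), yet the lib/fs.js hunks also refuse `fsync`/`fdatasync` and their Sync variants, and no visible line says why. Every guard keys only on `permission.isEnabled()`, so the refusal is unconditional: code that syncs files under the Permission Model will presumably start receiving `ERR_ACCESS_DENIED` after this backport even where write access was granted, which deserves a line in the patch header or the recipe's change notes. Above the `futimes` guard I would add `// Refused outright under the Permission Model: a read-only fd can still update inode metadata (CVE-2025-55132).`, and ask the author for the matching rationale on the fsync/fdatasync guards. The checks live in the JS wrappers rather than at `binding.*`, and the patch adds no require, so confirm in the target tree that no other caller reaches `binding.futimes`, `binding.fsync` or `binding.fdatasync` unguarded and that `permission` and `ERR_ACCESS_DENIED` are already in scope in this version's lib/fs.js. In `fdatasync` and `fsync` the check could also move above `new FSReqCallback()`, as the `futimes` hunk already does.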
@@ -29,6 +29,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
file://zlib-fix-pointer-alignment.patch \
file://0001-src-fix-build-with-GCC-15.patch \
file://run-ptest \
+ file://CVE-2025-55132.patch \
"
SRC_URI:append:class-target = " \
file://0001-Using-native-binaries.patch \