https://lists.debian.org/debian-lts-announce/2025/05/msg00003.html announces:
Node.js a popular server side javascript engine was affected by
a vulnerability on 32bits architecture.
Build processes for libuv and Node.js for 32-bit systems,
have an inconsistent off_t size (e.g., building on i386 Debian always uses
_FILE_OFFSET_BITS=64 for the libuv dynamic library,
but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs),
leading to out-of-bounds access.
[I thought this was interesting to bring to the list since I don't remember
seeing _FILE_OFFSET_BITS mismatches assigned CVE ids in the past, though
they clearly cause differing size calculations for 'struct stat' instances.
One can easily imagine _TIME_BITS mismatches having the same effect as 32-bit
builders start rolling out 64-bit time support to prepare for the year 2038.]
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
