CVE-2025-47153: out-of-bounds access in some 32-bit builds of Node.js

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://lists.debian.org/debian-lts-announce/2025/05/msg00003.html announces:

   Node.js a popular server side javascript engine was affected by
   a vulnerability on 32bits architecture.

   Build processes for libuv and Node.js for 32-bit systems,
   have an inconsistent off_t size (e.g., building on i386 Debian always uses
   _FILE_OFFSET_BITS=64 for the libuv dynamic library,
   but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs),
   leading to out-of-bounds access.

[I thought this was interesting to bring to the list since I don't remember
 seeing _FILE_OFFSET_BITS mismatches assigned CVE ids in the past, though
 they clearly cause differing size calculations for 'struct stat' instances.
 One can easily imagine _TIME_BITS mismatches having the same effect as 32-bit
 builders start rolling out 64-bit time support to prepare for the year 2038.]

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris