Summary: | <net-dns/libidn2-2.0.4: Multiple Integer overflows(CVE-2017-{14062,14061}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Aleksandr Wagner (Kivak) <alwag> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ago, jer, slyfox, toolchain |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=629458 https://bugs.gentoo.org/show_bug.cgi?id=629460 https://bugs.gentoo.org/show_bug.cgi?id=624600 https://bugs.gentoo.org/show_bug.cgi?id=632556 |
||
Whiteboard: | B3 [noglsa cve] | ||
Package list: |
=net-dns/libidn2-2.0.4
|
Runtime testing required: | --- |
Description
Aleksandr Wagner (Kivak)
2017-08-31 16:38:34 UTC
CVE-2017-14061 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14061): Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. References: https://gitlab.com/libidn/libidn2/blob/master/NEWS https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself. Version 2.0.4 that is not vulnerable is in the tree. Yes, why don't you? I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a separate bug report? Looking at the source of libidn I cannot locate the vulnerable file or code. This leads be to believe that libidn is not affected by CVE-2017-14062. The site http://www.gnu.org/software/libidn/#libidn2 also states that " Libidn2 is a standalone library, without any dependency on Libidn". Gentoo Security Padawan Kivak (In reply to Aleksandr Wagner (Kivak) from comment #5) > Looking at the source of libidn I cannot locate the vulnerable file or code. > This leads be to believe that libidn is not affected by CVE-2017-14062. "A superficial glance did not reveal any risk." > The site http://www.gnu.org/software/libidn/#libidn2 also states that " > Libidn2 is a standalone library, without any dependency on Libidn". "A superficial glance did not reveal any risk." And yet: http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8 (In reply to Jeroen Roovers from comment #4) > I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a > separate bug report? Can we now get back to this question? Also sys-libs/glibc as its libidn/punycode.c (i.e. in 2.26-r1) does not have this patch. I am not aware of any users of libcidn.so. Perhaps it shouldn't be installed at all or at the very least be made optional through a USE flag. Note that while libidn had a couple of security bugs through the years, the version in glibc has hardly seen updates. --- a/eclass/toolchain-glibc.eclass +++ b/eclass/toolchain-glibc.eclass @@ -782,7 +782,7 @@ glibc_do_configure() { pushd "${S}" > /dev/null local addons=$(echo */configure | sed \ -e 's:/configure::g' \ - -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \ + -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\|libidn\)\( \|$\)::g' \ -e 's: \+$::' \ -e 's! !,!g' \ -e 's!^!,!' \ (In reply to Jeroen Roovers from comment #6) My apologies, the package is indeed affected. I have opened a new bug 631130. (In reply to Jeroen Roovers from comment #3) (In reply to Aleksandr Wagner (Kivak) from comment #10) > (In reply to Jeroen Roovers from comment #6) > > My apologies, the package is indeed affected. I have opened a new bug 631130. No sys-libs/glibc bug? (In reply to Jeroen Roovers from comment #12) > (In reply to Aleksandr Wagner (Kivak) from comment #10) > > (In reply to Jeroen Roovers from comment #6) > > > > My apologies, the package is indeed affected. I have opened a new bug 631130. > > No sys-libs/glibc bug? Done, opened in bug 632556 Do we stabilize =net-dns/libidn2-2.0.4 here? Worth populating 'Package list' field then. Or should arched be removed until things are settled here? ia64/ppc/ppc64 stable amd64 stable arm stable Stable on alpha. x86 already stable via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/libidn2?id=190175abdc975280557d281608a528a80fa67117 @ Maintainer(s): Please cleanup! tree is clean. *** Bug 629460 has been marked as a duplicate of this bug. *** *** Bug 629458 has been marked as a duplicate of this bug. *** |