Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635012 (CVE-2016-6263b)

Summary: <sys-libs/glibc-2.28 : denial of service (out-of-bounds read and crash) via crafted UTF-8 data (CVE-2016-6263)
Product: Gentoo Security Reporter: Andreas K. Hüttel <dilfridge>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=22334
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Andreas K. Hüttel archtester gentoo-dev 2017-10-21 18:20:51 UTC 
The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.

This code is also present in glibc and unpatched there.

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2016-6263

libidn upstream fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
Comment 1 D'juan McDonald (domhnall) 2017-10-22 08:15:42 UTC 
@security, can we add to CVE please. 

Gentoo Security Padawan
Daj Uan (jmbailey)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-10-25 21:54:31 UTC 
Patch added in gentoo/2.25 and gentoo/2.26 branch
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-10-27 23:16:21 UTC 
(In reply to Andreas K. Hüttel from comment #2)
> Patch added in gentoo/2.25 and gentoo/2.26 branch

Reverted this, since it makes the build fail (the patch relies on additional code added in libidn in the meantime).
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2018-01-17 22:41:36 UTC 
See also https://sourceware.org/ml/libc-alpha/2018-01/msg00335.html
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2018-05-25 18:17:28 UTC 
Fixed upstream in 2.28 (to be released still)
Comment 6 Larry the Git Cow gentoo-dev 2018-06-17 17:22:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e74c8209d768782485ad0f32ab57cf0bd21ca83

commit 9e74c8209d768782485ad0f32ab57cf0bd21ca83
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2018-06-17 17:22:24 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2018-06-17 17:22:38 +0000

    sys-libs/glibc: Add libidn2 dependency.
    
    The getaddrinfo function, when called with the AI_IDN or AI_CANONIDN flags,
    will use the system libidn2 library to perform IDNA encoding. Version 2.0.5
    or later is recommended, otherwise there will be some failures in the glibc
    test suite.
    
    Bug: https://bugs.gentoo.org/635012
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-libs/glibc/glibc-9999.ebuild | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2019-05-01 18:49:03 UTC 
All affected packages are masked. No cleanup (toolchain package).
Security please proceed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:40:04 UTC 
This issue was resolved and addressed in
 GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06
by GLSA coordinator Aaron Bauman (b-man).