Bug 697752 (CVE-2019-12290, CVE-2019-18224)

Summary:	<net-dns/libidn2-2.2.0: multiple vulnerabilities (CVE-2019-{18224,12290})
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	Flags:	stable-bot: sanity-check+
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de
Whiteboard:	A2 [glsa+ cve]
Package list:	=net-dns/libidn2-2.3.0	Runtime testing required:	---

Description Jeroen Roovers (RETIRED) gentoo-dev

2019-10-15 08:34:49 UTC

Libidn2 NEWS -- History of user-visible changes.                -*- outline -*-
Copyright (C) 2011-2017 Simon Josefsson
Copyright (C) 2018-2019 Tim Ruehsen
See the end for copying conditions.

* Version 2.x.x (unreleased)

** Mitre has assigned CVE-2019-12290 which was fixed by
   the roundtrip feature introduced in 2.2.0 (commit 241e8f48)

** Update the data tables from Unicode 6.3.0 to Unicode 11.0


* Version 2.2.0 (released 2019-05-23)

** Perform A-Label roundtrip for lookup functions by default
[...]

That's mentioned in commit [1].

The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME might need to be bumped because _idn2_punycode_decode was removed, or some symbols might need to be reinstated (this happens a lot with libidn/libidn2).


[1] https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
[2] https://gitlab.com/libidn/libidn2/issues/74

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 17:58:49 UTC

@ maintainer(s): How about rev bumping and adding https://gitlab.com/fweimer/libidn2/commit/fdd3b791c23d366c89264b15b50aeb5bb98ad1ce ?

Comment 2 Andreas K. Hüttel archtester

2019-11-27 19:16:31 UTC

(In reply to Jeroen Roovers from comment #0)
> 
> The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME
> might need to be bumped because _idn2_punycode_decode was removed, or some
> symbols might need to be reinstated (this happens a lot with libidn/libidn2).
> 

That part is fixed in 2.3.0, so we should probably go for 2.3.0 instead.

Has also the advantage of Unicode 11, bringing libidn2 back in step with glibc, and of fixing the related failures in the glibc test suite.

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2019-11-27 21:18:41 UTC

(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Jeroen Roovers from comment #0)
> > 
> > The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME
> > might need to be bumped because _idn2_punycode_decode was removed, or some
> > symbols might need to be reinstated (this happens a lot with libidn/libidn2).
> > 
> 
> That part is fixed in 2.3.0, so we should probably go for 2.3.0 instead.

Yes, hence the change dated 2019-11-14...

Comment 4 Mart Raudsepp gentoo-dev

2020-03-17 13:03:16 UTC

arm64 stable

Comment 5 Rolf Eike Beer archtester

2020-03-17 18:30:04 UTC

hppa/sparc stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-03-17 18:44:56 UTC

amd64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-03-18 09:46:14 UTC

arm stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-03-18 09:49:36 UTC

s390 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-03-18 11:12:09 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-03-18 11:18:30 UTC

ppc64 stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-03-18 11:31:33 UTC

ia64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2020-03-18 15:22:25 UTC

x86 stable

Comment 13 Mikle Kolyada (RETIRED) archtester

2020-03-26 14:07:34 UTC

SuperH port disbanded.

Comment 14 Larry the Git Cow gentoo-dev

2020-03-29 10:25:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587cf62ba1aa7f20122547ae627532e544a91168

commit 587cf62ba1aa7f20122547ae627532e544a91168
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-29 10:24:58 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-29 10:25:01 +0000

    net-dns/libidn2: destabilize down to ~m68k
    
    Bug: https://bugs.gentoo.org/697752
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 net-dns/libidn2/libidn2-2.1.1a-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev

2020-03-29 10:25:44 UTC

Destabilized down to ~m68k.

Comment 16 Sam James archtester

2020-03-29 17:49:19 UTC

@maintainer(s), please cleanup

Comment 17 Larry the Git Cow gentoo-dev

2020-03-30 04:03:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5973465138e4612bffbc5f71285dc0e403f3c2f7

commit 5973465138e4612bffbc5f71285dc0e403f3c2f7
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-03-30 04:03:08 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-03-30 04:03:29 +0000

    net-dns/libidn2: Old
    
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=697752
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-dns/libidn2/Manifest                 |  1 -
 net-dns/libidn2/libidn2-2.1.1a-r1.ebuild | 53 --------------------------------
 2 files changed, 54 deletions(-)

Comment 18 Sam James archtester

2020-03-30 11:16:41 UTC

Thanks everyone.

Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-30 14:21:44 UTC

Adding CVE-2019-18224.


New GLSA request filed.

Comment 20 GLSAMaker/CVETool Bot gentoo-dev

2020-03-30 14:47:38 UTC

This issue was resolved and addressed in
 GLSA 202003-63 at https://security.gentoo.org/glsa/202003-63
by GLSA coordinator Thomas Deutschmann (whissi).