Bug 589304 - <net-dns/libidn-1.33: out-of-bounds read (CVE-2015-8948,CVE-2016-{6261,6262,6263})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q3/119
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-8948, CVE-2016-6261, CVE-2016-6262, CVE-2016-6263
Reported: 2016-07-21 06:15 UTC by Jeroen Roovers (RETIRED)
Modified: 2018-03-27 02:34 UTC
Description Jeroen Roovers (RETIRED) gentoo-dev 2016-07-21 06:15:29 UTC
Arch teams, please test and mark stable:
=net-dns/libidn-1.32-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-21 06:20:22 UTC
Libidn NEWS -- History of user-visible changes.                 -*- outline -*-
Copyright (C) 2002-2016 Simon Josefsson
See the end for copying conditions.

* Version 1.33 (released 2016-07-20) [beta]

** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
See tests/tst_toascii64oob.c for regression check (and the comment in
it how to use it).  Reported by Hanno Böck <hanno@hboeck.de>.

** idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline.  Reported by Hanno Böck <hanno@hboeck.de>.

** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
It was always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data.  Reported by Hanno Böck.

** Dropped valgrind suppressions file, should no longer be needed.

** API and ABI is backwards compatible with the previous version.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-23 06:45:11 UTC
Stable for HPPA PPC64.
Comment 3 Markus Meier gentoo-dev 2016-07-24 18:42:22 UTC
arm stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-26 12:41:03 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-27 06:56:24 UTC
Stable for AMD64 x86.
Comment 6 Agostino Sarubbo gentoo-dev 2016-09-29 09:37:12 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-09-29 12:37:59 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 13:30:27 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-01 09:35:27 UTC
(In reply to Tobias Klausmann from comment #4)
> Stable on alpha.

commit d6dafb3fe044e95fdc1d71c343c0848c0849fe8e
Author: Tobias Klausmann <klausman@gentoo.org>
Date:   Tue Jul 26 14:40:59 2016 +0200

    net-dns/libidn-1.32-r1: add alpha keyword

    Gentoo-Bug: 589304

That was the wrong version.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-01 09:36:04 UTC
(In reply to Agostino Sarubbo from comment #8)
> ia64 stable.
> 
> Maintainer(s), please cleanup.

Keywords for net-dns/libidn:
           | a a a h i p p s x m a m n r s s | e u s | r
           | l m r p a p p p 8 i r 6 i i 3 h | a n l | e
           | p d m p 6 c c a 6 p m 8 o s 9   | p u o | p
           | h 6   a 4   6 r   s 6 k s c 0   | i s t | o
           | a 4         4 c     4   2 v     |   e   |
           |                                 |   d   |
-----------+---------------------------------+-------+-------
1.30       | + + + + + + + + + ~ ~ ~ o o ~ ~ | 5 # 0 | gentoo
1.32-r1    | + ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ o o ~ ~ | 5 o   | gentoo
[I]1.33    | ~ + + + + + + + + ~ ~ ~ o o ~ ~ | 6 o   | gentoo
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-10-01 17:41:41 UTC
(In reply to Jeroen Roovers from comment #9)
> (In reply to Tobias Klausmann from comment #4)
> > Stable on alpha.
> 
> commit d6dafb3fe044e95fdc1d71c343c0848c0849fe8e
> Author: Tobias Klausmann <klausman@gentoo.org>
> Date:   Tue Jul 26 14:40:59 2016 +0200
> 
>     net-dns/libidn-1.32-r1: add alpha keyword
> 
>     Gentoo-Bug: 589304
> 
> That was the wrong version.

Fixed.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-11 12:47:39 UTC
GLSA Vote: No
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-11-11 12:47:48 UTC
CVE-2016-6263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6263):
  The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before
  1.33 allows context-dependent attackers to cause a denial of service
  (out-of-bounds read and crash) via crafted UTF-8 data.

CVE-2016-6262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6262):
  idn in libidn before 1.33 might allow remote attackers to obtain sensitive
  memory information by reading a zero byte as input, which triggers an
  out-of-bounds read, a different vulnerability than CVE-2015-8948.

CVE-2016-6261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6261):
  The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows
  context-dependent attackers to cause a denial of service (out-of-bounds read
  and crash) via 64 bytes of input.
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 02:12:36 UTC
Removing aliases for tracker