CVE-2017-14062 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062): Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. References: https://gitlab.com/libidn/libidn2/blob/master/NEWS https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
CVE-2017-14061 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14061): Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. References: https://gitlab.com/libidn/libidn2/blob/master/NEWS https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself. Version 2.0.4 that is not vulnerable is in the tree.
Yes, why don't you?
I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a separate bug report?
Looking at the source of libidn I cannot locate the vulnerable file or code. This leads be to believe that libidn is not affected by CVE-2017-14062. The site http://www.gnu.org/software/libidn/#libidn2 also states that " Libidn2 is a standalone library, without any dependency on Libidn". Gentoo Security Padawan Kivak
(In reply to Aleksandr Wagner (Kivak) from comment #5) > Looking at the source of libidn I cannot locate the vulnerable file or code. > This leads be to believe that libidn is not affected by CVE-2017-14062. "A superficial glance did not reveal any risk." > The site http://www.gnu.org/software/libidn/#libidn2 also states that " > Libidn2 is a standalone library, without any dependency on Libidn". "A superficial glance did not reveal any risk." And yet: http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
(In reply to Jeroen Roovers from comment #4) > I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a > separate bug report? Can we now get back to this question?
Also sys-libs/glibc as its libidn/punycode.c (i.e. in 2.26-r1) does not have this patch.
I am not aware of any users of libcidn.so. Perhaps it shouldn't be installed at all or at the very least be made optional through a USE flag. Note that while libidn had a couple of security bugs through the years, the version in glibc has hardly seen updates. --- a/eclass/toolchain-glibc.eclass +++ b/eclass/toolchain-glibc.eclass @@ -782,7 +782,7 @@ glibc_do_configure() { pushd "${S}" > /dev/null local addons=$(echo */configure | sed \ -e 's:/configure::g' \ - -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \ + -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\|libidn\)\( \|$\)::g' \ -e 's: \+$::' \ -e 's! !,!g' \ -e 's!^!,!' \
(In reply to Jeroen Roovers from comment #6) My apologies, the package is indeed affected. I have opened a new bug 631130.
(In reply to Jeroen Roovers from comment #3)
(In reply to Aleksandr Wagner (Kivak) from comment #10) > (In reply to Jeroen Roovers from comment #6) > > My apologies, the package is indeed affected. I have opened a new bug 631130. No sys-libs/glibc bug?
(In reply to Jeroen Roovers from comment #12) > (In reply to Aleksandr Wagner (Kivak) from comment #10) > > (In reply to Jeroen Roovers from comment #6) > > > > My apologies, the package is indeed affected. I have opened a new bug 631130. > > No sys-libs/glibc bug? Done, opened in bug 632556
Do we stabilize =net-dns/libidn2-2.0.4 here? Worth populating 'Package list' field then. Or should arched be removed until things are settled here?
ia64/ppc/ppc64 stable
amd64 stable
arm stable
Stable on alpha.
x86 already stable via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/libidn2?id=190175abdc975280557d281608a528a80fa67117 @ Maintainer(s): Please cleanup!
tree is clean.
*** Bug 629460 has been marked as a duplicate of this bug. ***
*** Bug 629458 has been marked as a duplicate of this bug. ***
