Bug 632556 (CVE-2017-14062bis) - <sys-libs/glibc-2.25-r7 : libcidn.so: Integer overflow results in denial of service (CVE-2017-14062)
Summary: <sys-libs/glibc-2.25-r7 : libcidn.so: Integer overflow results in denial of s...
Status: RESOLVED FIXED
Alias: CVE-2017-14062bis
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: 637140 CVE-2018-6551
Blocks:
Reported: 2017-09-30 16:19 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-04-04 01:55 UTC

See Also:
Package list:
Runtime testing required: ---


Description Aleksandr Wagner (Kivak) 2017-09-30 16:19:40 UTC
In bug 629466 Jeroen Roovers found that sys-libs/glibc is vulnerable to the same CVE as net-dns/libidn in bug 631130.

References:
https://bugs.gentoo.org/629466#c8
https://bugs.gentoo.org/631130
https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8;hp=13f07cbf364869842864b082cddeace2f57f3805

@Maintainer(s): Please confirm if this package is vulnerable to this CVE, thank you.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-05 09:51:39 UTC
I posted a patch in bug #629466 comment #9 that simply disables building and installing libcidn.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2017-10-05 10:27:14 UTC
(In reply to Jeroen Roovers from comment #1)
> I posted a patch in bug #629466 comment #9 that simply disables building and
> installing libcidn.

Let's do that in 2.26, once I've read up on it. 

In 2.25, this shortly before stabilization, I'll still add the libidn patch.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-10-05 20:38:36 UTC
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Jeroen Roovers from comment #1)
> > I posted a patch in bug #629466 comment #9 that simply disables building and
> > installing libcidn.
> 
> Let's do that in 2.26, once I've read up on it. 
> 
> In 2.25, this short before the stabilization, I'll still add the libidn
> patch.

What about other libidn vulnerabilities that were never fixed in glibc upstream or in Gentoo patchsets since 2004?

Like I said before, literally no one is using libcidn so it should be simply removed.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2017-10-05 20:53:28 UTC
(In reply to Jeroen Roovers from comment #3)
> 
> What about other libidn vulnerabilities that were never fixed in glibc
> upstream or in Gentoo patchsets since 2004?

I poked glibc upstream in the eye about it. Let's see if anything happens.

(They have a tiny political problem because libidn changed license in the meantime...)

> Like I said before, literally no one is using libcidn so it should be simply
> removed.

That's what I initially thought as well, but it's dynamically loaded by glibc's getaddrinfo on demand.

(Which is also why glibc upstream wants to do away with the add-on mechanism and hard-add it...)
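The point made in comment 4, that nothing links against libcidn but glibc's getaddrinfo pulls it in at runtime, can be checked directly on a host. The program below is an added example written for this page; it is not code from the bug report, from glibc or from libidn. It sets AI_IDN on a constructed, non-existent host name (bücher.example) and reads /proc/self/maps before and after the call to show which IDN object the loader mapped into the process. A DNS failure (EAI_NONAME, EAI_AGAIN) is expected and does not matter, because the IDNA conversion runs before any lookup. On the glibc 2.25/2.26 line discussed here the object that appears is libcidn.so.1 (shown in the maps under its real file name, hence the short "libcidn" needle); glibc 2.28 and later removed the add-on and dlopen libidn2.so.0 instead, and only for names that actually contain non-ASCII bytes, which is what the name_has_non_ascii helper classifies.

```c
/* idnprobe.c: does getaddrinfo(AI_IDN) load an IDN library into this process?
 * Added example for this page; not part of the bug report or of glibc.
 * Build: gcc -Wall -o idnprobe idnprobe.c
 */
#define _GNU_SOURCE             /* exposes AI_IDN in <netdb.h> on glibc */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef AI_IDN
#define AI_IDN 0x0040           /* glibc's value; other libcs just reject it */
#endif

/* Scan /proc/self/maps for a mapped object whose path contains needle.
 * Returns 1 if found, 0 if not (or if /proc is unavailable). */
static int lib_is_mapped(const char *needle)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return 0;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strstr(line, needle) != NULL) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* 1 if the host name contains any byte outside 7-bit ASCII, else 0.
 * glibc >= 2.28 skips the IDN library entirely for all-ASCII names. */
static int name_has_non_ascii(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p >= 0x80)
            return 1;
    return 0;
}

/* Ask getaddrinfo to IDNA-encode the name itself by setting AI_IDN.
 * The conversion happens before any DNS query, so a lookup failure still
 * means the IDN code path ran. Returns the getaddrinfo() status code. */
static int resolve_with_idn(const char *name)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_IDN;
    int rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    /* Constructed sample name with a non-ASCII label (UTF-8 "bücher");
     * the hex escape is split so "\xbc" is not followed by a hex digit. */
    const char *name = argc > 1 ? argv[1] : "b\xc3\xbc" "cher.example";
    const char *libs[] = { "libcidn", "libidn2" };
    size_t i;

    printf("non-ascii name: %d\n", name_has_non_ascii(name));
    printf("before: ");
    for (i = 0; i < sizeof libs / sizeof libs[0]; i++)
        printf("%s=%d ", libs[i], lib_is_mapped(libs[i]));
    printf("\n");

    int rc = resolve_with_idn(name);
    printf("getaddrinfo(%s, AI_IDN) -> %d (%s)\n", name, rc,
           rc == 0 ? "ok" : gai_strerror(rc));

    printf("after:  ");
    for (i = 0; i < sizeof libs / sizeof libs[0]; i++)
        printf("%s=%d ", libs[i], lib_is_mapped(libs[i]));
    printf("\n");
    return 0;
}
```

Running it as `LD_DEBUG=libs ./idnprobe 2>&1 | grep -i idn` additionally shows the dynamic loader's own "find library" lines for the object it opened, which is the quickest way to confirm on a given box whether the installed glibc still reaches for libcidn.so.1 or already uses libidn2.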
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-11-29 12:00:27 UTC
All vulnerable versions are masked. No further cleanup (toolchain package). 
Nothing to do for toolchain here anymore.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:55:10 UTC
This issue was resolved and addressed in GLSA 201804-02 at https://security.gentoo.org/glsa/201804-02 by GLSA coordinator Aaron Bauman (b-man).