In bug 629466 Jeroen Roovers found that sys-libs/glibc is vulnerable to the same CVE that net-dns/libidn is in bug 631130.

References:
https://bugs.gentoo.org/629466#c8
https://bugs.gentoo.org/631130
https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8;hp=13f07cbf364869842864b082cddeace2f57f3805

@Maintainer(s): Please confirm if this package is vulnerable to this CVE, thank you.
I posted a patch in bug #629466 comment #9 that simply disables building and installing libcidn.
(In reply to Jeroen Roovers from comment #1)
> I posted a patch in bug #629466 comment #9 that simply disables building and
> installing libcidn.

Let's do that in 2.26, once I've read up on it.

In 2.25, this shortly before the stabilization, I'll still add the libidn patch.
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Jeroen Roovers from comment #1)
> > I posted a patch in bug #629466 comment #9 that simply disables building and
> > installing libcidn.
>
> Let's do that in 2.26, once I've read up on it.
>
> In 2.25, this short before the stabilization, I'll still add the libidn
> patch.

What about other libidn vulnerabilities that were never fixed in glibc upstream or in Gentoo patchsets since 2004?

Like I said before, literally no one is using libcidn so it should be simply removed.
(In reply to Jeroen Roovers from comment #3)
> What about other libidn vulnerabilities that were never fixed in glibc
> upstream or in Gentoo patchsets since 2004?

I poked glibc upstream in the eye about it. Let's see if anything happens. (They have a tiny political problem because libidn changed license in the meantime...)

> Like I said before, literally no one is using libcidn so it should be simply
> removed.

That's what I initially thought as well, but it's dynamically loaded by glibc's getaddrinfo on demand. (Which is also why glibc upstream wants to do away with the add-on mechanism and hard-add it...)
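Because comment #4 notes that libcidn is not linked by anything but is dlopen'ed by glibc's getaddrinfo on demand, a plain `ldd` audit of binaries will not reveal whether a host still carries the bundled copy. The following shell function is an added example (not part of this bug or of any Gentoo patch) that audits a list of library directories for libcidn shared objects so an administrator can verify the add-on is gone after the patch or the 2.26 removal; the directory list and the `libcidn*.so*` file-name pattern are assumptions, and the self-test at the bottom uses a constructed temporary directory, not real system files.

```shell
#!/bin/sh
# audit_libcidn DIR... : search the given library directories for libcidn
# shared objects (the glibc-bundled libidn copy loaded on demand by
# getaddrinfo). Prints every match and returns 1 if any were found, 0 if the
# directories are clean. The name pattern is an assumption about how the
# add-on is installed; adjust it if your distribution names it differently.
audit_libcidn() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in $(find "$dir" -maxdepth 2 -name 'libcidn*.so*' 2>/dev/null); do
            printf 'libcidn present: %s\n' "$f"
            found=1
        done
    done
    return "$found"
}

# Self-test on a constructed directory tree (no real system files touched).
selftest_libcidn() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/clean" "$tmp/dirty"
    : > "$tmp/dirty/libcidn.so.1"          # constructed fake add-on object
    if audit_libcidn "$tmp/clean" >/dev/null; then clean_rc=0; else clean_rc=1; fi
    if audit_libcidn "$tmp/dirty" >/dev/null; then dirty_rc=0; else dirty_rc=1; fi
    rm -rf "$tmp"
    # expect clean -> 0 (nothing found), dirty -> 1 (libcidn present)
    [ "$clean_rc" -eq 0 ] && [ "$dirty_rc" -eq 1 ]
}

# Typical use on a live host (directory list is an assumption):
#   audit_libcidn /lib /lib64 /usr/lib /usr/lib64 && echo "no libcidn found"
```

The function only reports presence; on a host where `audit_libcidn` returns 1, the usual remediation path from this thread applies (upgrade to a patched or libcidn-free glibc), and the check can be rerun afterwards to confirm the object is gone.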
All vulnerable versions are masked. No further cleanup (toolchain package). Nothing to do for toolchain here anymore.
This issue was resolved and addressed in GLSA 201804-02 at https://security.gentoo.org/glsa/201804-02 by GLSA coordinator Aaron Bauman (b-man).