The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data. This code is also present in glibc and unpatched there.
CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-6263
libidn upstream fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
@security, can we add to CVE please.
Gentoo Security Padawan
Daj Uan (jmbailey)
Patch added in gentoo/2.25 and gentoo/2.26 branch
(In reply to Andreas K. Hüttel from comment #2)
> Patch added in gentoo/2.25 and gentoo/2.26 branch
Reverted this, since it makes the build fail (the patch relies on additional code added in libidn in the meantime).
See also https://sourceware.org/ml/libc-alpha/2018-01/msg00335.html
Fixed upstream in 2.28 (to be released still)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e74c8209d768782485ad0f32ab57cf0bd21ca83
commit 9e74c8209d768782485ad0f32ab57cf0bd21ca83
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2018-06-17 17:22:24 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2018-06-17 17:22:38 +0000
    sys-libs/glibc: Add libidn2 dependency.
    The getaddrinfo function, when called with the AI_IDN or AI_CANONIDN flags, will use the system libidn2 library to perform IDNA encoding. Version 2.0.5 or later is recommended, otherwise there will be some failures in the glibc test suite.
    Bug: https://bugs.gentoo.org/635012
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
 sys-libs/glibc/glibc-9999.ebuild | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
All affected packages are masked. No cleanup (toolchain package). Security please proceed.
This issue was resolved and addressed in GLSA 201908-06 at https://security.gentoo.org/glsa/201908-06 by GLSA coordinator Aaron Bauman (b-man).