Bug 697752 (CVE-2019-12290, CVE-2019-18224) - <net-dns/libidn2-2.2.0: multiple vulnerabilities (CVE-2019-{18224,12290})
Summary: <net-dns/libidn2-2.2.0: multiple vulnerabilities (CVE-2019-{18224,12290})
Status: RESOLVED FIXED
Alias: CVE-2019-12290, CVE-2019-18224
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.com/libidn/libidn2/com...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-15 08:34 UTC by Jeroen Roovers
Modified: 2020-03-30 14:47 UTC
Package list:
=net-dns/libidn2-2.3.0
Runtime testing required: ---
stable-bot: sanity-check+

Description Jeroen Roovers gentoo-dev 2019-10-15 08:34:49 UTC
Libidn2 NEWS -- History of user-visible changes.                -*- outline -*-
Copyright (C) 2011-2017 Simon Josefsson
Copyright (C) 2018-2019 Tim Ruehsen
See the end for copying conditions.

* Version 2.x.x (unreleased)

** Mitre has assigned CVE-2019-12290 which was fixed by
   the roundtrip feature introduced in 2.2.0 (commit 241e8f48)

** Update the data tables from Unicode 6.3.0 to Unicode 11.0


* Version 2.2.0 (released 2019-05-23)

** Perform A-Label roundtrip for lookup functions by default
[...]

That's mentioned in commit [1].

The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME might need to be bumped because _idn2_punycode_decode was removed, or some symbols might need to be reinstated (this happens a lot with libidn/libidn2).


[1] https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
[2] https://gitlab.com/libidn/libidn2/issues/74
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-26 17:58:49 UTC
@ maintainer(s): How about rev bumping and adding https://gitlab.com/fweimer/libidn2/commit/fdd3b791c23d366c89264b15b50aeb5bb98ad1ce ?
Comment 2 Andreas K. Hüttel gentoo-dev 2019-11-27 19:16:31 UTC
(In reply to Jeroen Roovers from comment #0)
> 
> The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME
> might need to be bumped because _idn2_punycode_decode was removed, or some
> symbols might need to be reinstated (this happens a lot with libidn/libidn2).
> 

That part is fixed in 2.3.0, so we should probably go for 2.3.0 instead.

Has also the advantage of Unicode 11, bringing libidn2 back in step with glibc, and of fixing the related failures in the glibc test suite.
Comment 3 Jeroen Roovers gentoo-dev 2019-11-27 21:18:41 UTC
(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Jeroen Roovers from comment #0)
> > 
> > The solution might be to stabilise 2.2.0 but [2] suggests that the SONAME
> > might need to be bumped because _idn2_punycode_decode was removed, or some
> > symbols might need to be reinstated (this happens a lot with libidn/libidn2).
> > 
> 
> That part is fixed in 2.3.0, so we should probably go for 2.3.0 instead.

Yes, hence the change dated 2019-11-14...
Comment 4 Mart Raudsepp gentoo-dev 2020-03-17 13:03:16 UTC
arm64 stable
Comment 5 Rolf Eike Beer 2020-03-17 18:30:04 UTC
hppa/sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-17 18:44:56 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-18 09:46:14 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-18 09:49:36 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-18 11:12:09 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-18 11:18:30 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-18 11:31:33 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-18 15:22:25 UTC
x86 stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:07:34 UTC
SuperH port disbanded.
Comment 14 Larry the Git Cow gentoo-dev 2020-03-29 10:25:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587cf62ba1aa7f20122547ae627532e544a91168

commit 587cf62ba1aa7f20122547ae627532e544a91168
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-29 10:24:58 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-29 10:25:01 +0000

    net-dns/libidn2: destabilize down to ~m68k
    
    Bug: https://bugs.gentoo.org/697752
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 net-dns/libidn2/libidn2-2.1.1a-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 Sergei Trofimovich gentoo-dev 2020-03-29 10:25:44 UTC
Destabilized down to ~m68k.
Comment 16 Sam James archtester gentoo-dev Security 2020-03-29 17:49:19 UTC
@maintainer(s), please clean up
Comment 17 Larry the Git Cow gentoo-dev 2020-03-30 04:03:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5973465138e4612bffbc5f71285dc0e403f3c2f7

commit 5973465138e4612bffbc5f71285dc0e403f3c2f7
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-03-30 04:03:08 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-03-30 04:03:29 +0000

    net-dns/libidn2: Old
    
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=697752
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-dns/libidn2/Manifest                 |  1 -
 net-dns/libidn2/libidn2-2.1.1a-r1.ebuild | 53 --------------------------------
 2 files changed, 54 deletions(-)
Comment 18 Sam James archtester gentoo-dev Security 2020-03-30 11:16:41 UTC
Thanks everyone.
Comment 19 Thomas Deutschmann gentoo-dev Security 2020-03-30 14:21:44 UTC
Adding CVE-2019-18224.


New GLSA request filed.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 14:47:38 UTC
This issue was resolved and addressed in
 GLSA 202003-63 at https://security.gentoo.org/glsa/202003-63
by GLSA coordinator Thomas Deutschmann (whissi).