Bug 629466 (CVE-2017-14061, CVE-2017-14062) - <net-dns/libidn2-2.0.4: Multiple Integer overflows (CVE-2017-{14062,14061})
Summary: <net-dns/libidn2-2.0.4: Multiple Integer overflows (CVE-2017-{14062,14061})
Status: RESOLVED FIXED
Alias: CVE-2017-14061, CVE-2017-14062
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 629458 629460
Depends on:
Blocks:
 
Reported: 2017-08-31 16:38 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-12-02 23:31 UTC

See Also:
Package list:
=net-dns/libidn2-2.0.4
Runtime testing required: ---
stable-bot: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-08-31 16:38:34 UTC
CVE-2017-14062 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062):

Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. 

References:

https://gitlab.com/libidn/libidn2/blob/master/NEWS
https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
Comment 1 Aleksandr Wagner (Kivak) 2017-08-31 16:41:56 UTC
CVE-2017-14061 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14061):

Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. 

References:

https://gitlab.com/libidn/libidn2/blob/master/NEWS
https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-09-11 22:55:41 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Version 2.0.4 that is not vulnerable is in the tree.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-12 10:30:50 UTC
Yes, why don't you?
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-15 07:06:36 UTC
I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a separate bug report?
Comment 5 Aleksandr Wagner (Kivak) 2017-09-15 15:22:42 UTC
Looking at the source of libidn I cannot locate the vulnerable file or code. This leads me to believe that libidn is not affected by CVE-2017-14062.

The site http://www.gnu.org/software/libidn/#libidn2 also states that "Libidn2 is a standalone library, without any dependency on Libidn".

Gentoo Security Padawan
Kivak
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-16 11:21:16 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #5)
> Looking at the source of libidn I cannot locate the vulnerable file or code.
> This leads me to believe that libidn is not affected by CVE-2017-14062.

"A superficial glance did not reveal any risk."

> The site http://www.gnu.org/software/libidn/#libidn2 also states that "
> Libidn2 is a standalone library, without any dependency on Libidn".

"A superficial glance did not reveal any risk."

And yet:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-16 11:38:19 UTC
(In reply to Jeroen Roovers from comment #4)
> I think CVE-2017-14062 also affects net-dns/libidn. Would that warrant a
> separate bug report?

Can we now get back to this question?
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-16 12:33:58 UTC
Also sys-libs/glibc as its libidn/punycode.c (i.e. in 2.26-r1) does not have this patch.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-16 13:19:13 UTC
I am not aware of any users of libcidn.so. Perhaps it shouldn't be installed at all or at the very least be made optional through a USE flag. Note that while libidn had a couple of security bugs through the years, the version in glibc has hardly seen updates.

--- a/eclass/toolchain-glibc.eclass
+++ b/eclass/toolchain-glibc.eclass
@@ -782,7 +782,7 @@ glibc_do_configure() {
        pushd "${S}" > /dev/null
        local addons=$(echo */configure | sed \
                -e 's:/configure::g' \
-               -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \
+               -e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\|libidn\)\( \|$\)::g' \
                -e 's: \+$::' \
                -e 's! !,!g' \
                -e 's!^!,!' \
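Review bot: the changed `-e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\|libidn\)\( \|$\)::g'` line strips libidn from `addons` unconditionally, although the comment itself proposes making it optional through a USE flag at the very least. Consider gating the extra `\|libidn` alternative on a USE flag so that anyone who does depend on libcidn.so can still build it, and add a short comment above the sed call recording why libidn is excluded (the unpatched libidn/punycode.c mentioned in comment 8), since nothing in glibc_do_configure() explains the exclusion list.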
Comment 10 Aleksandr Wagner (Kivak) 2017-09-16 16:19:19 UTC
(In reply to Jeroen Roovers from comment #6)

My apologies, the package is indeed affected. I have opened a new bug 631130.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-30 08:33:16 UTC
(In reply to Jeroen Roovers from comment #3)
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-09-30 08:35:24 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #10)
> (In reply to Jeroen Roovers from comment #6)
> 
> My apologies, the package is indeed affected. I have opened a new bug 631130.

No sys-libs/glibc bug?
Comment 13 Aleksandr Wagner (Kivak) 2017-09-30 16:22:41 UTC
(In reply to Jeroen Roovers from comment #12)
> (In reply to Aleksandr Wagner (Kivak) from comment #10)
> > (In reply to Jeroen Roovers from comment #6)
> > 
> > My apologies, the package is indeed affected. I have opened a new bug 631130.
> 
> No sys-libs/glibc bug?

Done, opened in bug 632556
Comment 14 Sergei Trofimovich gentoo-dev 2017-10-02 12:15:13 UTC
Do we stabilize =net-dns/libidn2-2.0.4 here? Worth populating 'Package list' field then.
Or should arches be removed until things are settled here?
Comment 15 Sergei Trofimovich gentoo-dev 2017-10-03 08:59:17 UTC
ia64/ppc/ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-10-03 10:53:27 UTC
amd64 stable
Comment 17 Markus Meier gentoo-dev 2017-10-14 06:17:26 UTC
arm stable
Comment 18 Tobias Klausmann gentoo-dev 2017-10-22 21:51:51 UTC
Stable on alpha.
Comment 19 Thomas Deutschmann gentoo-dev Security 2017-10-23 17:59:02 UTC
x86 already stable via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-dns/libidn2?id=190175abdc975280557d281608a528a80fa67117


@ Maintainer(s): Please cleanup!
Comment 20 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 15:21:03 UTC
tree is clean.
Comment 21 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-02 23:30:46 UTC
*** Bug 629460 has been marked as a duplicate of this bug. ***
Comment 22 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-02 23:31:52 UTC
*** Bug 629458 has been marked as a duplicate of this bug. ***