[Bug libc/19729] New: out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

[Bug libc/19729] New: out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

            Bug ID: 19729
           Summary: out of bounds heap read on invalid utf-8 inputs in
                    stringprep_utf8_nfkc_normalize
           Product: glibc
           Version: 2.23
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: hanno at hboeck dot de
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9039
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9039&action=edit
sample input.

libidn's stringprep_utf8_nfkc_normalize function may read out of bounds if an
invalid utf-8 string gets passed. glibc bundles libidn.

This has been fixed upstream here:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=1fbee57ef3c72db2206dd87e4162108b2f425555

Attached is a sample input that can be triggered with idn -n.

Found with american fuzzy lop.

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |network


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |fweimer at redhat dot com
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dilfridge at gentoo dot org

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 22334 has been marked as a duplicate of this bug. ***


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 22333 has been marked as a duplicate of this bug. ***


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|out of bounds heap read on  |out of bounds heap read on
                   |invalid utf-8 inputs in     |invalid utf-8 inputs in
                   |stringprep_utf8_nfkc_normal |stringprep_utf8_nfkc_normal
                   |ize                         |ize (CVE-2016-6263)
              Alias|                            |CVE-2016-6263


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  7f9f1ecb710eac4d65bb02785ddf288cac098323 (commit)
      from  5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f9f1ecb710eac4d65bb02785ddf288cac098323

commit 7f9f1ecb710eac4d65bb02785ddf288cac098323
Author: Florian Weimer <[hidden email]>
Date:   Wed May 23 15:26:19 2018 +0200

    Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247]

    This provides an implementation of the IDNA2008 standard and fixes
    CVE-2016-6261, CVE-2016-6263, CVE-2017-14062.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                            |   64 +
 LICENSES                             |   69 -
 NEWS                                 |   24 +-
 config.h.in                          |    3 -
 include/dlfcn.h                      |    2 +-
 include/idna.h                       |    8 -
 inet/Makefile                        |   12 +-
 inet/Versions                        |    2 +
 inet/getnameinfo.c                   |   56 +-
 inet/idna.c                          |  182 +
 inet/idna_name_classify.c            |   75 +
 inet/net-internal.h                  |   27 +
 inet/tst-idna_name_classify.c        |   73 +
 libidn/Makefile                      |   34 -
 libidn/Versions                      |    6 -
 libidn/gunicomp.h                    |  658 ---
 libidn/gunidecomp.h                  |10362 ----------------------------------
 libidn/iconvme.c                     |  171 -
 libidn/iconvme.h                     |   25 -
 libidn/idn-stub.c                    |  142 -
 libidn/idna.c                        |  834 ---
 libidn/idna.h                        |   96 -
 libidn/nfkc.c                        | 1057 ----
 libidn/profiles.c                    |  308 -
 libidn/punycode.c                    |  454 --
 libidn/punycode.h                    |  214 -
 libidn/rfc3454.c                     | 3544 ------------
 libidn/shlib-versions                |    1 -
 libidn/stringprep.c                  |  668 ---
 libidn/stringprep.h                  |  209 -
 libidn/toutf8.c                      |  150 -
 nscd/gai.c                           |    3 -
 resolv/Makefile                      |   24 +-
 resolv/netdb.h                       |   16 +-
 resolv/tst-no-libidn2.c              |    2 +
 resolv/tst-resolv-ai_idn-common.c    |  569 ++
 resolv/tst-resolv-ai_idn-latin1.c    |   50 +
 resolv/tst-resolv-ai_idn-nolibidn2.c |  151 +
 resolv/tst-resolv-ai_idn.c           |   49 +
 support/support_format_addrinfo.c    |    2 -
 sysdeps/posix/getaddrinfo.c          |   81 +-
 sysdeps/unix/inet/Subdirs            |    1 -
 sysdeps/unix/inet/configure          |    9 -
 sysdeps/unix/inet/configure.ac       |    7 -
 44 files changed, 1351 insertions(+), 19143 deletions(-)
 delete mode 100644 include/idna.h
 create mode 100644 inet/idna.c
 create mode 100644 inet/idna_name_classify.c
 create mode 100644 inet/tst-idna_name_classify.c
 delete mode 100644 libidn/Makefile
 delete mode 100644 libidn/Versions
 delete mode 100644 libidn/gunicomp.h
 delete mode 100644 libidn/gunidecomp.h
 delete mode 100644 libidn/iconvme.c
 delete mode 100644 libidn/iconvme.h
 delete mode 100644 libidn/idn-stub.c
 delete mode 100644 libidn/idna.c
 delete mode 100644 libidn/idna.h
 delete mode 100644 libidn/nfkc.c
 delete mode 100644 libidn/profiles.c
 delete mode 100644 libidn/punycode.c
 delete mode 100644 libidn/punycode.h
 delete mode 100644 libidn/rfc3454.c
 delete mode 100644 libidn/shlib-versions
 delete mode 100644 libidn/stringprep.c
 delete mode 100644 libidn/stringprep.h
 delete mode 100644 libidn/toutf8.c
 create mode 100644 resolv/tst-no-libidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn-common.c
 create mode 100644 resolv/tst-resolv-ai_idn-latin1.c
 create mode 100644 resolv/tst-resolv-ai_idn-nolibidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn.c
 delete mode 100644 sysdeps/unix/inet/configure
 delete mode 100644 sysdeps/unix/inet/configure.ac


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.28

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in 2.28.


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

--- Comment #5 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
If FIXED you presumably want to mark this bug (and 22247) as FIXED (and
set the milestone in the case of 22247).


[Bug network/19729] out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=19729

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to [hidden email] from comment #5)
> If FIXED you presumably want to mark this bug (and 22247) as FIXED (and
> set the milestone in the case of 22247).

I thought I did that?  But the Bugzilla updates took a very long time.
