[Bug libc/22247] New: CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

[Bug libc/22247] New: CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

            Bug ID: 22247
           Summary: CVE-2017-14062 : Integer overflow in the decode_digit
                    function in puny_decode.c in libidn
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: dilfridge at gentoo dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

In bug Gentoo-629466 [1] Jeroen Roovers found that glibc is vulnerable to the
same CVE-2017-14062 [2] as libidn is; see also bug Gentoo-632556 [3].

"Integer overflow in the decode_digit function in puny_decode.c in Libidn2
before 2.0.4 allows remote attackers to cause a denial of service or possibly
have unspecified other impact."

The backport to libidn-1, which should also apply to the glibc code, can be
found here [4].

[1] https://bugs.gentoo.org/show_bug.cgi?id=629466
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-14062
[3] https://bugs.gentoo.org/632556
[4] https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/22247] CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Andreas K. Huettel <dilfridge at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/show_bug.cgi?id=632556


[Bug libc/22247] CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+


[Bug libc/22247] CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

--- Comment #1 from Andreas K. Huettel <dilfridge at gentoo dot org> ---
Needs another libidn commit, it seems.
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=6c8a9375641ca283b50f9680c90dcd57f9c44798


[Bug libc/22247] CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2018-01-10
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com
     Ever confirmed|0                           |1


[Bug libc/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CVE-2017-14062 : Integer    |Integer overflow in the
                   |overflow in the             |decode_digit function in
                   |decode_digit function in    |puny_decode.c in libidn
                   |puny_decode.c in libidn     |(CVE-2017-14062)
              Alias|                            |CVE-2017-14062


[Bug network/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |network


[Bug network/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  7f9f1ecb710eac4d65bb02785ddf288cac098323 (commit)
      from  5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f9f1ecb710eac4d65bb02785ddf288cac098323

commit 7f9f1ecb710eac4d65bb02785ddf288cac098323
Author: Florian Weimer <[hidden email]>
Date:   Wed May 23 15:26:19 2018 +0200

    Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247]

    This provides an implementation of the IDNA2008 standard and fixes
    CVE-2016-6261, CVE-2016-6263, CVE-2017-14062.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                            |   64 +
 LICENSES                             |   69 -
 NEWS                                 |   24 +-
 config.h.in                          |    3 -
 include/dlfcn.h                      |    2 +-
 include/idna.h                       |    8 -
 inet/Makefile                        |   12 +-
 inet/Versions                        |    2 +
 inet/getnameinfo.c                   |   56 +-
 inet/idna.c                          |  182 +
 inet/idna_name_classify.c            |   75 +
 inet/net-internal.h                  |   27 +
 inet/tst-idna_name_classify.c        |   73 +
 libidn/Makefile                      |   34 -
 libidn/Versions                      |    6 -
 libidn/gunicomp.h                    |  658 ---
 libidn/gunidecomp.h                  |10362 ----------------------------------
 libidn/iconvme.c                     |  171 -
 libidn/iconvme.h                     |   25 -
 libidn/idn-stub.c                    |  142 -
 libidn/idna.c                        |  834 ---
 libidn/idna.h                        |   96 -
 libidn/nfkc.c                        | 1057 ----
 libidn/profiles.c                    |  308 -
 libidn/punycode.c                    |  454 --
 libidn/punycode.h                    |  214 -
 libidn/rfc3454.c                     | 3544 ------------
 libidn/shlib-versions                |    1 -
 libidn/stringprep.c                  |  668 ---
 libidn/stringprep.h                  |  209 -
 libidn/toutf8.c                      |  150 -
 nscd/gai.c                           |    3 -
 resolv/Makefile                      |   24 +-
 resolv/netdb.h                       |   16 +-
 resolv/tst-no-libidn2.c              |    2 +
 resolv/tst-resolv-ai_idn-common.c    |  569 ++
 resolv/tst-resolv-ai_idn-latin1.c    |   50 +
 resolv/tst-resolv-ai_idn-nolibidn2.c |  151 +
 resolv/tst-resolv-ai_idn.c           |   49 +
 support/support_format_addrinfo.c    |    2 -
 sysdeps/posix/getaddrinfo.c          |   81 +-
 sysdeps/unix/inet/Subdirs            |    1 -
 sysdeps/unix/inet/configure          |    9 -
 sysdeps/unix/inet/configure.ac       |    7 -
 44 files changed, 1351 insertions(+), 19143 deletions(-)
 delete mode 100644 include/idna.h
 create mode 100644 inet/idna.c
 create mode 100644 inet/idna_name_classify.c
 create mode 100644 inet/tst-idna_name_classify.c
 delete mode 100644 libidn/Makefile
 delete mode 100644 libidn/Versions
 delete mode 100644 libidn/gunicomp.h
 delete mode 100644 libidn/gunidecomp.h
 delete mode 100644 libidn/iconvme.c
 delete mode 100644 libidn/iconvme.h
 delete mode 100644 libidn/idn-stub.c
 delete mode 100644 libidn/idna.c
 delete mode 100644 libidn/idna.h
 delete mode 100644 libidn/nfkc.c
 delete mode 100644 libidn/profiles.c
 delete mode 100644 libidn/punycode.c
 delete mode 100644 libidn/punycode.h
 delete mode 100644 libidn/rfc3454.c
 delete mode 100644 libidn/shlib-versions
 delete mode 100644 libidn/stringprep.c
 delete mode 100644 libidn/stringprep.h
 delete mode 100644 libidn/toutf8.c
 create mode 100644 resolv/tst-no-libidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn-common.c
 create mode 100644 resolv/tst-resolv-ai_idn-latin1.c
 create mode 100644 resolv/tst-resolv-ai_idn-nolibidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn.c
 delete mode 100644 sysdeps/unix/inet/configure
 delete mode 100644 sysdeps/unix/inet/configure.ac


[Bug network/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|unspecified                 |2.28

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in 2.28.


[Bug network/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.28


[Bug network/22247] Integer overflow in the decode_digit function in puny_decode.c in libidn (CVE-2017-14062)

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=22247

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Joseph Myers <jsm28 at gcc dot gnu.org> ---
Marking FIXED.
