Bug 923241 (CVE-2015-2059) - VUL-1: CVE-2015-2059: libidn: out-of-bounds read with stringprep on invalid UTF-8
Summary: VUL-1: CVE-2015-2059: libidn: out-of-bounds read with stringprep on invalid U...
Status: RESOLVED FIXED
Alias: CVE-2015-2059
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/114173/
Whiteboard: CVSSv2:NVD:CVE-2015-2059:7.5:(AV:N/AC...
Keywords:
Depends on:
Blocks: 937096 937097
Reported: 2015-03-19 16:53 UTC by Marcus Meissner
Modified: 2019-08-28 22:39 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2015-03-19 16:53:26 UTC
http://seclists.org/oss-sec/2015/q1/672

    If the data ends with an unterminated multi-byte UTF8
    sequence then libidn may copy data past the buffer into the result.


    https://github.com/jabberd2/jabberd2/issues/85


    the stringprep functions from libidn require the input to be valid UTF8


    The libidn documentation claims "This function will not read or write
    to characters outside that size." about the length of the buffer that
    needs to be specified, but this is not true,


Use CVE-2015-2059 for this libidn out-of-bounds read issue. Possibly
it could be argued that this is a borderline case for a CVE. However,
the documentation says "This function will not read or write to
characters outside that size" rather than "If the input is valid
UTF-8, then this function will not read or write to characters outside
that size." If the input is not valid UTF-8, then the function is
entitled to undefined behavior within the bounds of the buffer.
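As an added illustration (not code from libidn or from this report), a bounded UTF-8 to UCS-4 decoder in the spirit of the 1.31 fix: it takes an explicit length and rejects a buffer that ends inside a multi-byte sequence, the condition described above, instead of reading past it. Function names are my own and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode UTF-8 into UCS-4 with every byte access bounded by `len`.
 * A buffer that ends inside a multi-byte sequence (the CVE-2015-2059 case)
 * returns -1 instead of being read past its end.  Overlong encodings,
 * UTF-16 surrogates (U+D800..U+DFFF) and values above U+10FFFF are also
 * rejected, matching the stricter check libidn 1.31 introduced.
 * Returns the number of code points stored in `out`, or -1 on invalid input. */
static long utf8_to_ucs4_checked(const unsigned char *in, size_t len,
                                 uint32_t *out, size_t out_len)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char b = in[i];
        uint32_t cp;
        size_t need;                          /* continuation bytes expected */
        if (b < 0x80)                { cp = b;        need = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 1; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 2; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; need = 3; }
        else return -1;                       /* stray continuation or 0xF8+ */
        if (need > len - i - 1)
            return -1;                        /* truncated: never read past len */
        for (size_t k = 1; k <= need; k++) {
            unsigned char c = in[i + k];
            if ((c & 0xC0) != 0x80)
                return -1;                    /* not a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
            (need == 3 && cp < 0x10000) || cp > 0x10FFFF ||
            (cp >= 0xD800 && cp <= 0xDFFF))
            return -1;                        /* overlong, out of range, surrogate */
        if (n >= out_len)
            return -1;                        /* caller's output buffer is full */
        out[n++] = cp;
        i += need + 1;
    }
    return (long)n;
}

/* Convenience wrapper over a constructed sample; `len` is passed explicitly
 * so a truncated sequence at the end of the buffer is exercised honestly. */
static long decode_bytes(const char *s, size_t len)
{
    uint32_t buf[16];
    return utf8_to_ucs4_checked((const unsigned char *)s, len, buf, 16);
}
```

With the constructed inputs, "caf\xC3\xA9" decodes to 4 code points, while "ab\xE2\x82" (U+20AC cut one byte short) and "\xED\xA0\x80" (the surrogate U+D800) are both rejected with -1.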
Comment 1 Swamp Workflow Management 2015-03-19 23:00:55 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-07-09 07:45:30 UTC
from https://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html

> Libidn 1.31 released
> 
> ** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
> This function has always been documented to not validate that the
> input UTF-8 string is actually valid UTF-8.  Like the rest of the API,
> when you call a function that works on UTF-8 data, you have to pass it
> valid UTF-8 data.  Application writers appear to have difficulties
> using interfaces designed like that, as bugs triggered by invalid
> UTF-8 have been identified in a number of projects (jabberd2, gnutls,
> wget, and curl).  While we could introduce a new API to perform UTF-8
> validation, so that applications can easily implement the proper
> checks, this appears error prone because there is a risk that the check
> will be forgotten.  Instead, we took the more radical approach of
> modifying the documentation and the implementation of the API.  The
> intention is that all functions that accept UTF-8 data should
> validate it before use.  This will solve the problem for applications,
> without needing to change them.  This change has the unfortunate
> side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
> longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
> instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
> code, as the gnulib/libunistring-based code that we use to test
> UTF-8-compliance rejects Surrogate codes.  We hope that this is an
> acceptable cost to live with in order to improve application security.
> We welcome feedback on this solution, and we are marking this release
> as beta rather than stable to signal that we may reconsider this
> approach if people disagree.  Reported by several people including
> Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
> Mavrogiannopoulos.

Commit:

http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=2e97c2796581c27213962c77f5a8571a598f9a2e

commit d28219f5f0607d06c43eccb4e407708c38ed8f9c
Author: Alessandro Ghedini <alessandro@ghedini.me>
Date:   Thu Jun 4 11:42:38 2015 +0200

    Use strdup() to duplicate a buffer
    
    This apparently fixes the "Invalid read of size 4" error from valgrind
    that was reported at https://bugs.debian.org/724069
    
    Signed-off-by: Simon Josefsson <simon@josefsson.org>
Comment 3 Andreas Stieger 2015-07-09 07:46:34 UTC
commit 2e97c2796581c27213962c77f5a8571a598f9a2e
Author: Simon Josefsson <simon@josefsson.org>
Date:   Wed Jul 8 02:06:22 2015 +0200

    libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
Comment 4 Bernhard Wiedemann 2015-07-09 08:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (923241) was mentioned in
https://build.opensuse.org/request/show/315645 Factory / libidn
https://build.opensuse.org/request/show/315646 13.2 / libidn
https://build.opensuse.org/request/show/315647 13.1 / libidn
Comment 5 Bernhard Wiedemann 2015-07-09 09:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (923241) was mentioned in
https://build.opensuse.org/request/show/315649 Factory / libidn
Comment 6 Swamp Workflow Management 2015-07-17 15:08:24 UTC
openSUSE-SU-2015:1261-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 923241
CVE References: CVE-2015-2059
Sources used:
openSUSE 13.2 (src):    libidn-1.31-3.3.1
openSUSE 13.1 (src):    libidn-1.31-7.3.1
Comment 10 Swamp Workflow Management 2016-08-16 11:09:15 UTC
SUSE-SU-2016:2079-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 923241,990189,990190,990191
CVE References: CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libidn-1.28-4.1
SUSE Linux Enterprise Server 12-SP1 (src):    libidn-1.28-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libidn-1.28-4.1
Comment 11 Swamp Workflow Management 2016-08-23 15:09:00 UTC
openSUSE-SU-2016:2135-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 923241,990189,990190,990191
CVE References: CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Sources used:
openSUSE Leap 42.1 (src):    libidn-1.28-6.1
Comment 12 Swamp Workflow Management 2016-09-12 13:10:23 UTC
SUSE-SU-2016:2291-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 923241,990189,990190,990191
CVE References: CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libidn-1.10-6.1
SUSE Linux Enterprise Server 11-SP4 (src):    libidn-1.10-6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libidn-1.10-6.1
Comment 13 Marcus Meissner 2016-09-28 12:36:33 UTC
released