Bug 39440

Summary: libidn: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P2
CC: gohmann
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-3-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 41949

Description Arvid Requate univentionstaff 2015-09-30 10:13:05 CEST
* The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2 and other applications, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read (CVE-2015-2059)

GNU Libidn is a fully documented implementation of the Stringprep, Punycode and IDNA specifications. Libidn's purpose is to encode and decode internationalized domain names.

Possibly affects gnutls, wget, and curl
Comment 1 Arvid Requate univentionstaff 2016-05-23 18:17:29 CEST
Upstream Debian package version 1.25-2+deb7u1 fixes this issue.
Comment 2 Arvid Requate univentionstaff 2016-08-09 17:23:45 CEST
Upstream Debian package version 1.25-2+deb7u2 fixes the following issues:

* Solve out-of-bounds-read when reading one zero byte as input (CVE-2015-8948)
* out-of-bounds stack read in idna_to_ascii_4i (CVE-2016-6261)
* stringprep_utf8_nfkc_normalize reject invalid UTF-8 (CVE-2016-6263)

CVE-2015-8948: CVSS v2 base score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE-2016-6261: CVSS v2 base score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVE-2016-6263: CVSS v2 base score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
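The bug class behind CVE-2015-2059 in the description and the "reject invalid UTF-8" item (CVE-2016-6263) in comment 2 is the same: a converter that takes a UTF-8 lead byte's length claim at face value and reads continuation bytes without checking that they lie inside the caller's buffer. The following is an added illustration of that class and of the validate-before-use check a caller should impose, written for this page; it is not libidn's code, not the upstream patch, and not taken from any of the reports above. All function names are the example's own, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes a UTF-8 sequence should have, judging only from its lead byte;
 * 0 if the byte cannot start a sequence (a continuation byte, the overlong
 * leads 0xC0/0xC1, or anything >= 0xF5). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* The shape of the bug class (illustrative, not libidn's code): take the
 * lead byte's length claim and read that many bytes with no check that they
 * lie inside the caller's buffer. Returns how many bytes it read for the
 * first code point; when that exceeds the bytes actually available, the read
 * went out of bounds. The demo only calls it on a zero-padded array so it
 * stays memory-safe here; real input would not be padded. */
static size_t trusting_first_seq(const unsigned char *s, uint32_t *cp)
{
    size_t n = utf8_seq_len(s[0]);
    if (n == 0) n = 1;
    uint32_t v = (n == 1) ? s[0] : (s[0] & (0xFFu >> (n + 1)));
    for (size_t i = 1; i < n; i++)
        v = (v << 6) | (s[i] & 0x3F);   /* neither a bounds nor a 10xxxxxx check */
    *cp = v;
    return n;
}

/* Validating decoder for one code point at s[*pos] in a length-delimited
 * buffer. Returns 1 and advances *pos on success; returns 0 and leaves *pos
 * at the offending byte for a truncated sequence, a bad lead or continuation
 * byte, an overlong form, a UTF-16 surrogate, or a value above 0x10FFFF. */
static int utf8_decode_one(const unsigned char *s, size_t len, size_t *pos, uint32_t *cp)
{
    static const uint32_t min_for_len[5] = {0, 0, 0x80, 0x800, 0x10000};
    size_t i = *pos;
    if (i >= len) return 0;
    size_t n = utf8_seq_len(s[i]);
    if (n == 0) return 0;
    if (n > len - i) return 0;                    /* truncated: the bounds check that stops the over-read */
    uint32_t v = (n == 1) ? s[i] : (s[i] & (0xFFu >> (n + 1)));
    for (size_t k = 1; k < n; k++) {
        if ((s[i + k] & 0xC0) != 0x80) return 0;  /* not a continuation byte */
        v = (v << 6) | (s[i + k] & 0x3F);
    }
    if (v < min_for_len[n]) return 0;             /* overlong encoding */
    if (v >= 0xD800 && v <= 0xDFFF) return 0;     /* UTF-16 surrogate */
    if (v > 0x10FFFF) return 0;
    *cp = v;
    *pos = i + n;
    return 1;
}

/* Convert a whole buffer to UCS-4, refusing any invalid input up front.
 * Returns the number of code points written, -1 if the input is invalid
 * (*bad = offset of the first bad sequence), or -2 if outcap is too small.
 * The buffer is length-delimited, so a NUL byte inside len is ordinary input
 * (U+0000), not a terminator: a lone zero byte neither ends the scan early
 * nor is read past. */
static long utf8_to_ucs4_checked(const unsigned char *s, size_t len,
                                 uint32_t *out, size_t outcap, size_t *bad)
{
    size_t pos = 0, n = 0;
    *bad = 0;
    while (pos < len) {
        uint32_t cp;
        if (!utf8_decode_one(s, len, &pos, &cp)) { *bad = pos; return -1; }
        if (n == outcap) return -2;
        out[n++] = cp;
    }
    return (long)n;
}

int main(void)
{
    /* Constructed input, not from any real report: "a" followed by the
     * 3-byte sequence for U+20AC cut off after two bytes. The array is
     * zero-padded so the trusting decoder's over-read stays inside it. */
    unsigned char buf[8] = {0x61, 0xE2, 0x82};
    size_t len = 3;
    uint32_t cp, out[8];
    size_t bad;

    size_t read = trusting_first_seq(buf + 1, &cp);
    printf("trusting decoder read %zu bytes, only %zu were available (value 0x%X)\n",
           read, len - 1, cp);

    long n = utf8_to_ucs4_checked(buf, len, out, 8, &bad);
    if (n < 0)
        printf("validating decoder rejected the input at offset %zu\n", bad);
    else
        printf("validating decoder produced %ld code points\n", n);
    return 0;
}
```

The practical point for anything that feeds untrusted strings into a stringprep or IDNA library: convert with a length-delimited, validating decoder (or run an equivalent validation pass) before the library ever sees the bytes, and treat a rejection as an input error rather than trying to repair the string.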
Comment 3 Janek Walkenhorst univentionstaff 2016-08-26 13:04:43 CEST
Tests (i386): OK
Advisory: libidn.yaml
Comment 4 Arvid Requate univentionstaff 2016-09-05 17:56:11 CEST
Verified:
* 1.25-2+deb7u2 imported and built
* No UCS patches
* Package update Ok (amd64)
* Advisory Ok
Comment 5 Janek Walkenhorst univentionstaff 2016-09-07 18:41:39 CEST
<http://errata.software-univention.de/ucs/4.1/240.html>