Sunday, October 01, 2017

Re: [security] libidn & libidn2 fixes for CVE-2017-14061 and CVE-2017-14062

forgot to cc maintainers...

On Mon, Oct 02 2017, Jeremie Courreges-Anglas <jca@wxcvbn.org> wrote:
> I noticed those through a debian security advisory. Dunno how
> exploitable they are, but here are some more details:
>
> http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
> https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
> https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-14061
>
> o CVE-2017-14061: Integer overflow in the _isBidi function in bidi.c in
> Libidn2 before 2.0.4 allows remote attackers to cause a denial of
> service or possibly have unspecified other impact.
>
> https://nvd.nist.gov/vuln/detail/CVE-2017-14062
>
> o CVE-2017-14062: Integer overflow in the decode_digit function in
> puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause
> a denial of service or possibly have unspecified other impact.
>
> The changes look rather safe, but what do you folks think? Put this in
> for 6.2?
>
>
> Index: devel/libidn/Makefile
> ===================================================================
> RCS file: /d/cvs/ports/devel/libidn/Makefile,v
> retrieving revision 1.31
> diff -u -p -r1.31 Makefile
> --- devel/libidn/Makefile 30 Jul 2016 14:22:43 -0000 1.31
> +++ devel/libidn/Makefile 1 Oct 2017 22:21:13 -0000
> @@ -3,6 +3,7 @@
> COMMENT= internationalized string handling
>
> DISTNAME= libidn-1.33
> +REVISION= 0
>
> SHARED_LIBS += idn 17.2 # 17.16
>
> @@ -29,5 +30,9 @@ CONFIGURE_ARGS= --disable-csharp \
>
> post-extract:
> rm ${WRKSRC}/contrib/doxygen/*.orig
> +
> +# hack to avoid regenerating docs
> +post-patch:
> + touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c
>
> .include <bsd.port.mk>
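Review bot: the new post-patch target closing this hunk needs a fuller comment than "hack to avoid regenerating docs": say which generated artefact the newer mtime of lib/punycode.c would otherwise trigger (the contrib/doxygen tree already cleaned in post-extract is the obvious candidate), so that the `touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c` line can be dropped once the port moves to a release carrying the fix upstream.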
> Index: devel/libidn/patches/patch-lib_punycode_c
> ===================================================================
> RCS file: devel/libidn/patches/patch-lib_punycode_c
> diff -N devel/libidn/patches/patch-lib_punycode_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ devel/libidn/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
> @@ -0,0 +1,27 @@
> +$OpenBSD$
> +
> +commit e9e81b8063b095b02cf104bb992fa9bf9515b9d8
> +Author: Tim Rühsen <tim.ruehsen@gmx.de>
> +Date: Fri Sep 1 10:04:48 2017 +0200
> +
> + lib/punycode.c (decode_digit): Fix integer overflow
> +
> + This fix is a backport from libidn2 and addresses
> + CVE-2017-14062.
> +
> +Index: lib/punycode.c
> +--- lib/punycode.c.orig
> ++++ lib/punycode.c
> +@@ -88,10 +88,10 @@ enum
> + /* point (for use in representing integers) in the range 0 to */
> + /* base-1, or base if cp does not represent a value. */
> +
> +-static punycode_uint
> ++static unsigned
> + decode_digit (punycode_uint cp)
> + {
> +- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
> ++ return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
> + cp - 97 < 26 ? cp - 97 : base;
> + }
> +
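Review bot: in the final return statement the `(unsigned)` cast covers only the first comparison (`(unsigned) cp - 48 < 10`); `cp - 65 < 26` and `cp - 97 < 26` still compute in punycode_uint, and the result is now returned as `unsigned` while the parameter stays `punycode_uint`. This matches upstream commit e9e81b8 quoted in the patch header, but a line in the patch file stating that punycode_uint is an unsigned type in this tree (so the remaining subtractions wrap rather than overflow) and that callers still receive the documented `base` sentinel for invalid input would make the backport easier to verify on the next update.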
> Index: devel/libidn2/Makefile
> ===================================================================
> RCS file: /d/cvs/ports/devel/libidn2/Makefile,v
> retrieving revision 1.2
> diff -u -p -r1.2 Makefile
> --- devel/libidn2/Makefile 18 Apr 2017 21:22:57 -0000 1.2
> +++ devel/libidn2/Makefile 1 Oct 2017 22:06:28 -0000
> @@ -3,6 +3,7 @@
> COMMENT= implementation of IDNA2008 internationalized domain names
>
> DISTNAME= libidn2-2.0.0
> +REVISION= 0
> CATEGORIES= devel
> HOMEPAGE= https://www.gnu.org/software/libidn/\#libidn2
>
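Review bot: this hunk only bumps REVISION; unlike the devel/libidn Makefile earlier in the same diff, no post-patch mtime adjustment is added for the patched lib/punycode.c, so the commit message (or a Makefile comment) should state that the libidn2 build does not regenerate documentation from the modified source.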
> Index: devel/libidn2/patches/patch-lib_bidi_c
> ===================================================================
> RCS file: devel/libidn2/patches/patch-lib_bidi_c
> diff -N devel/libidn2/patches/patch-lib_bidi_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ devel/libidn2/patches/patch-lib_bidi_c 1 Oct 2017 22:06:28 -0000
> @@ -0,0 +1,30 @@
> +$OpenBSD$
> +
> +Fix for CVE-2017-14061
> +
> +commit 16853b6973a1e72fee2b7cccda85472cb9951305
> +Author: Tim Rühsen <tim.ruehsen@gmx.de>
> +Date: Tue Aug 1 11:15:10 2017 +0200
> +
> + lib/bidi: Fix integer overflow (found by fuzzing)
> +
> +Index: lib/bidi.c
> +--- lib/bidi.c.orig
> ++++ lib/bidi.c
> +@@ -30,6 +30,7 @@
> +
> + #include "idn2.h"
> +
> ++#include <sys/types.h>
> + #include <stdbool.h>
> +
> + #include "bidi.h"
> +@@ -39,7 +40,7 @@
> + static bool
> + _isBidi (const uint32_t *label, size_t llen)
> + {
> +- while (llen-- > 0) {
> ++ for (; (ssize_t) llen > 0; llen--) {
> + int bc = uc_bidi_category (*label++);
> +
> + if (bc == UC_BIDI_R || bc == UC_BIDI_AL || bc == UC_BIDI_AN)
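Review bot: the replacement loop condition `(ssize_t) llen > 0` treats any llen above SSIZE_MAX as non-positive, so such a label skips the loop entirely instead of iterating; that is the intended overflow guard, but the patch file should carry a one-line comment explaining why the signed cast was chosen over `llen > 0` with the decrement moved into the body, since `#include <sys/types.h>` is added solely for ssize_t and a future reader will otherwise wonder why a size_t is being sign-cast.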
> Index: devel/libidn2/patches/patch-lib_punycode_c
> ===================================================================
> RCS file: devel/libidn2/patches/patch-lib_punycode_c
> diff -N devel/libidn2/patches/patch-lib_punycode_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ devel/libidn2/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
> @@ -0,0 +1,27 @@
> +$OpenBSD$
> +
> +Fix for CVE-2017-14062
> +
> +commit 3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
> +Author: Tim Rühsen <tim.ruehsen@gmx.de>
> +Date: Tue Aug 1 11:16:47 2017 +0200
> +
> + lib/puny_decode: Fix integer overflow (found by fuzzing)
> +
> +Index: lib/punycode.c
> +--- lib/punycode.c.orig
> ++++ lib/punycode.c
> +@@ -94,10 +94,10 @@ enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp
> + /* point (for use in representing integers) in the range 0 to */
> + /* base-1, or base if cp does not represent a value. */
> +
> +-static punycode_uint decode_digit(punycode_uint cp)
> ++static unsigned decode_digit(int cp)
> + {
> +- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
> +- cp - 97 < 26 ? cp - 97 : base;
> ++ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
> ++ cp - 97 < 26 ? cp - 97 : base);
> + }
> +
> + /* encode_digit(d,flag) returns the basic code point whose value */
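Review bot: the comment kept as context above the hunk still promises a result "in the range 0 to base-1, or base if cp does not represent a value", but with the parameter now `int cp` a negative cp makes `cp - 48 < 10` true and the function returns `(unsigned) (cp - 22)`, a large value that is neither; either update that comment or clamp negative input to `base`. Note also that this backport differs from the libidn patch earlier in this diff (which keeps `punycode_uint cp` and casts only the first operand); both follow their respective upstream commits (3284eb3 and e9e81b8), and a short note in each patch file saying so would stop a later update from "harmonizing" them.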

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
