I noticed those through a debian security advisory. Dunno how
exploitable they are, but here are some more details:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
https://nvd.nist.gov/vuln/detail/CVE-2017-14061
o CVE-2017-14061: Integer overflow in the _isBidi function in bidi.c in
Libidn2 before 2.0.4 allows remote attackers to cause a denial of
service or possibly have unspecified other impact.
https://nvd.nist.gov/vuln/detail/CVE-2017-14062
o CVE-2017-14062: Integer overflow in the decode_digit function in
puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause
a denial of service or possibly have unspecified other impact.
The changes look rather safe, but what do you folks think? Put this in
for 6.2?
Index: devel/libidn/Makefile
===================================================================
RCS file: /d/cvs/ports/devel/libidn/Makefile,v
retrieving revision 1.31
diff -u -p -r1.31 Makefile
--- devel/libidn/Makefile 30 Jul 2016 14:22:43 -0000 1.31
+++ devel/libidn/Makefile 1 Oct 2017 22:21:13 -0000
@@ -3,6 +3,7 @@
COMMENT= internationalized string handling
DISTNAME= libidn-1.33
+REVISION= 0
SHARED_LIBS += idn 17.2 # 17.16
@@ -29,5 +30,9 @@ CONFIGURE_ARGS= --disable-csharp \
post-extract:
rm ${WRKSRC}/contrib/doxygen/*.orig
+
+# hack to avoid regenerating docs
+post-patch:
+ touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c
.include <bsd.port.mk>
Index: devel/libidn/patches/patch-lib_punycode_c
===================================================================
RCS file: devel/libidn/patches/patch-lib_punycode_c
diff -N devel/libidn/patches/patch-lib_punycode_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+commit e9e81b8063b095b02cf104bb992fa9bf9515b9d8
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Fri Sep 1 10:04:48 2017 +0200
+
+ lib/punycode.c (decode_digit): Fix integer overflow
+
+ This fix is a backport from libidn2 and addresses
+ CVE-2017-14062.
+
+Index: lib/punycode.c
+--- lib/punycode.c.orig
++++ lib/punycode.c
+@@ -88,10 +88,10 @@ enum
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value. */
+
+-static punycode_uint
++static unsigned
+ decode_digit (punycode_uint cp)
+ {
+- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
++ return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ cp - 97 < 26 ? cp - 97 : base;
+ }
+
Index: devel/libidn2/Makefile
===================================================================
RCS file: /d/cvs/ports/devel/libidn2/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- devel/libidn2/Makefile 18 Apr 2017 21:22:57 -0000 1.2
+++ devel/libidn2/Makefile 1 Oct 2017 22:06:28 -0000
@@ -3,6 +3,7 @@
COMMENT= implementation of IDNA2008 internationalized domain names
DISTNAME= libidn2-2.0.0
+REVISION= 0
CATEGORIES= devel
HOMEPAGE= https://www.gnu.org/software/libidn/\#libidn2
Index: devel/libidn2/patches/patch-lib_bidi_c
===================================================================
RCS file: devel/libidn2/patches/patch-lib_bidi_c
diff -N devel/libidn2/patches/patch-lib_bidi_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn2/patches/patch-lib_bidi_c 1 Oct 2017 22:06:28 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+
+Fix for CVE-2017-14061
+
+commit 16853b6973a1e72fee2b7cccda85472cb9951305
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Tue Aug 1 11:15:10 2017 +0200
+
+ lib/bidi: Fix integer overflow (found by fuzzing)
+
+Index: lib/bidi.c
+--- lib/bidi.c.orig
++++ lib/bidi.c
+@@ -30,6 +30,7 @@
+
+ #include "idn2.h"
+
++#include <sys/types.h>
+ #include <stdbool.h>
+
+ #include "bidi.h"
+@@ -39,7 +40,7 @@
+ static bool
+ _isBidi (const uint32_t *label, size_t llen)
+ {
+- while (llen-- > 0) {
++ for (; (ssize_t) llen > 0; llen--) {
+ int bc = uc_bidi_category (*label++);
+
+ if (bc == UC_BIDI_R || bc == UC_BIDI_AL || bc == UC_BIDI_AN)
Index: devel/libidn2/patches/patch-lib_punycode_c
===================================================================
RCS file: devel/libidn2/patches/patch-lib_punycode_c
diff -N devel/libidn2/patches/patch-lib_punycode_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn2/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+Fix for CVE-2017-14062
+
+commit 3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Tue Aug 1 11:16:47 2017 +0200
+
+ lib/puny_decode: Fix integer overflow (found by fuzzing)
+
+Index: lib/punycode.c
+--- lib/punycode.c.orig
++++ lib/punycode.c
+@@ -94,10 +94,10 @@ enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value. */
+
+-static punycode_uint decode_digit(punycode_uint cp)
++static unsigned decode_digit(int cp)
+ {
+- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+- cp - 97 < 26 ? cp - 97 : base;
++ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
++ cp - 97 < 26 ? cp - 97 : base);
+ }
+
+ /* encode_digit(d,flag) returns the basic code point whose value */
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
No comments:
Post a Comment