Bug 16342

Summary:	libidn new security issue CVE-2015-2059
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	brtians1, sysadmin-bugs
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/651768/
Whiteboard:	has_procedure advisory mga5-64-ok MGA5-32-OK
Source RPM:	libidn-1.29-3.mga5.src.rpm	CVE:
Status comment:
Bug Depends on:
Bug Blocks:	16689

Description David Walser 2015-07-10 15:51:41 CEST

Upstream has released version 1.31 on July 8:
http://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html

This updated version is currently considered a "beta," as it changes the behavior of an API, and they haven't yet committed to retaining that change going forward.  We probably shouldn't update it until they do so.  It fixes a security issue in applications that use the API in an unsafe manner.

It was announced on the oss-security list on July 6 that wget and curl are two applications that are affected:
http://openwall.com/lists/oss-security/2015/07/06/5

cURL's approach was to disable libidn support by default, which I have also done in Cauldron.  If we are able to update to a "fixed" version of libidn in the future, we can re-enable curl's libidn support in Cauldron at that time.  For stable releases, it doesn't sound like it will ever make sense to backport this change in libidn, so disabling curl's libidn support there seems to be the way to go.  I have checked this change into Mageia 4 and Mageia 5 SVN.

wget has implemented a change to mitigate the impact of this issue, regardless of what libidn does.  I have checked this patch into Mageia 4, Mageia 5, and Cauldron SVN.

This doesn't sound like a very serious issue to me, so for now, we can include these changes in our next future updates to wget and curl.

Reproducible: 

Steps to Reproduce:

David Walser 2015-07-10 15:51:49 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-20 20:54:46 CEST

OpenSuSE has issued an advisory for this on July 17:
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html

Interestingly, they updated their stable releases to the libidn 1.31 beta, and Debian-LTS also backported the change.

URL: (none) => http://lwn.net/Vulnerabilities/651768/

Comment 2 David Walser 2015-09-02 19:56:24 CEST

libidn 1.32 has been released on August 1, fixing a regression in 1.31:
http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00000.html

It's still considered a beta, but Debian-LTS, Fedora, and OpenSuSE have gone with it, so let's go with it.  It requires an updated gettext to build in Mageia 4, so I'll push the curl and wget packages that I changed in SVN instead (in another bug).

Advisory:
========================

Updated libidn packages fix security vulnerability:

In libidn before 1.31, stringprep_utf8_to_ucs4 did not validate that the input
UTF-8 string was actually valid UTF-8, which could lead to out-of-bounds
reads (CVE-2015-2059).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2059
http://lists.gnu.org/archive/html/info-gnu/2015-03/msg00000.html
http://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html
http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00000.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html
========================

Updated packages in core/updates_testing:
========================
libidn11-1.32-1.mga5
libidn-devel-1.32-1.mga5
idn-1.32-1.mga5
libidn11-java-1.32-1.mga5
libidn11-mono-1.32-1.mga5

from libidn-1.32-1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => (none)

David Walser 2015-09-02 20:01:58 CEST

Blocks: (none) => 16689

Comment 3 David Walser 2015-09-02 22:19:03 CEST

Oops, assigning to QA.  Advisory and package list in Comment 2.

Assignee: bugsquad => qa-bugs

Comment 4 David Walser 2015-09-07 02:49:15 CEST

Mageia 5 i586, curl and wget work fine.

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 5 Brian Rockwell 2015-09-08 15:43:33 CEST

Hi David,
I only find 32-bit.  No 64-bit version.

Based on your notes, I guess I'll just move to another patch to test.  Let me know.

CC: (none) => brtians1

Comment 6 Rémi Verschelde 2015-09-08 15:47:29 CEST

(In reply to Brian Rockwell from comment #5)
> Hi David,
> I only find 32-bit.  No 64-bit version.

For 64-bit versions, the library would be named lib64idn*, plus there should be a 64-bit idn-1.32-1.mga5.

Comment 7 Brian Rockwell 2015-09-08 15:55:35 CEST

I search on "libidn" and only come back with 1.28.  Must be the mirror I'm using.

Comment 8 claire robinson 2015-09-08 16:23:08 CEST

Testing complete mga5 64
wget & curl ok

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory mga5-64-ok MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-09-08 19:57:33 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0349.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED