Bug 19011 - libidn new security issues CVE-2015-8948 and CVE-2016-626[1-3]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/695325/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-07-21 19:06 CEST by David Walser
Modified: 2016-07-27 00:11 CEST

See Also:
Source RPM: libidn-1.32-4.mga6.src.rpm

Description David Walser 2016-07-21 19:06:29 CEST
CVEs have been assigned for issues fixed in libidn 1.33:
http://openwall.com/lists/oss-security/2016/07/21/4
https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html

Freeze push requested for Cauldron.  Mageia 5 is also affected.

David Walser 2016-07-21 19:06:37 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-22 01:15:22 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

libidn is used by wget and curl, so those can be used to test this.

Advisory:
========================

Updated libidn packages fix security vulnerabilities:

Out-of-bounds stack read in libidn before 1.33 in idna_to_ascii_4i (CVE-2016-6261).

Out-of-bounds-read in libidn when reading one zero byte as input (CVE-2015-8948,
CVE-2016-6262).

In libidn before 1.33, stringprep_utf8_nfkc_normalize would crash when presented
with invalid UTF-8 (CVE-2016-6263).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6263
https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
http://openwall.com/lists/oss-security/2016/07/21/4
========================

Updated packages in core/updates_testing:
========================
libidn11-1.33-1.mga5
libidn-devel-1.33-1.mga5
idn-1.33-1.mga5
libidn11-java-1.33-1.mga5
libidn11-mono-1.33-1.mga5

from libidn-1.33-1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => has_procedure
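
The advisory in comment 1 names invalid UTF-8 and a lone zero byte as the inputs that trigger these bugs. As an added example (not part of this bug report and not libidn code), here is a caller-side check that rejects such input before it is handed to an IDN library. The function names are hypothetical, and it assumes the application holds the input as a byte buffer with an explicit length.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not a libidn API): returns 1 if buf[0..len) is
 * well-formed UTF-8 per RFC 3629, else 0. Rejects truncated sequences,
 * stray continuation bytes, overlong forms, surrogates, code points
 * above U+10FFFF and embedded NUL bytes. */
int utf8_is_well_formed(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;               /* continuation bytes expected */
        unsigned long cp, min;     /* decoded code point, smallest legal value */

        if (b == 0x00) return 0;                 /* embedded NUL */
        if (b < 0x80) { i++; continue; }         /* ASCII */
        if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return 0;                           /* stray continuation or bad lead */

        if (len - i - 1 < need) return 0;        /* truncated: never read past len */
        for (size_t k = 1; k <= need; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (cp < min) return 0;                  /* overlong encoding */
        if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
        i += need + 1;
    }
    return 1;
}

/* Gate for hostname-like input: must be non-empty and well-formed. */
int idn_input_acceptable(const char *s, size_t len)
{
    if (s == NULL || len == 0) return 0;
    return utf8_is_well_formed((const unsigned char *)s, len);
}

int main(void)
{
    /* Constructed samples: a valid IDN label and a truncated sequence. */
    static const char ok[] = "b\xC3\xBC" "cher.example";
    static const char bad[] = "b\xC3";
    printf("%d %d\n", idn_input_acceptable(ok, sizeof ok - 1),
           idn_input_acceptable(bad, sizeof bad - 1));
    return 0;
}
```

A check like this complements the update to 1.33 and does not replace it.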

Comment 2 David Walser 2016-07-23 23:44:27 CEST
Note that some of the security issues have tests in the package's test suite, which is run at build time.  General testing of wget and curl should suffice.

Comment 3 David Walser 2016-07-24 00:33:23 CEST
wget and curl work fine on Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 4 David Walser 2016-07-25 20:12:22 CEST
wget and curl work fine on Mageia 5 x86_64.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 5 David Walser 2016-07-25 20:28:27 CEST
Fedora has issued an advisory for this on July 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EQDCSQNM5LICMOIEU5H63QDQ4Z436KC5/

URL: (none) => http://lwn.net/Vulnerabilities/695325/

Dave Hodgins 2016-07-26 23:56:22 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-07-27 00:11:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0269.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
