Bug 21800 - libidn new security issue CVE-2017-14062
Summary: libidn new security issue CVE-2017-14062
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-02 23:33 CEST by David Walser
Modified: 2017-10-09 11:52 CEST

See Also:
Source RPM: libidn-1.33-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-10-02 23:33:44 CEST
Ubuntu has issued an advisory today (October 2):
https://usn.ubuntu.com/usn/usn-3434-1/

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-02 23:33:49 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

David Walser 2017-10-02 23:34:59 CEST

Severity: normal => major

Comment 1 Nicolas Salguero 2017-10-04 14:46:35 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2017-14062)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062
https://usn.ubuntu.com/usn/usn-3434-1/

Updated packages in 5/core/updates_testing:
========================
lib(64)idn11-1.33-1.1.mga5
lib(64)idn-devel-1.33-1.1.mga5
idn-1.33-1.1.mga5
lib(64)idn11-java-1.33-1.1.mga5
libidn-javadoc-1.33-1.1.mga5
lib(64)idn11-mono-1.33-1.1.mga5

from SRPMS:
libidn-1.33-1.1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)idn11-1.33-1.1.mga6
lib(64)idn-devel-1.33-1.1.mga6
idn-1.33-1.1.mga6
lib(64)idn11-java-1.33-1.1.mga6
libidn-javadoc-1.33-1.1.mga6
lib(64)idn11-mono-1.33-1.1.mga6

from SRPMS:
libidn-1.33-1.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Source RPM: libidn-1.33-2.mga7.src.rpm => libidn-1.33-1.mga6.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Status: NEW => ASSIGNED

Comment 2 Herman Viaene 2017-10-05 11:52:31 CEST
MGA6-32 on Asus A6000VM
No installation issues.
I have no idea what this is about. Googling I found http://www.gnu.org/software/libidn/manual/html_node/Invoking-idn.html
So taking the most simple example, I did at the CLI:
$ idn
libidn 1.33
Copyright 2002-2015 Simon Josefsson.
GNU Libidn is free software with ABSOLUTELY NO WARRANTY.  For more
information about these matters, see <http://www.gnu.org/licenses/>.
Typ elke invoertekenreeks op een afzonderlijke regel, afgesloten met Enter.
so I entered
räksmörgås.se
and got the answer
xn--rksmrgs-5wao1o.se
but contrary to the site, the command keeps waiting, does not return, so I just pressed <Enter> again and then I got
idn: ## tld_check_4z(): Ontbrekende invoer (missing input)
and then the program returned to the CLI
I leave it to the higher powers to decide if this is a good test.

CC: (none) => herman.viaene

Comment 3 Len Lawrence 2017-10-05 18:40:51 CEST
Re comment 2:

That may well be all we can do.

The link you give mentions Punycode and Wikipedia gives this:
Punycode is a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, "München" (German name for Munich) would be encoded as "Mnchen-3ya".
Dealing with this issue seems to be one of the things which idn does.  There may not be much scope for us here.  At least you have opened the door and I shall poke around to see if there is anything we can do.

Thanks Herman.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-10-05 18:44:44 CEST
Just installed idn and ran

$ idn -d "Mnchen-3ya"
München

So that's a start.
Comment 5 Len Lawrence 2017-10-06 00:57:49 CEST
@Herman - re comment 2.
I am no higher power but I would recommend that you OK this.  The manual examples work for mga6::x86_64 as well and this is as far as it goes.

$ idn
räksmörgås.se
xn--rksmrgs-5wao1o.se

Control-D to exit.
Len Lawrence 2017-10-06 00:58:14 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 6 Len Lawrence 2017-10-06 01:32:08 CEST
Too much of a hurry.
Forgot to list updated packages:
- idn-1.33-1.1.mga6.x86_64
- lib64idn-devel-1.33-1.1.mga6.x86_64
- lib64idn11-1.33-1.1.mga6.x86_64
- lib64idn11-java-1.33-1.1.mga6.x86_64
- lib64idn11-mono-1.33-1.1.mga6.x86_64

I also just noticed that although my pre-update test still works, running interactively does nothing but the second string is converted.  In other words the interactive mode encodes by default.  But there are still oddities...

$ idn
Mnchen-3ya 
Mnchen-3ya                         # expected
räksmörgås.se
xn--rksmrgs-5wao1o.se
München
xn--mnchen-3ya                     # why the prefix xn--

$ idn -e räksmörgås.se
rksmrgs.se-q5ar2t                  # not expected
$ idn -e München
Mnchen-3ya

Maybe these differences are related to the "profiles".  Impossible to tell from the documentation.
We need clarification on this.  And I shall play with the commands on a pre-update system.
Len Lawrence 2017-10-06 01:32:31 CEST

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO
Keywords: (none) => feedback

Comment 7 Len Lawrence 2017-10-06 13:21:22 CEST
Testing on x86_64 for mga5

Trying different options revealed that the xn--mnchen-3ya string is generated when the option idna-to-ascii is used, which suggests that this option is operative in the interactive interface.

$ idn -a München
xn--mnchen-3ya
$ idn -e München
Mnchen-3ya
$ idn -a räksmörgås.se
xn--rksmrgs-5wao1o.se
$ idn -u xn--rksmrgs-5wao1o.se
räksmörgås.se
$ idn -d rksmrgs.se-q5ar2t
räksmörgås.se

Ran the updates:

- idn-1.33-1.1.mga5.x86_64
- lib64idn11-1.33-1.1.mga5.x86_64
- lib64idn11-java-1.33-1.1.mga5.x86_64
- lib64idn11-mono-1.33-1.1.mga5.x86_64

Could not find libidn-javadoc.

Converted strings as shown above, with the same results.  Used --debug, which produced a character by character report.
$ idn -a --debug München
Charset `UTF-8'.
input[0] = U+004d
input[1] = U+00fc
input[2] = U+006e
input[3] = U+0063
input[4] = U+0068
input[5] = U+0065
input[6] = U+006e
tld[0] = U+006d
tld[1] = U+00fc
tld[2] = U+006e
tld[3] = U+0063
tld[4] = U+0068
tld[5] = U+0065
tld[6] = U+006e
output[0] = U+0078
output[1] = U+006e
output[2] = U+002d
output[3] = U+002d
output[4] = U+006d
output[5] = U+006e
output[6] = U+0063
output[7] = U+0068
output[8] = U+0065
output[9] = U+006e
output[10] = U+002d
output[11] = U+0033
output[12] = U+0079
output[13] = U+0061
xn--mnchen-3ya

Looks good for 64-bits.

Keywords: feedback => (none)
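
The advisory in comment 1 concerns an integer overflow while decoding Punycode, and the tests above exercise `idn -d` only with well-formed strings. As an added example (not libidn's code and not its patch), here is a Punycode decoder following RFC 3492 with the overflow checks the RFC requires; it reproduces the `-d` results from this thread and rejects malformed input. `MAXINT` emulating a 32-bit accumulator and all function names are assumptions of this sketch.

```python
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700  # RFC 3492 parameters (added example)
INITIAL_BIAS, INITIAL_N = 72, 128
MAXINT = 0xFFFFFFFF  # assumption: emulate a 32-bit unsigned accumulator
DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"

def digit_value(ch):
    d = DIGITS.find(ch.lower()) if ch.isascii() else -1
    if d < 0:
        raise ValueError(f"not a Punycode digit: {ch!r}")
    return d

def adapt(delta, numpoints, first):  # bias adaptation, RFC 3492 section 6.1
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)

def punycode_decode(text):
    """Raw decode of one Punycode string (what `idn -d` does, no xn-- prefix)."""
    basic, _, ext = text.rpartition("-")
    if not basic.isascii():
        raise ValueError("non-ASCII in basic code points")
    out, n, i, bias, pos = list(basic), INITIAL_N, 0, INITIAL_BIAS, 0
    while pos < len(ext):
        oldi, w, k = i, 1, BASE
        while True:
            if pos >= len(ext):
                raise ValueError("truncated variable-length integer")
            d, pos = digit_value(ext[pos]), pos + 1
            if d > (MAXINT - i) // w:      # would i + d*w exceed MAXINT?
                raise OverflowError("delta overflows accumulator")
            i += d * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if d < t:
                break
            if w > MAXINT // (BASE - t):   # would the next weight exceed MAXINT?
                raise OverflowError("weight overflows accumulator")
            w, k = w * (BASE - t), k + BASE
        size = len(out) + 1
        bias = adapt(i - oldi, size, oldi == 0)
        n, i = n + i // size, i % size
        if n > 0x10FFFF:
            raise OverflowError("code point out of Unicode range")
        out.insert(i, chr(n))
        i += 1
    return "".join(out)
```

In a language with fixed-width integers the two `MAXINT` comparisons must be made before the multiplication and addition, as here, so the check itself cannot wrap.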

Len Lawrence 2017-10-06 16:18:55 CEST

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK

Lewis Smith 2017-10-08 10:54:12 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2017-10-09 11:52:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0365.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

