Ubuntu has issued an advisory today (October 2):
https://usn.ubuntu.com/usn/usn-3434-1/

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Severity: normal => major
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2017-14062)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062
https://usn.ubuntu.com/usn/usn-3434-1/

Updated packages in 5/core/updates_testing:
========================
lib(64)idn11-1.33-1.1.mga5
lib(64)idn-devel-1.33-1.1.mga5
idn-1.33-1.1.mga5
lib(64)idn11-java-1.33-1.1.mga5
libidn-javadoc-1.33-1.1.mga5
lib(64)idn11-mono-1.33-1.1.mga5

from SRPMS:
libidn-1.33-1.1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
lib(64)idn11-1.33-1.1.mga6
lib(64)idn-devel-1.33-1.1.mga6
idn-1.33-1.1.mga6
lib(64)idn11-java-1.33-1.1.mga6
libidn-javadoc-1.33-1.1.mga6
lib(64)idn11-mono-1.33-1.1.mga6

from SRPMS:
libidn-1.33-1.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Source RPM: libidn-1.33-2.mga7.src.rpm => libidn-1.33-1.mga6.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Status: NEW => ASSIGNED
MGA6-32 on Asus A6000VM
No installation issues.
I have no idea what this is about. Googling I found http://www.gnu.org/software/libidn/manual/html_node/Invoking-idn.html
So taking its most simple example, I did at the CLI:

    $ idn
    libidn 1.33
    Copyright 2002-2015 Simon Josefsson.
    GNU Libidn is free software with ABSOLUTELY NO WARRANTY. For more information about these matters, see <http://www.gnu.org/licenses/>.
    Typ elke invoertekenreeks op een afzonderlijke regel, afgesloten met Enter.

so I entered

    räksmörgås.se

and got the answer

    xn--rksmrgs-5wao1o.se

but contrary to the site, the command keeps waiting, does not return, so I just pressed <Enter> again and then I got

    idn: ## tld_check_4z(): Ontbrekende invoer (missing input)

and then the program returned to the CLI.
I leave it to the higher powers to decide if this is a good test.
CC: (none) => herman.viaene
Re comment 2: That may well be all we can do. The link you give mentions Punycode and Wikipedia gives this: Punycode is a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, "München" (German name for Munich) would be encoded as "Mnchen-3ya". Dealing with this issue seems to be one of the things which idn does. There may not be much scope for us here. At least you have opened the door and I shall poke around to see if there is anything we can do. Thanks Herman.
CC: (none) => tarazed25
Just installed idn and ran

    $ idn -d "Mnchen-3ya"
    München

So that's a start.
@Herman - re comment 2. I am no higher power but I would recommend that you OK this. The manual examples work for mga6::x86_64 as well and this is as far as it goes.

    $ idn
    räksmörgås.se
    xn--rksmrgs-5wao1o.se

Control-D to exit.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Too much of a hurry. Forgot to list updated packages:
- idn-1.33-1.1.mga6.x86_64
- lib64idn-devel-1.33-1.1.mga6.x86_64
- lib64idn11-1.33-1.1.mga6.x86_64
- lib64idn11-java-1.33-1.1.mga6.x86_64
- lib64idn11-mono-1.33-1.1.mga6.x86_64

I also just noticed that although my pre-update test still works, running interactively does nothing but the second string is converted. In other words the interactive mode encodes by default. But there are still oddities...

    $ idn
    Mnchen-3ya
    Mnchen-3ya # expected
    räksmörgås.se
    xn--rksmrgs-5wao1o.se
    München
    xn--mnchen-3ya # why the prefix xn--
    $ idn -e räksmörgås.se
    rksmrgs.se-q5ar2t # not expected
    $ idn -e München
    Mnchen-3ya

Maybe these differences are related to the "profiles". Impossible to tell from the documentation. We need clarification on this. And I shall play with the commands on a pre-update system.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO
Keywords: (none) => feedback
Testing on x86_64 for mga5
Trying different options revealed that the xn--mnchen-3ya string is generated when the option idna-to-ascii is used, which suggests that this option is operative in the interactive interface.

    $ idn -a München
    xn--mnchen-3ya
    $ idn -e München
    Mnchen-3ya
    $ idn -a räksmörgås.se
    xn--rksmrgs-5wao1o.se
    $ idn -u xn--rksmrgs-5wao1o.se
    räksmörgås.se
    $ idn -d rksmrgs.se-q5ar2t
    räksmörgås.se

Ran the updates:
- idn-1.33-1.1.mga5.x86_64
- lib64idn11-1.33-1.1.mga5.x86_64
- lib64idn11-java-1.33-1.1.mga5.x86_64
- lib64idn11-mono-1.33-1.1.mga5.x86_64

Could not find libidn-javadoc.
Converted strings as shown above, with the same results.
Used --debug, which produced a character by character report.

    $ idn -a --debug München
    Charset `UTF-8'.
    input[0] = U+004d
    input[1] = U+00fc
    input[2] = U+006e
    input[3] = U+0063
    input[4] = U+0068
    input[5] = U+0065
    input[6] = U+006e
    tld[0] = U+006d
    tld[1] = U+00fc
    tld[2] = U+006e
    tld[3] = U+0063
    tld[4] = U+0068
    tld[5] = U+0065
    tld[6] = U+006e
    output[0] = U+0078
    output[1] = U+006e
    output[2] = U+002d
    output[3] = U+002d
    output[4] = U+006d
    output[5] = U+006e
    output[6] = U+0063
    output[7] = U+0068
    output[8] = U+0065
    output[9] = U+006e
    output[10] = U+002d
    output[11] = U+0033
    output[12] = U+0079
    output[13] = U+0061
    xn--mnchen-3ya

Looks good for 64-bits.
Keywords: feedback => (none)
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
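The advisory in this report concerns an integer overflow in Punycode decoding, and the `idn -e` / `idn -d` tests above work on raw Punycode (no `xn--` prefix). As an added example, not part of this thread and not libidn's code, here is a raw Punycode decoder following RFC 3492 with its overflow checks made explicit; the `puny_decode` name and the `PUNY_*` return codes are this example's own.

```c
#include <stdint.h>
#include <string.h>
/* RFC 3492 Punycode parameters, and this example's own return codes. */
static const uint32_t BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
enum { PUNY_OK, PUNY_BAD_INPUT, PUNY_BIG_OUTPUT, PUNY_OVERFLOW };

/* Map one byte to a digit 0..35; any other byte yields BASE (invalid). */
static uint32_t decode_digit(unsigned char c) {
    if (c >= 'a' && c <= 'z') return (uint32_t)(c - 'a');
    if (c >= 'A' && c <= 'Z') return (uint32_t)(c - 'A');
    if (c >= '0' && c <= '9') return (uint32_t)(c - '0') + 26;
    return BASE;
}
static uint32_t adapt(uint32_t delta, uint32_t npoints, int first) { /* RFC 3492 6.1 */
    uint32_t k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / npoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE) delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode raw Punycode (no "xn--" prefix); *outlen is capacity in, count out. */
int puny_decode(const char *in, size_t inlen, uint32_t *out, size_t *outlen) {
    uint32_t n = 0x80, i = 0, bias = 72, len = 0;
    size_t b = 0, pos;
    for (pos = 0; pos < inlen; pos++) if (in[pos] == '-') b = pos; /* last delimiter */
    if (b > *outlen) return PUNY_BIG_OUTPUT;
    for (pos = 0; pos < b; pos++) /* basic code points are copied literally */
        if ((out[len++] = (unsigned char)in[pos]) >= 0x80) return PUNY_BAD_INPUT;
    for (pos = b > 0 ? b + 1 : 0; pos < inlen; len++) {
        uint32_t oldi = i, w = 1, k, digit, t;
        for (k = BASE;; k += BASE) {
            digit = pos < inlen ? decode_digit((unsigned char)in[pos++]) : BASE;
            if (digit >= BASE) return PUNY_BAD_INPUT; /* truncated or non-digit */
            if (digit > (UINT32_MAX - i) / w) return PUNY_OVERFLOW; /* i would wrap */
            i += digit * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if (digit < t) break;
            if (w > UINT32_MAX / (BASE - t)) return PUNY_OVERFLOW; /* w would wrap */
            w *= BASE - t;
        }
        bias = adapt(i - oldi, len + 1, oldi == 0);
        if (i / (len + 1) > UINT32_MAX - n) return PUNY_OVERFLOW; /* n would wrap */
        n += i / (len + 1); i %= len + 1;
        if (len >= *outlen) return PUNY_BIG_OUTPUT;
        memmove(out + i + 1, out + i, (len - i) * sizeof *out);
        out[i++] = n;
    }
    *outlen = len; return PUNY_OK;
}
```

Decoding `Mnchen-3ya` yields the code points of München, matching the `idn -d` result above, while a long run of `9` digits is rejected with `PUNY_OVERFLOW` instead of wrapping.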
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0365.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED