
libidn: 1.32 -> 1.33 (for CVEs) #17141

Merged
merged 1 commit into from
Jul 26, 2016

Conversation

lsix
Member

@lsix lsix commented Jul 21, 2016

Things done
  • Tested using sandboxing
    (nix.useChroot on NixOS,
    or option build-use-chroot in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • OS X
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

See http://lists.gnu.org/archive/html/info-gnu/2016-07/msg00011.html
for announcement.

@lsix lsix added 1.severity: mass-rebuild This PR causes a large number of packages to rebuild 8.has: package (update) This PR updates a package to a newer version labels Jul 21, 2016
@mention-bot

@lancelotsix, thanks for your PR! By analyzing the annotation information on this pull request, we identified @wkennington, @vcunat and @shlevy to be potential reviewers

@grahamc grahamc added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jul 21, 2016
@grahamc
Member

grahamc commented Jul 21, 2016

This fixes several CVEs I think we should consider backporting to 16.03, too.

API and ABI are backwards compatible with the previous version.

from Andreas Stieger on oss-security:

Hello,

The GNU libidn 1.33 release was announced with the following:

https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html

> ** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
> See tests/tst_toascii64oob.c for regression check (and the comment in
> it how to use it).  Reported by Hanno Böck <address@hidden>.

Test:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=9a1a7e15d0706634971364493fbb06e77e74726c
Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=d4c533a5d975bf49090d3cd40acd230b8f79dd32
Follow-up memory leak fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=11abd0e02c16f9e0b6944aea4ef0f2df44b42dd4

> ** idn: Solve out-of-bounds-read when reading one zero byte as input.
> Also replaced fgets with getline.  Reported by Hanno Böck <address@hidden>.

Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041
Follow-up fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60

> ** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
> It was always documented to only accept UTF-8 data, but now it doesn't
> crash when presented with such data.  Reported by Hanno Böck.

Test / Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1d2413555dcd1fef26b80445a00a4637965a2df0

Could CVEs please be assigned?

Thanks,
Andreas


@grahamc grahamc changed the title libidn: 1.32 -> 1.33 libidn: 1.32 -> 1.33 (for CVEs) Jul 21, 2016
@obadz
Contributor

obadz commented Jul 25, 2016

@vcunat, since you're the king of staging, do you want to merge this?

@vcunat vcunat merged commit e7c8c09 into NixOS:staging Jul 26, 2016
vcunat added a commit that referenced this pull request Jul 26, 2016
@vcunat
Member

vcunat commented Jul 26, 2016

Build-tested, and pushed to staging and 16.03.

@vcunat
Member

vcunat commented Jul 26, 2016

  • Version 1.33 (released 2016-07-20) [beta]

Hmm, is that a "beta" version? Well, I suppose it's better than a vulnerable one, at least for now...

adrianpk added a commit to adrianpk/nixpkgs that referenced this pull request May 31, 2024