Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 17 Jun 2015 17:21:39 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: CVE Request: jabberd remote information
 disclosure

On Mon, 23 Feb 2015 16:16:38 -0500 (EST)
cve-assign@...re.org wrote:

> > If the data ends with an unterminated multi-byte UTF8
> > sequence then libidn may copy data past the buffer into the result.
> 
> > https://github.com/jabberd2/jabberd2/issues/85
> 
> > the stringprep functions from libidn require the input to be valid
> > UTF8
> 
> > The libidn documentation claims "This function will not read or
> > write to characters outside that size." about the length of the
> > buffer that needs to be specified, but this is not true,
> 
> Use CVE-2015-2059 for this libidn out-of-bounds read issue. Possibly
> it could be argued that this is a borderline case for a CVE. However,
> the documentation says "This function will not read or write to
> characters outside that size" rather than "If the input is valid
> UTF-8, then this function will not read or write to characters outside
> that size." If the input is not valid UTF-8, then the function is
> entitled to undefined behavior within the bounds of the buffer.

Old thread, but I thought worth mentioning. This was already found by
Sam Varshavchik in 2013:
http://permalink.gmane.org/gmane.comp.gnu.libidn.general/462

As the CVE is already assigned I don't think this matters too much, but
maybe MITRE wants to reference that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.