Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Jul 2016 22:37:00 +0200
From: Andreas Stieger <andreas.stieger@...e.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: CVE request: multiple issues fixed in GNU libidn 1.33

Hello,

The GNU libidn 1.33 release was announced with the following:

https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html

> ** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
> See tests/tst_toascii64oob.c for regression check (and the comment in
> it how to use it).  Reported by Hanno Böck <address@...den>.

Test:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=9a1a7e15d0706634971364493fbb06e77e74726c
Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=d4c533a5d975bf49090d3cd40acd230b8f79dd32
Follow-up memory leak fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=11abd0e02c16f9e0b6944aea4ef0f2df44b42dd4

> ** idn: Solve out-of-bounds-read when reading one zero byte as input.
> Also replaced fgets with getline.  Reported by Hanno Böck <address@...den>.

Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041
Follow-up fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60

> ** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
> It was always documented to only accept UTF-8 data, but now it doesn't
> crash when presented with such data.  Reported by Hanno Böck.

Test / Fix:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555
Changelog:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1d2413555dcd1fef26b80445a00a4637965a2df0

Could CVEs please be assigned?

Thanks,
Andreas

-- 
Andreas Stieger <andreas.stieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.