forgot to cc maintainers... On Mon, Oct 02 2017, Jeremie Courreges-Anglas <[email protected]> wrote: > I noticed those through a debian security advisory. Dunno how > exploitable they are, but here are some more details: > > > http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8 > > https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 > > https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd > > https://nvd.nist.gov/vuln/detail/CVE-2017-14061 > > o CVE-2017-14061: Integer overflow in the _isBidi function in bidi.c in > Libidn2 before 2.0.4 allows remote attackers to cause a denial of > service or possibly have unspecified other impact. > > https://nvd.nist.gov/vuln/detail/CVE-2017-14062 > > o CVE-2017-14062: Integer overflow in the decode_digit function in > puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause > a denial of service or possibly have unspecified other impact. > > The changes look rather safe, but what do you folks think? Put this in > for 6.2? > > > Index: devel/libidn/Makefile > =================================================================== > RCS file: /d/cvs/ports/devel/libidn/Makefile,v > retrieving revision 1.31 > diff -u -p -r1.31 Makefile > --- devel/libidn/Makefile 30 Jul 2016 14:22:43 -0000 1.31 > +++ devel/libidn/Makefile 1 Oct 2017 22:21:13 -0000 > @@ -3,6 +3,7 @@ > COMMENT= internationalized string handling > > DISTNAME= libidn-1.33 > +REVISION= 0 > > SHARED_LIBS += idn 17.2 # 17.16 
> > @@ -29,5 +30,9 @@ CONFIGURE_ARGS= --disable-csharp \ > > post-extract: > rm ${WRKSRC}/contrib/doxygen/*.orig > + > +# hack to avoid regenerating docs > +post-patch: > + touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c > > .include <bsd.port.mk> > Index: devel/libidn/patches/patch-lib_punycode_c > =================================================================== > RCS file: devel/libidn/patches/patch-lib_punycode_c > diff -N devel/libidn/patches/patch-lib_punycode_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ devel/libidn/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000 > @@ -0,0 +1,27 @@ > +$OpenBSD$ > + > +commit e9e81b8063b095b02cf104bb992fa9bf9515b9d8 > +Author: Tim Rühsen <[email protected]> > +Date: Fri Sep 1 10:04:48 2017 +0200 > + > + lib/punycode.c (decode_digit): Fix integer overflow > + > + This fix is a backport from libidn2 and addresses > + CVE-2017-14062. > + > +Index: lib/punycode.c > +--- lib/punycode.c.orig > ++++ lib/punycode.c > +@@ -88,10 +88,10 @@ enum > + /* point (for use in representing integers) in the range 0 to */ > + /* base-1, or base if cp does not represent a value. */ > + > +-static punycode_uint > ++static unsigned > + decode_digit (punycode_uint cp) > + { > +- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 : > ++ return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 : > + cp - 97 < 26 ? cp - 97 : base; > + } > + > Index: devel/libidn2/Makefile > =================================================================== > RCS file: /d/cvs/ports/devel/libidn2/Makefile,v > retrieving revision 1.2 > diff -u -p -r1.2 Makefile > --- devel/libidn2/Makefile 18 Apr 2017 21:22:57 -0000 1.2 > +++ devel/libidn2/Makefile 1 Oct 2017 22:06:28 -0000 
> @@ -3,6 +3,7 @@ > COMMENT= implementation of IDNA2008 internationalized domain names > > DISTNAME= libidn2-2.0.0 > +REVISION= 0 > CATEGORIES= devel > HOMEPAGE= https://www.gnu.org/software/libidn/\#libidn2 > > Index: devel/libidn2/patches/patch-lib_bidi_c > =================================================================== > RCS file: devel/libidn2/patches/patch-lib_bidi_c > diff -N devel/libidn2/patches/patch-lib_bidi_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ devel/libidn2/patches/patch-lib_bidi_c 1 Oct 2017 22:06:28 -0000 > @@ -0,0 +1,30 @@ > +$OpenBSD$ > + > +Fix for CVE-2017-14061 > + > +commit 16853b6973a1e72fee2b7cccda85472cb9951305 > +Author: Tim Rühsen <[email protected]> > +Date: Tue Aug 1 11:15:10 2017 +0200 > + > + lib/bidi: Fix integer overflow (found by fuzzing) > + > +Index: lib/bidi.c > +--- lib/bidi.c.orig > ++++ lib/bidi.c > +@@ -30,6 +30,7 @@ > + > + #include "idn2.h" > + > ++#include <sys/types.h> > + #include <stdbool.h> > + > + #include "bidi.h" > +@@ -39,7 +40,7 @@ > + static bool > + _isBidi (const uint32_t *label, size_t llen) > + { > +- while (llen-- > 0) { > ++ for (; (ssize_t) llen > 0; llen--) { > + int bc = uc_bidi_category (*label++); > + > + if (bc == UC_BIDI_R || bc == UC_BIDI_AL || bc == UC_BIDI_AN) > Index: devel/libidn2/patches/patch-lib_punycode_c > =================================================================== > RCS file: devel/libidn2/patches/patch-lib_punycode_c > diff -N devel/libidn2/patches/patch-lib_punycode_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ devel/libidn2/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 > -0000 
> @@ -0,0 +1,27 @@ > +$OpenBSD$ > + > +Fix for CVE-2017-14062 > + > +commit 3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd > +Author: Tim Rühsen <[email protected]> > +Date: Tue Aug 1 11:16:47 2017 +0200 > + > + lib/puny_decode: Fix integer overflow (found by fuzzing) > + > +Index: lib/punycode.c > +--- lib/punycode.c.orig > ++++ lib/punycode.c > +@@ -94,10 +94,10 @@ enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp > + /* point (for use in representing integers) in the range 0 to */ > + /* base-1, or base if cp does not represent a value. */ > + > +-static punycode_uint decode_digit(punycode_uint cp) > ++static unsigned decode_digit(int cp) > + { > +- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 : > +- cp - 97 < 26 ? cp - 97 : base; > ++ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 : > ++ cp - 97 < 26 ? cp - 97 : base); > + } > + > + /* encode_digit(d,flag) returns the basic code point whose value */
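Review bot: in the devel/libidn/Makefile hunk, the post-patch `touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c` is tied to one file and the comment only says "hack to avoid regenerating docs" without naming which generated target would otherwise be rebuilt. Spell that out in the comment so whoever bumps the port next knows whether the workaround can be dropped, and so that a later patch to a second source file gets the same treatment rather than reintroducing the doc rebuild without explanation.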
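Review bot: in the devel/libidn patch-lib_punycode_c hunk, the `(unsigned)` cast on `cp - 48` changes nothing wherever punycode_uint and unsigned are both 32-bit, so the hunk silences a sanitizer report rather than altering behaviour, and the other two arms (`cp - 65 < 26`, `cp - 97 < 26`) still wrap in punycode_uint exactly as before. Either treat all three comparisons the same way or state in the patch header that the unsigned wrap is intentional and well defined; as written, a reader cannot tell why only the first arm was touched. The header also calls this a backport from libidn2, but the libidn2 hunk in the same diff changes `cp` to a signed `int`, which is a different change with different semantics.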
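Review bot: in the devel/libidn2 patch-lib_bidi_c hunk, `for (; (ssize_t) llen > 0; llen--)` makes `_isBidi` silently skip every label whose length exceeds SSIZE_MAX, since converting such a size_t to ssize_t is implementation-defined and in practice yields a negative value, so the function would return false for a label it never examined. The only overflow in the original `while (llen-- > 0)` is the post-test decrement wrapping to SIZE_MAX after the final, failing test, which is defined unsigned behaviour and harmless because the loop has already exited. `for (; llen > 0; llen--)` (with the body unchanged) avoids that decrement without a signed cast and does not need the added `#include <sys/types.h>`, which is a POSIX header rather than ISO C.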
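Review bot: in the devel/libidn2 patch-lib_punycode_c hunk, making `cp` an `int` turns `cp - 48 < 10` into a signed comparison that is true for every cp below 48, so for cp in 22..47 (space, '!', '-', '.', '/' and so on) the function returns `(unsigned) (cp - 22)`, i.e. a value in 0..25, which is below `base` and is therefore accepted by the caller as a valid digit instead of being rejected. The previous unsigned arithmetic relied on wraparound to make `cp - 48` huge for exactly those inputs. Replace the arithmetic trick with explicit range checks, e.g. `if (cp >= 48 && cp <= 57) return cp - 22;` and likewise for 65..90 and 97..122, else `return base;`, which has no overflow to sanitize and keeps the rejection behaviour.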
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
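As an added example (not code from libidn, libidn2, the quoted patches or the post above), the three shapes of punycode decode_digit() that come up in this thread, run over every byte value: the RFC 3492 reference form that relies on unsigned wraparound, the signed-int form of the libidn2 hunk, and an explicit range-check form. base = 36 comes from RFC 3492; treating punycode_uint as uint32_t is an assumption about the library typedef, and the helper names (via_rfc, count_accepted, extra_accepted_by_signed, checked_differs_from_rfc) are mine.

```c
/*
 * Added example, not code from libidn/libidn2 or the patches above.
 * Compares three shapes of punycode decode_digit() over every byte value.
 * Assumptions: base = 36 (RFC 3492); punycode_uint is taken to be uint32_t.
 */
#include <stdint.h>
#include <stdio.h>

enum { base = 36 };
typedef uint32_t punycode_uint;     /* assumed library typedef */

/* RFC 3492 reference form (libidn2 before the fix). Relies on unsigned
 * wraparound: for cp < 48, cp - 48 is huge, so the first test fails. */
static punycode_uint decode_digit_rfc(punycode_uint cp)
{
    return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
           cp - 97 < 26 ? cp - 97 : base;
}

/* Shape of the libidn2 hunk quoted in the thread: cp is a signed int, so
 * cp - 48 < 10 is a signed comparison and is true for every cp below 48. */
static unsigned decode_digit_signed(int cp)
{
    return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
                       cp - 97 < 26 ? cp - 97 : base);
}

/* Explicit range checks: nothing to wrap, nothing to sanitize, and the
 * same result as the RFC form for every code point. */
static unsigned decode_digit_checked(uint32_t cp)
{
    if (cp >= '0' && cp <= '9') return cp - '0' + 26; /* '0'..'9' -> 26..35 */
    if (cp >= 'A' && cp <= 'Z') return cp - 'A';      /* 'A'..'Z' ->  0..25 */
    if (cp >= 'a' && cp <= 'z') return cp - 'a';      /* 'a'..'z' ->  0..25 */
    return base;                                      /* not a digit */
}

/* Adapters so all three variants can be driven through one pointer type. */
static unsigned via_rfc(int cp)     { return decode_digit_rfc((punycode_uint) cp); }
static unsigned via_checked(int cp) { return decode_digit_checked((uint32_t) cp); }

/* Number of byte values 0..255 the variant accepts as a digit (result < base).
 * A punycode decoder treats anything >= base as bad input. */
static int count_accepted(unsigned (*fn)(int))
{
    int n = 0;
    for (int cp = 0; cp < 256; cp++)
        if (fn(cp) < base)
            n++;
    return n;
}

/* Byte values the signed-int variant accepts but the RFC form rejects. */
static int extra_accepted_by_signed(void)
{
    int n = 0;
    for (int cp = 0; cp < 256; cp++)
        if (decode_digit_signed(cp) < base && via_rfc(cp) >= base)
            n++;
    return n;
}

/* Byte values on which the range-check form and the RFC form disagree. */
static int checked_differs_from_rfc(void)
{
    int n = 0;
    for (int cp = 0; cp < 256; cp++)
        if (via_checked(cp) != via_rfc(cp))
            n++;
    return n;
}

int main(void)
{
    printf("accepted as digit: rfc=%d signed=%d checked=%d\n",
           count_accepted(via_rfc), count_accepted(decode_digit_signed),
           count_accepted(via_checked));
    /* List the bytes that only the signed-int variant lets through. */
    for (int cp = 0; cp < 256; cp++)
        if (decode_digit_signed(cp) < base && via_rfc(cp) >= base)
            printf("  byte 0x%02x ('%c') -> digit %u\n", cp,
                   cp >= 0x20 ? cp : '?', decode_digit_signed(cp));
    return 0;
}
```

The RFC and range-check forms accept the same 62 byte values (digits and ASCII letters); the signed-int form additionally accepts the 26 bytes 0x16..0x2f, mapping them to digits 0..25, which is the point the range-check version is there to avoid.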
