Bug#948898: stretch-pu: package libidn/1.33-1

2020-01-24 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2020-01-14 at 17:01 +0100, Santiago R.R. wrote:
> as suggested by Salvatore, I would like to propose fixing CVE-2017-14062
> (#873903) in libidn via an update to stretch. Please find the debdiff
> attached. The tests I have made are described above.
> 

Please go ahead.

Regards,

Adam



Bug#948898: stretch-pu: package libidn/1.33-1

2020-01-14 Thread Santiago R.R.
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

On 13/12/19 at 23:39, Salvatore Bonaccorso wrote:
> Hi Santiago,
> 
> On Mon, Jul 09, 2018 at 07:54:39PM +0200, Santiago R.R. wrote:
> > > On 27/06/18 at 00:01, Santiago R.R. wrote:
> > > > On 10/06/18 at 14:49, Moritz Mühlenhoff wrote:
> > > > > On Sun, Jun 10, 2018 at 10:24:29AM +0200, Santiago R.R. wrote:
> > > > > > On 30/04/18 at 12:20, Santiago wrote:
> > > > > > > On Tue, 12 Sep 2017 10:05:25 +0000 Ondřej Surý wrote:
> > > > > …
> > > > > > 
> > > > > > Hi Ondřej, security team,
> > > > > > 
> > > > > > CVE-2017-14062 has been fixed in wheezy, but still open in jessie and
> > > > > > stretch. Are you willing to fix it? Would you like some help?
> > > > > 
> > > > > Dear security-team,
> > > > > 
> > > > > Please find attached the debdiffs (s/santiago-//) for both jessie and
> > > > > stretch. Could you please review them and let me know if they are OK to
> > > > > be uploaded?
> > > > 
> > > > debdiffs per se are not really saving us any work. What's more important
> > > > is a description of all the tests you made with a build of your patches
> > > > in oldstable and stable.
> > > 
...
> > > AFAIU, the decode_digit function, modified by the patch, is used by
> > > punycode_decode, and in turn, by idna.c's idna_to_unicode_internal, and
> > > this by different public functions.
> > > 
> > > I am not aware of any PoC to test the issue. So to test the patch I
> > > tried the libidn idn tool, and queried encoded/decoded internationalized
> > > qnames against local resolvers.
> > > 
> > > idn can encode to and decode from punycode:
> > > 
> > > santiago@stretch:~$ idn -e árbol
> > > rbol-4na
> > > 
> > > And to confirm the encoded punycode is reversible:
> > > 
> > > santiago@stretch:~$ idn -e árbol | idn -d
> > > árbol
> > > 
> > > I tested two local resolvers that depend on libidn11: dnsmasq in jessie,
> > > and getdns in stretch. I have accessed different internationalized qnames
> > > via elinks (which also depends on libidn11), in both UTF-8 and
> > > ACE (ASCII Compatible Encoding) encoded form, e.g. xn--j1ay.xn--p1ai.
> > > Just to be sure, I rebuilt those three packages: dnsmasq, getdns and
> > > elinks.
> > > 
> > > Should that be OK?
> > > 
> > > Please tell me if you think any further testing is needed, or if you
> > > have any other concern.
> > 
...
> 
> While reviewing some older issues I re-encountered CVE-2017-14062.
> 
> Could you fix this via upcoming stretch point release?
> 
> Regards,
> Salvatore

Dear release team,

as suggested by Salvatore, I would like to propose fixing CVE-2017-14062
(#873903) in libidn via an update to stretch. Please find the debdiff
attached. The tests I have made are described above.

Please let me know if it's OK to upload it.

Cheers,

 -- Santiago
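The tests described in the thread exercise punycode_decode only indirectly, through the idn tool and two resolvers. As an added example, not libidn's code and not part of this bug report, the following self-contained RFC 3492 label decoder in C shows the two properties a reviewer of a decode_digit fix wants to see: the digit lookup takes a plain int, so a byte outside [0-9A-Za-z] is rejected rather than arithmetically mapped, and every multiply-add on the insertion index and weight is checked against UINT32_MAX before it is performed. It decodes the page's `rbol-4na` back to `árbol` and the `p1ai` label of `xn--p1ai`, and rejects a stray 0xFF byte and a constructed run of high digits that would otherwise wrap. All function and constant names, error codes and sample inputs are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 parameters. Names are this example's own, not libidn's. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128, DELIMITER = '-' };
enum { PUNY_OK = 0, PUNY_BAD_INPUT, PUNY_BIG_OUTPUT, PUNY_OVERFLOW };

/* Map one input byte to its base-36 value, or BASE if it is not a digit.
 * The argument is a plain int (the caller passes an unsigned char), so a
 * byte >= 0x80 can neither go negative nor wrap into a valid digit. */
static uint32_t decode_digit(int cp)
{
    if (cp >= '0' && cp <= '9') return (uint32_t)(cp - '0' + 26);
    if (cp >= 'A' && cp <= 'Z') return (uint32_t)(cp - 'A');
    if (cp >= 'a' && cp <= 'z') return (uint32_t)(cp - 'a');
    return BASE;
}

/* Bias adaptation, RFC 3492 section 6.1. */
static uint32_t adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
    uint32_t k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
        delta /= BASE - TMIN;
        k += BASE;
    }
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode one Punycode label (without any "xn--" prefix) into code points.
 * On entry *output_len is the capacity of output; on success it holds the
 * number of code points written. */
int punycode_decode(const char *input, size_t input_len,
                    uint32_t *output, size_t *output_len)
{
    uint32_t n = INITIAL_N, bias = INITIAL_BIAS, i = 0;
    size_t max_out = *output_len, out = 0, b = 0, j, in;

    /* Everything before the last '-' is copied through as basic code points. */
    for (j = 0; j < input_len; j++)
        if (input[j] == DELIMITER) b = j;
    if (b > max_out) return PUNY_BIG_OUTPUT;
    for (j = 0; j < b; j++) {
        if ((unsigned char)input[j] >= 0x80) return PUNY_BAD_INPUT;
        output[out++] = (unsigned char)input[j];
    }

    for (in = b > 0 ? b + 1 : 0; in < input_len; ) {
        uint32_t oldi = i, w = 1, k, digit, t;
        for (k = BASE; ; k += BASE) {
            if (in >= input_len) return PUNY_BAD_INPUT;   /* truncated label */
            digit = decode_digit((unsigned char)input[in++]);
            if (digit >= BASE) return PUNY_BAD_INPUT;      /* not [0-9A-Za-z] */
            if (digit > (UINT32_MAX - i) / w) return PUNY_OVERFLOW;
            i += digit * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if (digit < t) break;
            if (w > UINT32_MAX / (BASE - t)) return PUNY_OVERFLOW;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)out + 1, oldi == 0);
        if (i / (out + 1) > UINT32_MAX - n) return PUNY_OVERFLOW;
        n += (uint32_t)(i / (out + 1));
        i %= (uint32_t)(out + 1);
        if (out >= max_out) return PUNY_BIG_OUTPUT;
        memmove(output + i + 1, output + i, (out - i) * sizeof *output);
        output[i++] = n;
        out++;
    }
    *output_len = out;
    return PUNY_OK;
}

/* Wrappers so results can be checked without parsing printed output. */
int decode_status(const char *label)
{
    uint32_t buf[64];
    size_t len = 64;
    return punycode_decode(label, strlen(label), buf, &len);
}

/* Code point at position idx of the decoded label, or UINT32_MAX on any error. */
uint32_t decoded_cp(const char *label, size_t idx)
{
    uint32_t buf[64];
    size_t len = 64;
    if (punycode_decode(label, strlen(label), buf, &len) != PUNY_OK || idx >= len)
        return UINT32_MAX;
    return buf[idx];
}

int main(void)
{
    /* Constructed inputs: the page's two labels, a stray high byte, and a
     * run of '9' digits whose weight wraps 32 bits after the 8th digit. */
    const char *labels[] = { "rbol-4na", "p1ai", "rbol-4n\xff", "999999999999" };
    for (size_t l = 0; l < 4; l++) {
        uint32_t buf[64];
        size_t len = 64, c;
        int rc = punycode_decode(labels[l], strlen(labels[l]), buf, &len);
        printf("%-14s -> status %d", labels[l], rc);
        for (c = 0; rc == PUNY_OK && c < len; c++) printf(" U+%04X", buf[c]);
        putchar('\n');
    }
    return 0;
}
```

The overflow checks are the ones RFC 3492 itself specifies in its reference decoder; the point of putting them beside the int-typed decode_digit is that a fix for a digit-mapping overflow is only complete when the accumulation that consumes those digits is bounded as well.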
diff -Nru libidn-1.33/debian/changelog libidn-1.33/debian/changelog
--- libidn-1.33/debian/changelog2016-07-21 10:25:59.0 +0200
+++ libidn-1.33/debian/changelog2020-01-14 15:42:19.0 +0100
@@ -1,3 +1,15 @@
+libidn (1.33-1+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-14062: An integer overflow vulnerability in libidn's Punycode
+handling (an encoding used to convert Unicode characters to ASCII) which
+would have allowed remote attackers to cause a denial of service.
+  * Import 0004-Update-Makefile.gdoc-to-use-GDOC_BIN-instead-of-hard.patch
+from unstable to avoid a FTBFS.
+- Add textinfo to Build-Deps.
+
+ -- Santiago R.R.   Tue, 14 Jan 2020 15:42:19 +0100
+
 libidn (1.33-1) unstable; urgency=low
 
   * New upstream release.
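Review bot: the sub-item `- Add textinfo to Build-Deps.` misspells the package; the control hunk adds `texinfo`, so the changelog should say the same. The CVE entry should also reference the bug it fixes, e.g. `Fix CVE-2017-14062 (Closes: #873903): ...`, so the BTS closes #873903 when the upload is accepted, and it would help review to name the patch file that carries the fix, as the second entry does for the FTBFS patch.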
diff -Nru libidn-1.33/debian/control libidn-1.33/debian/control
--- libidn-1.33/debian/control  2016-07-21 10:22:20.0 +0200
+++ libidn-1.33/debian/control  2020-01-14 15:28:51.0 +0100
@@ -4,7 +4,7 @@
 Maintainer: Debian Libidn Team 
 Uploaders: Anibal Monsalve Salazar , Simon Josefsson 

 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), gcj-jdk [!arm !hppa !hurd-i386 !mips64el], 
fastjar [!arm !hppa !hurd-i386 !mips64el], dh-autoreconf, autopoint (>= 0.19.3)
+Build-Depends: debhelper (>= 9), gcj-jdk [!arm !hppa !hurd-i386 !mips64el], 
fastjar [!arm !hppa !hurd-i386 !mips64el], dh-autoreconf, autopoint (>= 
0.19.3), texinfo
 Homepage: https://www.gnu.org/software/libidn/
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/libidn.git
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/libidn.git
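Review bot: `texinfo` is added unconditionally to Build-Depends, but neither this hunk nor the changelog says which build step needs it after the Makefile.gdoc/GDOC_BIN patch is applied; a short justification in the changelog (e.g. that documentation is regenerated during the build) would let the release team confirm the FTBFS is addressed. If it is only needed to regenerate the manual, `Build-Depends-Indep` would be the more precise field.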
diff -Nru 
libidn-1.33/debian/patches/0004-Update-Makefile.gdoc-to-use-GDOC_BIN-instead-of-hard.patch
 
libidn-1.33/debian/patches/0004-Update-Makefile.gdoc-to-use-GDOC_BIN-instead-of-hard.patch
--- 
libidn-1.33/debian/patches/0004-Update-Makefile.gdoc-to-use-GDOC_BIN-instead-of-hard.patch
  1970-01-01 01:00:00.0 +0100
+++