Bug 201780 - dns/libidn: out-of-bounds read issue with invalid UTF-8 input (CVE-2015-2059)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2015-07-23 03:18 UTC by Jason Unovitch
Modified: 2015-08-03 10:21 UTC

bugzilla: maintainer-feedback? (gaod)


Attachments
libidn-1.31.patch (1.61 KB, patch)
2015-07-23 03:28 UTC, Jason Unovitch
no flags
security/vuxml for libidn out-of-bounds read issue with invalid UTF-8 input (2.93 KB, patch)
2015-07-23 03:30 UTC, Jason Unovitch
junovitch: maintainer-approval? (ports-secteam)
Poudriere testport log from 10.1-RELEASE jail (86.11 KB, text/x-log)
2015-07-23 03:33 UTC, Jason Unovitch
no flags

Description Jason Unovitch freebsd_committer freebsd_triage 2015-07-23 03:18:04 UTC
** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059

This function has always been documented to not validate that the input UTF-8 string is actually valid UTF-8.  Like the rest of the API, when you call a function that works on UTF-8 data, you have to pass it valid UTF-8 data.  Application writers appear to have difficulties using interfaces designed like that, as bugs triggered by invalid UTF-8 have been identified in a number of projects (jabberd2, gnutls, wget, and curl).  While we could introduce a new API to perform UTF-8 validation, so that applications can easily implement the proper checks, this appears error prone because there is a risk that the check will be forgotten.  Instead, we took the more radical approach of modifying the documentation and the implementation of the API.  The intention is that all functions that accept UTF-8 data should validate it before use.  This will solve the problem for applications, without needing to change them.  This change has the unfortunate side-effect that Surrogate codes (see section 5.5 of RFC 3454) no longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error code, as the gnulib/libunistring-based code that we use to test UTF-8-compliance rejects Surrogate codes.  We hope that this is an acceptable cost to live with in order to improve application security. We welcome feedback on this solution, and we are marking this release as beta rather than stable to signal that we may reconsider this approach if people disagree.  Reported by several people including Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos.

Source: http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-07-23 03:28:32 UTC
Created attachment 159103
libidn-1.31.patch

Changelog:

- Update to upstream version 1.31
- Add USES=gmake to build on all supported FreeBSD releases

PR:		201780
Security:	CVE-2015-2059
Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5


Details:
- 1.3.1 update is a given. The item worth discussing is upstream's comment in their change log:
"and we are marking this release as beta rather than stable to signal that we may reconsider this approach if people disagree."

- Add USES=gmake.  libidn-1.30 and libidn-1.31 both build on FreeBSD 10+ where bmake is the default.  I tested on 10.1-RELEASE, 10.2-BETA2, and 11-CURRENT.  It will not build on 8.4-RELEASE and 9.3-RELEASE (shown below given the default fmake).  This makes gmake the default so the port builds on all releases.

....
  CC       tlds.lo
  CCLD     libidn.la
Making all in po
Error expanding embedded variable.
*** [all-recursive] Error code 1
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-07-23 03:30:39 UTC
Created attachment 159104
security/vuxml for libidn out-of-bounds read issue with invalid UTF-8 input

Changelog:

Document libidn out-of-bounds read issue with invalid UTF-8 input

PR:		201780
Security:	CVE-2015-2059
Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5

Validation:
> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libidn-1.2.9
libidn-1.2.9 is vulnerable:
libidn -- out-of-bounds read issue with invalid UTF-8 input
CVE: CVE-2015-2059
WWW: https://vuxml.FreeBSD.org/freebsd/4caf01e2-30e6-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libidn-1.3.1
0 problem(s) in the installed packages found.
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-07-23 03:33:09 UTC
Created attachment 159105
Poudriere testport log from 10.1-RELEASE jail

Poudriere log attached.  The patch was also build tested in Poudriere on the following:

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p14     amd64
10.1-RELEASE-p14     i386
10.2-BETA2           amd64
10.2-BETA2           i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 4 Mark Felder freebsd_committer freebsd_triage 2015-07-23 15:40:20 UTC
I can take this
Comment 5 Hung-Yi Chen 2015-07-23 15:41:47 UTC
Hi Mark, please commit it. Thanks.
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-07-23 15:45:22 UTC
A commit references this bug:

Author: feld
Date: Thu Jul 23 15:44:57 UTC 2015
New revision: 392734
URL: https://svnweb.freebsd.org/changeset/ports/392734

Log:
  Document libidn out-of-bounds read issue with invalid UTF-8 input

  PR:		201780
  Security:	CVE-2015-2059
  Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Mark Felder freebsd_committer freebsd_triage 2015-07-23 15:47:38 UTC
vuxml <blockquote> was trimmed because it's a rather large wall of text full of unnecessary details that can be found by following the included links.
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-07-23 15:50:24 UTC
A commit references this bug:

Author: feld
Date: Thu Jul 23 15:49:51 UTC 2015
New revision: 392735
URL: https://svnweb.freebsd.org/changeset/ports/392735

Log:
  Update to 1.31
  Add USES=gmake to build on all supported FreeBSD releases

  PR:		201780
  Security:	CVE-2015-2059
  Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5
  MFH:		2015Q3

Changes:
  head/dns/libidn/Makefile
  head/dns/libidn/distinfo
  head/dns/libidn/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-07-23 17:56:42 UTC
A commit references this bug:

Author: feld
Date: Thu Jul 23 17:55:50 UTC 2015
New revision: 392742
URL: https://svnweb.freebsd.org/changeset/ports/392742

Log:
  MFH: r392735

  Update to 1.31
  Add USES=gmake to build on all supported FreeBSD releases

  PR:		201780
  Security:	CVE-2015-2059
  Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5
  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/dns/libidn/Makefile
  branches/2015Q3/dns/libidn/distinfo
  branches/2015Q3/dns/libidn/pkg-plist
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-07-24 00:46:56 UTC
Thanks Mark,
Any reason for keeping this open?  We've got VuXML along with HEAD and 2015Q3.

(In reply to Mark Felder from comment #7)
Noted.  Also noted keeping gmake sorted in USES.  Thanks again!
Comment 11 Mark Felder freebsd_committer freebsd_triage 2015-07-24 13:38:39 UTC
No, just got distracted.


Closing.
Comment 12 commit-hook freebsd_committer freebsd_triage 2015-08-03 10:21:14 UTC
A commit references this bug:

Author: junovitch
Date: Mon Aug  3 10:20:59 UTC 2015
New revision: 393468
URL: https://svnweb.freebsd.org/changeset/ports/393468

Log:
  Correct version range for libidn entry

  PR:		201780
  Security:	CVE-2015-2059
  Security:	4caf01e2-30e6-11e5-a4a5-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml