** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059

This function has always been documented to not validate that the input UTF-8 string is actually valid UTF-8. Like the rest of the API, when you call a function that works on UTF-8 data, you have to pass it valid UTF-8 data. Application writers appear to have difficulties using interfaces designed like that, as bugs triggered by invalid UTF-8 have been identified in a number of projects (jabberd2, gnutls, wget, and curl).

While we could introduce a new API to perform UTF-8 validation, so that applications can easily implement the proper checks, this appears error prone because there is a risk that the check will be forgotten. Instead, we took the more radical approach of modifying the documentation and the implementation of the API. The intention is that all functions that accept UTF-8 data should validate it before use. This will solve the problem for applications, without needing to change them.

This change has the unfortunate side-effect that Surrogate codes (see section 5.5 of RFC 3454) no longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error code, as the gnulib/libunistring-based code that we use to test UTF-8-compliance rejects Surrogate codes. We hope that this is an acceptable cost to live with in order to improve application security. We welcome feedback on this solution, and we are marking this release as beta rather than stable to signal that we may reconsider this approach if people disagree.

Reported by several people including Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos.

Source: http://git.savannah.gnu.org/cgit/libidn.git/plain/NEWS?id=libidn-1-31
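An added example (not libidn's or the port's own code) of the kind of up-front validation the NEWS entry describes: a strict UTF-8 to UCS-4 decoder that refuses malformed input before any of it is used, and that, like the libunistring-based check upstream adopted, rejects surrogate code points at the decoding stage rather than leaving them for the stringprep prohibited-table check. The function names and return codes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes, constructed for this example (not libidn's own). */
enum { UTF8_OK = 0, UTF8_INVALID = 1, UTF8_SURROGATE = 2 };

/* Decode one code point from s[0..len), len >= 1; returns bytes consumed, or
 * 0 with *err set. Rejects stray continuation bytes, truncated sequences,
 * overlong forms, surrogates U+D800..U+DFFF and values above U+10FFFF. */
static size_t utf8_decode_one(const unsigned char *s, size_t len,
                              uint32_t *cp, int *err)
{
    size_t need = 0; uint32_t c = 0, min = 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { need = 1; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { need = 2; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { need = 3; c = s[0] & 0x07; min = 0x10000; }
    else { *err = UTF8_INVALID; return 0; }            /* 0x80..0xBF, 0xF8..0xFF */
    if (len < need + 1) { *err = UTF8_INVALID; return 0; }   /* truncated */
    for (size_t i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80) { *err = UTF8_INVALID; return 0; }
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF) { *err = UTF8_INVALID; return 0; } /* overlong / too big */
    if (c >= 0xD800 && c <= 0xDFFF) { *err = UTF8_SURROGATE; return 0; }
    *cp = c;
    return need + 1;
}

/* Convert a whole UTF-8 buffer to UCS-4, validating every sequence before the
 * output is trusted. Writes at most outcap code points (out may be NULL with
 * outcap 0); *outlen, if given, receives the count decoded so far, which on
 * error marks where decoding stopped. */
int utf8_to_ucs4_strict(const char *in, size_t inlen,
                        uint32_t *out, size_t outcap, size_t *outlen)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t pos = 0, n = 0;
    while (pos < inlen) {
        uint32_t cp;
        int err = UTF8_OK;
        size_t used = utf8_decode_one(s + pos, inlen - pos, &cp, &err);
        if (used == 0) { if (outlen) *outlen = n; return err; }
        if (n < outcap) out[n] = cp;
        n++; pos += used;
    }
    if (outlen) *outlen = n;
    return UTF8_OK;
}
```

A caller that passes untrusted bytes to a UTF-8-only interface can gate on the return code, and the surrogate case shows the error-code shift the NEWS entry warns about: such input now fails as a decoding error, not as a prohibited character.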
Created attachment 159103 [details]
libidn-1.31.patch

Changelog:
- Update to upstream version 1.31
- Add USES=gmake to build on all supported FreeBSD releases

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5

Details:
- 1.3.1 update is a given. The item worth discussing is upstream's comment in their change log: "and we are marking this release as beta rather than stable to signal that we may reconsider this approach if people disagree."
- Add USES=gmake. libidn-1.30 and libidn-1.31 both build on FreeBSD 10+ where bmake is the default. I tested on 10.1-RELEASE, 10.2-BETA2, and 11-CURRENT. It will not build on 8.4-RELEASE and 9.3-RELEASE (shown below given the default fmake). This makes gmake the default so the port builds on all releases.

....
CC tlds.lo
CCLD libidn.la
Making all in po
Error expanding embedded variable.
*** [all-recursive] Error code 1
Created attachment 159104 [details]
security/vuxml for libidn out-of-bounds read issue with invalid UTF-8 input

Changelog:
Document libidn out-of-bounds read issue with invalid UTF-8 input

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5

Validation:
> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libidn-1.2.9
libidn-1.2.9 is vulnerable:
libidn -- out-of-bounds read issue with invalid UTF-8 input
CVE: CVE-2015-2059
WWW: https://vuxml.FreeBSD.org/freebsd/4caf01e2-30e6-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit libidn-1.3.1
0 problem(s) in the installed packages found.
Created attachment 159105 [details]
Poudriere testport log from 10.1-RELEASE jail

Poudriere log attached. The patch was also build tested in Poudriere on the following:
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p14 amd64
10.1-RELEASE-p14 i386
10.2-BETA2 amd64
10.2-BETA2 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
I can take this
Hi Mark, please commit it. Thanks.
A commit references this bug:

Author: feld
Date: Thu Jul 23 15:44:57 UTC 2015
New revision: 392734
URL: https://svnweb.freebsd.org/changeset/ports/392734

Log:
Document libidn out-of-bounds read issue with invalid UTF-8 input

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5

Changes:
head/security/vuxml/vuln.xml
vuxml <blockquote> was trimmed because it's a rather large wall of text full of unnecessary details that can be found by following the included links.
A commit references this bug:

Author: feld
Date: Thu Jul 23 15:49:51 UTC 2015
New revision: 392735
URL: https://svnweb.freebsd.org/changeset/ports/392735

Log:
Update to 1.31
Add USES=gmake to build on all supported FreeBSD releases

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5
MFH: 2015Q3

Changes:
head/dns/libidn/Makefile
head/dns/libidn/distinfo
head/dns/libidn/pkg-plist
A commit references this bug:

Author: feld
Date: Thu Jul 23 17:55:50 UTC 2015
New revision: 392742
URL: https://svnweb.freebsd.org/changeset/ports/392742

Log:
MFH: r392735

Update to 1.31
Add USES=gmake to build on all supported FreeBSD releases

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5
Approved by: ports-secteam (with hat)

Changes:
_U branches/2015Q3/
branches/2015Q3/dns/libidn/Makefile
branches/2015Q3/dns/libidn/distinfo
branches/2015Q3/dns/libidn/pkg-plist
Thanks Mark,

Any reason for keeping this open? We've got VuXML along with HEAD and 2015Q3.

(In reply to Mark Felder from comment #7)
Noted. Also noted keeping gmake sorted in USES. Thanks again!
No, just got distracted. Closing.
A commit references this bug:

Author: junovitch
Date: Mon Aug 3 10:20:59 UTC 2015
New revision: 393468
URL: https://svnweb.freebsd.org/changeset/ports/393468

Log:
Correct version range for libidn entry

PR: 201780
Security: CVE-2015-2059
Security: 4caf01e2-30e6-11e5-a4a5-002590263bf5
Approved by: feld (mentor)

Changes:
head/security/vuxml/vuln.xml