Bug 19729 (CVE-2016-6263) - out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_normalize (CVE-2016-6263)
Summary: out of bounds heap read on invalid utf-8 inputs in stringprep_utf8_nfkc_norma...
Status: RESOLVED FIXED
Alias: CVE-2016-6263
Product: glibc
Classification: Unclassified
Component: network (show other bugs)
Version: 2.23
: P2 normal
Target Milestone: 2.28
Assignee: Florian Weimer
URL:
Keywords:
: 22334 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-02-25 12:25 UTC by Hanno Boeck
Modified: 2018-05-23 16:58 UTC (History)
3 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
sample input. (9 bytes, application/octet-stream)
2016-02-25 12:25 UTC, Hanno Boeck
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Boeck 2016-02-25 12:25:48 UTC
Created attachment 9039 [details]
sample input.

libidn's stringprep_utf8_nfkc_normalize function may read out of bounds if an invalid utf-8 string gets passed. glibc bundles libidn.

This has been fixed upstream here:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=1fbee57ef3c72db2206dd87e4162108b2f425555

Attached is a sample input that can be triggered with idn -n.

Found with american fuzzy lop.
Comment 1 Florian Weimer 2018-01-10 18:36:08 UTC
*** Bug 22334 has been marked as a duplicate of this bug. ***
Comment 2 Florian Weimer 2018-01-10 18:36:44 UTC
*** Bug 22333 has been marked as a duplicate of this bug. ***
Comment 3 cvs-commit@gcc.gnu.org 2018-05-23 13:28:08 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  7f9f1ecb710eac4d65bb02785ddf288cac098323 (commit)
      from  5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f9f1ecb710eac4d65bb02785ddf288cac098323

commit 7f9f1ecb710eac4d65bb02785ddf288cac098323
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 23 15:26:19 2018 +0200

    Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247]
    
    This provides an implementation of the IDNA2008 standard and fixes
    CVE-2016-6261, CVE-2016-6263, CVE-2017-14062.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                            |   64 +
 LICENSES                             |   69 -
 NEWS                                 |   24 +-
 config.h.in                          |    3 -
 include/dlfcn.h                      |    2 +-
 include/idna.h                       |    8 -
 inet/Makefile                        |   12 +-
 inet/Versions                        |    2 +
 inet/getnameinfo.c                   |   56 +-
 inet/idna.c                          |  182 +
 inet/idna_name_classify.c            |   75 +
 inet/net-internal.h                  |   27 +
 inet/tst-idna_name_classify.c        |   73 +
 libidn/Makefile                      |   34 -
 libidn/Versions                      |    6 -
 libidn/gunicomp.h                    |  658 ---
 libidn/gunidecomp.h                  |10362 ----------------------------------
 libidn/iconvme.c                     |  171 -
 libidn/iconvme.h                     |   25 -
 libidn/idn-stub.c                    |  142 -
 libidn/idna.c                        |  834 ---
 libidn/idna.h                        |   96 -
 libidn/nfkc.c                        | 1057 ----
 libidn/profiles.c                    |  308 -
 libidn/punycode.c                    |  454 --
 libidn/punycode.h                    |  214 -
 libidn/rfc3454.c                     | 3544 ------------
 libidn/shlib-versions                |    1 -
 libidn/stringprep.c                  |  668 ---
 libidn/stringprep.h                  |  209 -
 libidn/toutf8.c                      |  150 -
 nscd/gai.c                           |    3 -
 resolv/Makefile                      |   24 +-
 resolv/netdb.h                       |   16 +-
 resolv/tst-no-libidn2.c              |    2 +
 resolv/tst-resolv-ai_idn-common.c    |  569 ++
 resolv/tst-resolv-ai_idn-latin1.c    |   50 +
 resolv/tst-resolv-ai_idn-nolibidn2.c |  151 +
 resolv/tst-resolv-ai_idn.c           |   49 +
 support/support_format_addrinfo.c    |    2 -
 sysdeps/posix/getaddrinfo.c          |   81 +-
 sysdeps/unix/inet/Subdirs            |    1 -
 sysdeps/unix/inet/configure          |    9 -
 sysdeps/unix/inet/configure.ac       |    7 -
 44 files changed, 1351 insertions(+), 19143 deletions(-)
 delete mode 100644 include/idna.h
 create mode 100644 inet/idna.c
 create mode 100644 inet/idna_name_classify.c
 create mode 100644 inet/tst-idna_name_classify.c
 delete mode 100644 libidn/Makefile
 delete mode 100644 libidn/Versions
 delete mode 100644 libidn/gunicomp.h
 delete mode 100644 libidn/gunidecomp.h
 delete mode 100644 libidn/iconvme.c
 delete mode 100644 libidn/iconvme.h
 delete mode 100644 libidn/idn-stub.c
 delete mode 100644 libidn/idna.c
 delete mode 100644 libidn/idna.h
 delete mode 100644 libidn/nfkc.c
 delete mode 100644 libidn/profiles.c
 delete mode 100644 libidn/punycode.c
 delete mode 100644 libidn/punycode.h
 delete mode 100644 libidn/rfc3454.c
 delete mode 100644 libidn/shlib-versions
 delete mode 100644 libidn/stringprep.c
 delete mode 100644 libidn/stringprep.h
 delete mode 100644 libidn/toutf8.c
 create mode 100644 resolv/tst-no-libidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn-common.c
 create mode 100644 resolv/tst-resolv-ai_idn-latin1.c
 create mode 100644 resolv/tst-resolv-ai_idn-nolibidn2.c
 create mode 100644 resolv/tst-resolv-ai_idn.c
 delete mode 100644 sysdeps/unix/inet/configure
 delete mode 100644 sysdeps/unix/inet/configure.ac
Comment 4 Florian Weimer 2018-05-23 13:31:25 UTC
Fixed in 2.28.
Comment 5 joseph@codesourcery.com 2018-05-23 16:57:02 UTC
If FIXED you presumably want to mark this bug (and 22247) as FIXED (and 
set the milestone in the case of 22247).
Comment 6 Florian Weimer 2018-05-23 16:58:02 UTC
(In reply to joseph@codesourcery.com from comment #5)
> If FIXED you presumably want to mark this bug (and 22247) as FIXED (and 
> set the milestone in the case of 22247).

I thought I did that?  But the Bugzilla updates took a very long time.