Created attachment 9039 [details] sample input. libidn's stringprep_utf8_nfkc_normalize function may read out of bounds if an invalid utf-8 string gets passed. glibc bundles libidn. This has been fixed upstream here: http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commit;h=1fbee57ef3c72db2206dd87e4162108b2f425555 Attached is a sample input that can be triggered with idn -n. Found with american fuzzy lop.
*** Bug 22334 has been marked as a duplicate of this bug. ***
*** Bug 22333 has been marked as a duplicate of this bug. ***
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, master has been updated via 7f9f1ecb710eac4d65bb02785ddf288cac098323 (commit) from 5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7f9f1ecb710eac4d65bb02785ddf288cac098323 commit 7f9f1ecb710eac4d65bb02785ddf288cac098323 Author: Florian Weimer <fweimer@redhat.com> Date: Wed May 23 15:26:19 2018 +0200 Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247] This provides an implementation of the IDNA2008 standard and fixes CVE-2016-6261, CVE-2016-6263, CVE-2017-14062. ----------------------------------------------------------------------- Summary of changes: ChangeLog | 64 + LICENSES | 69 - NEWS | 24 +- config.h.in | 3 - include/dlfcn.h | 2 +- include/idna.h | 8 - inet/Makefile | 12 +- inet/Versions | 2 + inet/getnameinfo.c | 56 +- inet/idna.c | 182 + inet/idna_name_classify.c | 75 + inet/net-internal.h | 27 + inet/tst-idna_name_classify.c | 73 + libidn/Makefile | 34 - libidn/Versions | 6 - libidn/gunicomp.h | 658 --- libidn/gunidecomp.h |10362 ---------------------------------- libidn/iconvme.c | 171 - libidn/iconvme.h | 25 - libidn/idn-stub.c | 142 - libidn/idna.c | 834 --- libidn/idna.h | 96 - libidn/nfkc.c | 1057 ---- libidn/profiles.c | 308 - libidn/punycode.c | 454 -- libidn/punycode.h | 214 - libidn/rfc3454.c | 3544 ------------ libidn/shlib-versions | 1 - libidn/stringprep.c | 668 --- libidn/stringprep.h | 209 - libidn/toutf8.c | 150 - nscd/gai.c | 3 - resolv/Makefile | 24 +- resolv/netdb.h | 16 +- resolv/tst-no-libidn2.c | 2 + resolv/tst-resolv-ai_idn-common.c | 569 ++ resolv/tst-resolv-ai_idn-latin1.c | 50 + resolv/tst-resolv-ai_idn-nolibidn2.c | 151 + resolv/tst-resolv-ai_idn.c | 49 + support/support_format_addrinfo.c | 2 - sysdeps/posix/getaddrinfo.c | 81 +- sysdeps/unix/inet/Subdirs | 1 - sysdeps/unix/inet/configure | 9 - sysdeps/unix/inet/configure.ac | 7 - 44 files changed, 1351 insertions(+), 19143 deletions(-) delete mode 100644 include/idna.h create mode 100644 inet/idna.c create mode 100644 inet/idna_name_classify.c create mode 100644 inet/tst-idna_name_classify.c delete mode 100644 libidn/Makefile delete mode 100644 libidn/Versions delete mode 100644 libidn/gunicomp.h delete mode 100644 libidn/gunidecomp.h delete mode 100644 libidn/iconvme.c delete mode 100644 libidn/iconvme.h delete mode 100644 libidn/idn-stub.c delete mode 100644 libidn/idna.c delete mode 100644 libidn/idna.h delete mode 100644 libidn/nfkc.c delete mode 100644 libidn/profiles.c delete mode 100644 libidn/punycode.c delete mode 100644 libidn/punycode.h delete mode 100644 libidn/rfc3454.c delete mode 100644 libidn/shlib-versions delete mode 100644 libidn/stringprep.c delete mode 100644 libidn/stringprep.h delete mode 100644 libidn/toutf8.c create mode 100644 resolv/tst-no-libidn2.c create mode 100644 resolv/tst-resolv-ai_idn-common.c create mode 100644 resolv/tst-resolv-ai_idn-latin1.c create mode 100644 resolv/tst-resolv-ai_idn-nolibidn2.c create mode 100644 resolv/tst-resolv-ai_idn.c delete mode 100644 sysdeps/unix/inet/configure delete mode 100644 sysdeps/unix/inet/configure.ac
Fixed in 2.28.
If FIXED you presumably want to mark this bug (and 22247) as FIXED (and set the milestone in the case of 22247).
(In reply to joseph@codesourcery.com from comment #5) > If FIXED you presumably want to mark this bug (and 22247) as FIXED (and > set the milestone in the case of 22247). I thought I did that? But the Bugzilla updates took a very long time.