The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.
CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-6261
libidn upstream fix: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d
The patch applies cleanly.
> > The patch applies cleanly.

(but unfortunately requires unrelated code that is not in glibc)
Already reported as bug 19728.
*** This bug has been marked as a duplicate of bug 19728 ***
*** This bug has been marked as a duplicate of bug 19729 ***
*** This bug has been marked as a duplicate of bug 19728 ***