Bug 1191149 (CVE-2015-2058) - CVE-2015-2058 jabberd: buffer overflow when normalizing strings
Summary: CVE-2015-2058 jabberd: buffer overflow when normalizing strings
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-2058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1191150 1191151
Blocks: 1191152
TreeView+ depends on / blocked
 
Reported: 2015-02-10 14:44 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-04-30 09:00:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github jabberd2 jabberd2 issues 85 0 None None None Never

Description Vasyl Kaigorodov 2015-02-10 14:44:48 UTC 
A buffer overflow was found in the XMPP server jabberd2 when normalizing
strings that can lead to remote information disclosure [1]. When parsing a
JID, jabberd2 version 2.3.2 and below truncate the data but do not verify
whether the result is valid UTF8 before passing it to libidn. If the data ends
with an unterminated multi-byte UTF8 sequence then libidn may copy data past
the buffer into the result. This can be exploited by remote clients or remote
servers.

Cve was requested on oss-security:
http://seclists.org/oss-sec/2015/q1/487

[1]: https://github.com/jabberd2/jabberd2/issues/85
Comment 1 Vasyl Kaigorodov 2015-02-10 14:45:54 UTC 
Created jabberd tracking bugs for this issue:

Affects: fedora-all [bug 1191150]
Affects: epel-all [bug 1191151]
Note You need to log in before you can comment on or make changes to this bug.