An out-of-bounds read flaw was found in libidn, which could potentially allow an attacker to disclose sensitive information from an application using the libidn library.
This flaw was identified along with a flaw in jabberd2 (CVE-2015-2058, bug 1191149). MITRE assigned a separate CVE for libidn with the following reasoning:
> The libidn documentation claims "This function will not read or write to
> characters outside that size." about the length of the buffer that needs to
> be specified, but this is not true,
Use CVE-2015-2059 for this libidn out-of-bounds read issue. Possibly
it could be argued that this is a borderline case for a CVE. However,
the documentation says "This function will not read or write to
characters outside that size" rather than "If the input is valid
UTF-8, then this function will not read or write to characters outside
that size." If the input is not valid UTF-8, then the function is
entitled to undefined behavior within the bounds of the buffer.
Related upstream issue:
Created libidn tracking bugs for this issue:
Affects: fedora-all [bug 1197797]
Note that this flaw does not affect libidn2 because it does not implement the stringprep function.
This issue affects the versions of libidn as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
*** Bug 1215275 has been marked as a duplicate of this bug. ***
Issue was fixed in version 1.31.
libidn-1.31-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libidn-1.31-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
It seems there was a bug in the new code and it's possible to crash libidn with malformed UTF-8.
The new 1.32 release fixes this issue.