1764345 – (CVE-2019-12290) CVE-2019-12290 libidn2: Improper roundtrip checks when converting A-labels to U-labels

Bug 1764345 (CVE-2019-12290) - CVE-2019-12290 libidn2: Improper roundtrip checks when converting A-labels to U-labels

Summary: CVE-2019-12290 libidn2: Improper roundtrip checks when converting A-labels to...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-12290
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1772703 1773229
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-22 20:10 UTC by Pedro Sampaio
Modified:	2021-10-27 10:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:49:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2019-10-22 20:10:44 UTC

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

References:

https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de
https://gitlab.com/libidn/libidn2/merge_requests/71

Note You need to log in before you can comment on or make changes to this bug.