An out-of-bounds read flaw was found in libidn, which could potentially allow an attacker to disclose sensitive information from an application using the libidn library.

This flaw was identified along with a flaw in jabberd2 (CVE-2015-2058, bug 1191149). MITRE assigned a separate CVE for libidn with the following reasoning:

"""
> The libidn documentation claims "This function will not read or write to
> characters outside that size." about the length of the buffer that needs to
> be specified, but this is not true,

Use CVE-2015-2059 for this libidn out-of-bounds read issue. Possibly it could be argued that this is a borderline case for a CVE. However, the documentation says "This function will not read or write to characters outside that size" rather than "If the input is valid UTF-8, then this function will not read or write to characters outside that size." If the input is not valid UTF-8, then the function is entitled to undefined behavior within the bounds of the buffer.
"""

[http://seclists.org/oss-sec/2015/q1/672]

Related upstream issue: https://github.com/jabberd2/jabberd2/issues/85
Created libidn tracking bugs for this issue: Affects: fedora-all [bug 1197797]
Note that this flaw does not affect libidn2 because it does not implement the stringprep function.
Statement: This issue affects the versions of libidn as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
*** Bug 1215275 has been marked as a duplicate of this bug. ***
upstream commit: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279
Issue was fixed in version 1.31.
libidn-1.31-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libidn-1.31-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
It seems there was a bug in the new code and it's possible to crash libidn with malformed UTF-8.

http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf
https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html

The new 1.32 release fixes this issue.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-2059