idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string. Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420 Upstream commit: https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c
Created libidn2 tracking bugs for this issue: Affects: epel-all [bug 1764782] Affects: fedora-all [bug 1764781] Created mingw-libidn2 tracking bugs for this issue: Affects: epel-7 [bug 1764784] Affects: fedora-all [bug 1764783]
Is there a specific reason for bug #1764781 and bug #1764782, as libidn2-2.2.0-1 (or later) is shipped on all Fedora and EPEL branches for months now…
(In reply to Robert Scheck from comment #2) > Is there a specific reason for bug #1764781 and bug #1764782, as > libidn2-2.2.0-1 (or later) is shipped on all Fedora and EPEL branches for > months now… Hi Robert, You can close the bug #1764781 and bug #1764782 since it's not affected.
Analysis: This is essentially an overflow in the idn2_to_ascii_4i() function which converts zero terminated input Unicode (UCS-4) string. to ASCII strings and can be triggered with a very long input strings. Note: This function is however deprecated in newer versions of the library and replaced by: idn2_to_ascii_4i2()