CRUX

Welcome to CRUX bug tracking.
Tasklist

FS#1554 - Secutiry fix for libidn-1.33(CVE-2017-14062)

Attached to Project: CRUX
Opened by Lee (xeirrr) - Friday, 12 January 2018, 03:51 GMT
Last edited by Git commit closer (gitcloser) - Tuesday, 16 January 2018, 16:56 GMT
Task Type Bug Report
Category ports → core/opt
Status Closed
Assigned To Jose V Beneyto (sepen)
Operating System CRUX
Severity High
Priority High
Reported Version 3.3
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

This is a old CVE fix for libidn-1.33. The relative commit can be found in the following:

http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=6c8a9375641ca283b50f9680c90dcd57f9c44798

I combined the above and create an attachment named CVE-2017-14062.patch, please consider updating.
This task depends upon

Closed by  Git commit closer (gitcloser)
Tuesday, 16 January 2018, 16:56 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed by commit
Comment by Fredrik Rinnestam (frinnst) - Sunday, 14 January 2018, 20:28 GMT
Do you have a patch for the port?
Comment by Lee (xeirrr) - Tuesday, 16 January 2018, 08:09 GMT
See the attachment: CVE-2017-14062.patch. It can be applied for the port. If you can't see the attachment, see the following:

--- a/lib/punycode.c 2016-01-14 21:42:33.000000000 +0800
+++ b/lib/punycode.c 2018-01-12 11:36:58.027226633 +0800
@@ -88,11 +88,11 @@ enum
/* point (for use in representing integers) in the range 0 to */
/* base-1, or base if cp does not represent a value. */

-static punycode_uint
-decode_digit (punycode_uint cp)
+static unsigned
+decode_digit (int cp)
{
- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
- cp - 97 < 26 ? cp - 97 : base;
+ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ cp - 97 < 26 ? cp - 97 : base);
}

/* encode_digit(d,flag) returns the basic code point whose value */
--- a/tests/tst_idna.c 2016-01-14 21:42:33.000000000 +0800
+++ b/tests/tst_idna.c 2018-01-12 11:36:58.027226633 +0800
@@ -211,7 +211,7 @@ static const struct idna idna[] = {
'x', 'n', '-', '-', 'f', 'o', 0x3067},
IDNA_ACE_PREFIX "too long too long too long too long too long too "
"long too long too long too long too long ", 0,
- IDNA_CONTAINS_ACE_PREFIX, IDNA_PUNYCODE_ERROR}
+ IDNA_CONTAINS_ACE_PREFIX, IDNA_INVALID_LENGTH}
};

void
Comment by Fredrik Rinnestam (frinnst) - Tuesday, 16 January 2018, 08:28 GMT
I was thinking a complete patch for the port.

Have you actually tested the patch? When I did I encountered some odd behavior with automake.
Comment by Lee (xeirrr) - Tuesday, 16 January 2018, 16:48 GMT
Yeah,you are right. I only generated the patch and forgot to test it. The source code is generated with automake-1.14, so we need to regenerate it. Here is what I did in Pkgfile:

Add help2man(needed to generate manuals) and texinfo(nedded to generate .info files, avaliable in 6c37/crux-ports if you can add to opt/contrib) as dependencies...

Add CVE-2017-14062.patch to source=()

sed -i '25 s/10/15/' configure.ac # This bumps minimal required automake to 1.15.

autoreconf -f -i -v # regenerate configure

patch -p1 < $SRC/CVE-2017-14062.patch

Then install libidn-1.33 will succeed... I know it costs extra work, but what I can come up with....

Loading...