This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

[Bug libc/22247] New: CVE-2017-14062 : Integer overflow in the decode_digit function in puny_decode.c in libidn


https://sourceware.org/bugzilla/show_bug.cgi?id=22247

            Bug ID: 22247
           Summary: CVE-2017-14062 : Integer overflow in the decode_digit
                    function in puny_decode.c in libidn
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: dilfridge at gentoo dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

In bug Gentoo-629466 [1] Jeroen Roovers found that glibc is vulnerable to the
same CVE-2017-14062 [2] as libidn is; see also bug Gentoo-632556 [3].

"Integer overflow in the decode_digit function in puny_decode.c in Libidn2
before 2.0.4 allows remote attackers to cause a denial of service or possibly
have unspecified other impact."

The backport to libidn-1, which should also apply to the glibc code, can be
found here [4].

[1] https://bugs.gentoo.org/show_bug.cgi?id=629466
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-14062
[3] https://bugs.gentoo.org/632556
[4] https://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8


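For readers who want to see where an integer overflow can arise in Punycode decoding, the following is an added illustration written for this archive page; it is not the glibc, libidn or libidn2 code, and it does not reproduce the specific defect behind CVE-2017-14062 or the change in the linked commit. It implements the RFC 3492 decode algorithm in C with explicit range checks in decode_digit (rather than the "cp - 48 < 10 ? cp - 22 : ..." form of the RFC sample, which only works because its operand is unsigned) and with the three overflow guards the RFC places around "i += digit * w", "w *= base - t" and "n += i / (out + 1)". The sample labels in main() are constructed for the demonstration; "bcher-kva" is the label of xn--bcher-kva and "n3h" is the label of xn--n3h.

```c
/* RFC 3492 Punycode decoder with explicit overflow guards.
 * Added illustration for this bug report: NOT libidn/libidn2/glibc code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };
#define PUNY_MAXINT UINT32_MAX   /* the RFC's "maxint" for i, w and n */

typedef enum { PUNY_OK = 0, PUNY_BAD_INPUT, PUNY_OVERFLOW,
               PUNY_BIG_OUTPUT } puny_status;

/* Map a basic code point to a base-36 digit; BASE means "not a digit".
 * Explicit range checks on a plain int: no reliance on unsigned
 * wraparound, and every out-of-range value (including negatives) is
 * rejected instead of mapping to a bogus digit. */
unsigned puny_decode_digit(int cp)
{
  if (cp >= '0' && cp <= '9') return (unsigned)(cp - '0' + 26);
  if (cp >= 'A' && cp <= 'Z') return (unsigned)(cp - 'A');
  if (cp >= 'a' && cp <= 'z') return (unsigned)(cp - 'a');
  return BASE;
}

/* Bias adaptation, RFC 3492 section 6.1. */
static uint32_t puny_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
  uint32_t k = 0;
  delta = firsttime ? delta / DAMP : delta >> 1;
  delta += delta / numpoints;
  while (delta > ((BASE - TMIN) * TMAX) / 2) { delta /= BASE - TMIN; k += BASE; }
  return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode one label (without "xn--") into code points.
 * *out_len is the buffer capacity on entry, the decoded length on exit. */
puny_status puny_decode(const char *input, size_t in_len,
                        uint32_t *output, size_t *out_len)
{
  size_t max_out = *out_len, out = 0, b = 0, in;
  uint32_t n = INITIAL_N, i = 0, bias = INITIAL_BIAS;

  for (size_t j = 0; j < in_len; j++)      /* basic part ends at last '-' */
    if (input[j] == '-') b = j;
  if (b > max_out) return PUNY_BIG_OUTPUT;
  for (size_t j = 0; j < b; j++) {
    if ((unsigned char)input[j] >= 0x80) return PUNY_BAD_INPUT;
    output[out++] = (unsigned char)input[j];
  }
  for (in = b > 0 ? b + 1 : 0; in < in_len; out++) {
    uint32_t oldi = i, w = 1, k, digit, t;
    for (k = BASE; ; k += BASE) {
      if (in >= in_len) return PUNY_BAD_INPUT;
      digit = puny_decode_digit((unsigned char)input[in++]);
      if (digit >= BASE) return PUNY_BAD_INPUT;
      if (digit > (PUNY_MAXINT - i) / w) return PUNY_OVERFLOW; /* i += digit*w */
      i += digit * w;
      t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      if (w > PUNY_MAXINT / (BASE - t)) return PUNY_OVERFLOW;  /* w *= base-t */
      w *= BASE - t;
    }
    bias = puny_adapt(i - oldi, (uint32_t)(out + 1), oldi == 0);
    if (i / (out + 1) > PUNY_MAXINT - n) return PUNY_OVERFLOW; /* n += i/(out+1) */
    n += i / (uint32_t)(out + 1);
    i %= (uint32_t)(out + 1);
    if (out >= max_out) return PUNY_BIG_OUTPUT;
    memmove(output + i + 1, output + i, (out - i) * sizeof *output);
    output[i++] = n;
  }
  *out_len = out;
  return PUNY_OK;
}

/* Helpers for checks: does `label` decode exactly to `expected[0..n)`? */
int puny_decodes_to(const char *label, const uint32_t *expected, size_t n)
{
  uint32_t cps[64]; size_t len = 64;
  if (puny_decode(label, strlen(label), cps, &len) != PUNY_OK) return 0;
  return len == n && memcmp(cps, expected, n * sizeof *cps) == 0;
}
/* Status of decoding `label` into a buffer of `capacity` code points. */
puny_status puny_status_of(const char *label, size_t capacity)
{
  uint32_t cps[64]; size_t len = capacity > 64 ? 64 : capacity;
  return puny_decode(label, strlen(label), cps, &len);
}

int main(void)
{
  const char *labels[] = { "bcher-kva", "n3h", "bcher-kv" };  /* constructed */
  for (size_t l = 0; l < 3; l++) {
    uint32_t cps[64]; size_t len = 64;
    puny_status st = puny_decode(labels[l], strlen(labels[l]), cps, &len);
    printf("%-10s status=%d:", labels[l], st);
    for (size_t j = 0; st == PUNY_OK && j < len; j++) printf(" U+%04X", cps[j]);
    printf("\n");
  }
  return 0;
}
```

The three guards are the ones a reviewer should look for in any Punycode decoder: each is checked before the multiplication or addition it protects, and the digit mapping itself rejects anything outside the three ASCII ranges rather than producing a value the caller then treats as a digit.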