List:       oss-security
Subject:    [oss-security] Re: CVE Request: jabberd remote information disclosure
From:       cve-assign () mitre ! org
Date:       2015-02-23 21:16:38
Message-ID: 20150223211638.C124242E00E () smtpvbsrv1 ! mitre ! org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> When parsing a JID, jabberd2 version 2.3.2 and below truncate the data
> but do not verify whether the result is valid UTF8 before passing it
> to libidn.

Use CVE-2015-2058 for this jabberd2 vulnerability in which truncation
fails to preserve the validity of the input, because the truncation
occurs on a byte boundary that is not necessarily a character
boundary. (The resulting invalid input has security-relevant
mishandling within the current version of a required library, and it's
reasonable to expect that security-relevant mishandling could occur in
other cases.)

> If the data ends with an unterminated multi-byte UTF8
> sequence then libidn may copy data past the buffer into the result.

> https://github.com/jabberd2/jabberd2/issues/85

> the stringprep functions from libidn require the input to be valid UTF8

> The libidn documentation claims "This function will not read or write
> to characters outside that size." about the length of the buffer that
> needs to be specified, but this is not true,

Use CVE-2015-2059 for this libidn out-of-bounds read issue. Possibly
it could be argued that this is a borderline case for a CVE. However,
the documentation says "This function will not read or write to
characters outside that size" rather than "If the input is valid
UTF-8, then this function will not read or write to characters outside
that size." If the input is not valid UTF-8, then the function is
entitled to undefined behavior within the bounds of the buffer.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU65hlAAoJEKllVAevmvmsW34H/ipX4VQsrkAIbksSpkx4Q22i
ClWlsfzlzu7cgqyvuLbgVVt5FqHRqM6aSjcDwkWcB0gXUH/WzzyyHS4iOIomTxld
GUQQ1J+1G2/cuwLKdlpjeFM9Gs9E5wNoVPv7VZwBoFegWmyipfr7afZ9AHn9BmP4
FPe5Md6smDf7x5g/mecqlQQ28YyYBDNWWvYG9Q0HaKoc1fpUP4hPA3hznx/5xb+V
2ln4SGQu/62sZJySzNhw4Y70xJ5lEXL8C5pnS4KA6kslNYEEsVPT6hiNMcrsQEUM
zgB5HJuLnoB2FuCl1ZihCXVDwz7HA/YyvX6S4u/XAS0DEspi0B89SkRTMjDDzCI=
=cEQY
-----END PGP SIGNATURE-----