From: Leo Famulari
Subject: libidn security update
Date: Fri, 2 Sep 2016 02:40:33 -0400
Message-ID: <20160902064033.GA14316@jasmine>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

The last release of libidn, 1.33, fixed these bugs:

https://security-tracker.debian.org/tracker/CVE-2015-8948
https://security-tracker.debian.org/tracker/CVE-2016-6261
https://security-tracker.debian.org/tracker/CVE-2016-6263

We already have libidn 1.33 on core-updates.

Quoted from the release announcement [0]:

** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i. See
tests/tst_toascii64oob.c for regression check (and the comment in it how
to use it). Reported by Hanno Böck.

** idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline. Reported by Hanno Böck.

** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was
always documented to only accept UTF-8 data, but now it doesn't crash
when presented with such data. Reported by Hanno Böck.

** Dropped valgrind suppressions file, should no longer be needed.

** API and ABI is backwards compatible with the previous version.

[0] https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
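Two of the quoted entries share one lesson: a routine documented to accept only UTF-8 (stringprep_utf8_nfkc_normalize) still has to verify its input before walking it, and a reader that takes raw bytes (the idn tool's zero-byte case) has to work from an explicit length rather than a NUL terminator. The validator below is an added example written for this post; it is not code from libidn, from the release announcement, or from Guix. It checks well-formedness per RFC 3629 and is the kind of gate one would place in front of a normalizer; the function name utf8_is_valid, the demo labels and the sample byte strings are all constructed for illustration.

```c
/* Added example, not libidn or Guix code: a strict UTF-8 well-formedness
 * check (RFC 3629 / Unicode Table 3-7) to run before handing bytes to a
 * normalizer such as stringprep_utf8_nfkc_normalize.  It works from an
 * explicit byte length, so an embedded zero byte is just another byte
 * and never truncates the walk over the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if s[0..n) is well-formed UTF-8, 0 otherwise.  Rejects
 * overlong forms (C0/C1, E0 80..9F, F0 80..8F), UTF-16 surrogates
 * (ED A0..BF), code points above U+10FFFF (F4 90.., F5..FF), stray
 * continuation bytes and sequences cut off by the end of the buffer. */
int utf8_is_valid(const uint8_t *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t b = s[i];
        size_t need;                  /* continuation bytes that must follow */
        uint8_t lo = 0x80, hi = 0xBF; /* allowed range for the 2nd byte */

        if (b < 0x80) { i++; continue; }                     /* ASCII */
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b == 0xE0) { need = 2; lo = 0xA0; }         /* no overlong */
        else if (b >= 0xE1 && b <= 0xEC) need = 2;
        else if (b == 0xED) { need = 2; hi = 0x9F; }         /* no surrogates */
        else if (b == 0xEE || b == 0xEF) need = 2;
        else if (b == 0xF0) { need = 3; lo = 0x90; }         /* no overlong */
        else if (b >= 0xF1 && b <= 0xF3) need = 3;
        else if (b == 0xF4) { need = 3; hi = 0x8F; }         /* <= U+10FFFF */
        else return 0;                /* 80..C1 or F5..FF can never lead */

        if (n - i - 1 < need) return 0;                      /* truncated */
        if (s[i + 1] < lo || s[i + 1] > hi) return 0;
        for (size_t k = 2; k <= need; k++)
            if ((s[i + k] & 0xC0) != 0x80) return 0;
        i += need + 1;
    }
    return 1;
}

/* Stand-alone demo over constructed byte strings (labels are ours). */
int main(void)
{
    static const struct { const char *label; const char *bytes; size_t len; } samples[] = {
        { "ASCII label",                 "example.org",       11 },
        { "valid 2-byte (o-umlaut)",     "B\xC3\xB6" "ck",    5  },
        { "valid 4-byte (U+1F600)",      "\xF0\x9F\x98\x80",  4  },
        { "single zero byte",            "\0",                1  },
        { "overlong NUL (C0 80)",        "\xC0\x80",          2  },
        { "UTF-16 surrogate (ED A0 80)", "\xED\xA0\x80",      3  },
        { "truncated 3-byte sequence",   "\xE2\x82",          2  },
        { "above U+10FFFF (F4 90 ..)",   "\xF4\x90\x80\x80",  4  },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i].label,
               utf8_is_valid((const uint8_t *)samples[i].bytes, samples[i].len)
                   ? "accept" : "reject");
    return 0;
}
```

The second-byte range table is what makes the check strict: a decoder that only tests the high bits of continuation bytes accepts overlong encodings and surrogates, which is exactly the kind of input a normalizer documented as "UTF-8 only" was never written to survive. Passing the length explicitly, as getline reports it, also means a lone zero byte is classified like any other byte instead of ending the scan early.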