I noticed those through a Debian security advisory. Dunno how exploitable they are, but here are some more details:
http://git.savannah.gnu.org/gitweb/?p=libidn.git;a=commitdiff;h=e9e81b8063b095b02cf104bb992fa9bf9515b9d8
https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305
https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
https://nvd.nist.gov/vuln/detail/CVE-2017-14061
o CVE-2017-14061: Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
https://nvd.nist.gov/vuln/detail/CVE-2017-14062
o CVE-2017-14062: Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
The changes look rather safe, but what do you folks think? Put this in for 6.2?
Index: devel/libidn/Makefile
===================================================================
RCS file: /d/cvs/ports/devel/libidn/Makefile,v
retrieving revision 1.31
diff -u -p -r1.31 Makefile
--- devel/libidn/Makefile 30 Jul 2016 14:22:43 -0000 1.31
+++ devel/libidn/Makefile 1 Oct 2017 22:21:13 -0000
@@ -3,6 +3,7 @@
 COMMENT= internationalized string handling
 DISTNAME= libidn-1.33
+REVISION= 0
 SHARED_LIBS += idn 17.2 # 17.16
@@ -29,5 +30,9 @@ CONFIGURE_ARGS= --disable-csharp \
 post-extract:
 rm ${WRKSRC}/contrib/doxygen/*.orig
+
+# hack to avoid regenerating docs
+post-patch:
+ touch -r ${WRKSRC}/lib/punycode.c${PATCHORIG} ${WRKSRC}/lib/punycode.c
 .include <bsd.port.mk>
Index: devel/libidn/patches/patch-lib_punycode_c
===================================================================
RCS file: devel/libidn/patches/patch-lib_punycode_c
diff -N devel/libidn/patches/patch-lib_punycode_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+commit e9e81b8063b095b02cf104bb992fa9bf9515b9d8
+Author: Tim Rühsen <[email protected]>
+Date: Fri Sep 1 10:04:48 2017 +0200
+
+ lib/punycode.c (decode_digit): Fix integer overflow
+
+ This fix is a backport from libidn2 and addresses
+ CVE-2017-14062.
+
+Index: lib/punycode.c
+--- lib/punycode.c.orig
++++ lib/punycode.c
+@@ -88,10 +88,10 @@ enum
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value. */
+
+-static punycode_uint
++static unsigned
+ decode_digit (punycode_uint cp)
+ {
+- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
++ return (unsigned) cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ cp - 97 < 26 ? cp - 97 : base;
+ }
+
Index: devel/libidn2/Makefile
===================================================================
RCS file: /d/cvs/ports/devel/libidn2/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- devel/libidn2/Makefile 18 Apr 2017 21:22:57 -0000 1.2
+++ devel/libidn2/Makefile 1 Oct 2017 22:06:28 -0000
@@ -3,6 +3,7 @@
 COMMENT= implementation of IDNA2008 internationalized domain names
 DISTNAME= libidn2-2.0.0
+REVISION= 0
 CATEGORIES= devel
 HOMEPAGE= https://www.gnu.org/software/libidn/\#libidn2
Index: devel/libidn2/patches/patch-lib_bidi_c
===================================================================
RCS file: devel/libidn2/patches/patch-lib_bidi_c
diff -N devel/libidn2/patches/patch-lib_bidi_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn2/patches/patch-lib_bidi_c 1 Oct 2017 22:06:28 -0000
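Review bot: In `decode_digit` in devel/libidn/patches/patch-lib_punycode_c, the added `(unsigned)` cast binds to `cp` alone rather than to `cp - 48`, and `cp` is already declared `punycode_uint`; the `cp - 65 < 26` and `cp - 97 < 26` tests are untouched. If `punycode_uint` is an unsigned type of the same width as `unsigned` (its typedef is outside the hunk, so this is an assumption to confirm), the only effective change is the return type, and it is worth checking that the backport actually alters behaviour for CVE-2017-14062 before counting it as the fix. The three range tests depend on unsigned wraparound to reject code points below each lower bound, so a comment above the return such as `/* range checks rely on unsigned wraparound: cp below the lower bound wraps to a large value */` would stop a later edit from converting them to signed arithmetic.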
@@ -0,0 +1,30 @@
+$OpenBSD$
+
+Fix for CVE-2017-14061
+
+commit 16853b6973a1e72fee2b7cccda85472cb9951305
+Author: Tim Rühsen <[email protected]>
+Date: Tue Aug 1 11:15:10 2017 +0200
+
+ lib/bidi: Fix integer overflow (found by fuzzing)
+
+Index: lib/bidi.c
+--- lib/bidi.c.orig
++++ lib/bidi.c
+@@ -30,6 +30,7 @@
+
+ #include "idn2.h"
+
++#include <sys/types.h>
+ #include <stdbool.h>
+
+ #include "bidi.h"
+@@ -39,7 +40,7 @@
+ static bool
+ _isBidi (const uint32_t *label, size_t llen)
+ {
+- while (llen-- > 0) {
++ for (; (ssize_t) llen > 0; llen--) {
+ int bc = uc_bidi_category (*label++);
+
+ if (bc == UC_BIDI_R || bc == UC_BIDI_AL || bc == UC_BIDI_AN)
Index: devel/libidn2/patches/patch-lib_punycode_c
===================================================================
RCS file: devel/libidn2/patches/patch-lib_punycode_c
diff -N devel/libidn2/patches/patch-lib_punycode_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ devel/libidn2/patches/patch-lib_punycode_c 1 Oct 2017 22:06:28 -0000
@@ -0,0 +1,27 @@
+$OpenBSD$
+
+Fix for CVE-2017-14062
+
+commit 3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
+Author: Tim Rühsen <[email protected]>
+Date: Tue Aug 1 11:16:47 2017 +0200
+
+ lib/puny_decode: Fix integer overflow (found by fuzzing)
+
+Index: lib/punycode.c
+--- lib/punycode.c.orig
++++ lib/punycode.c
+@@ -94,10 +94,10 @@ enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp
+ /* point (for use in representing integers) in the range 0 to */
+ /* base-1, or base if cp does not represent a value. */
+
+-static punycode_uint decode_digit(punycode_uint cp)
++static unsigned decode_digit(int cp)
+ {
+- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+- cp - 97 < 26 ? cp - 97 : base;
++ return (unsigned) (cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
++ cp - 97 < 26 ? cp - 97 : base);
+ }
+
+ /* encode_digit(d,flag) returns the basic code point whose value */
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
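Review bot: The `(ssize_t)` cast in the new `_isBidi` loop condition is not needed to stop the counter wrapping. The wraparound presumably came from the post-decrement in `while (llen-- > 0)`, which `for (; llen > 0; llen--) {` already removes while staying in `size_t`. With the cast, any `llen` above the `ssize_t` maximum converts to a negative value (implementation-defined) and the loop is skipped, so such a label would not be scanned at all. Dropping the cast would also make the `<sys/types.h>` include added by the first inner hunk unnecessary. The rest of the loop body and the function's return are outside the hunk.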
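Review bot: Changing `decode_digit`'s parameter to `int cp` in devel/libidn2/patches/patch-lib_punycode_c makes the three range tests signed, so they no longer reject values below each lower bound. Any `cp` under 48 satisfies `cp - 48 < 10`, and the function returns `cp - 22` instead of `base`. For `cp` from 22 to 47 that result is 0 to 25, which the comment above the function describes as a valid digit value, so ASCII punctuation in that range (for example `.`, 46) would be decoded as a digit unless the caller, which is outside this hunk, filters it first. Explicit bounds keep the original accept/reject behaviour without relying on wraparound: `return cp >= 48 && cp < 58 ? cp - 22 : cp >= 65 && cp < 91 ? cp - 65 :` followed by `cp >= 97 && cp < 123 ? cp - 97 : base;`.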
