Bug 1154884 (CVE-2019-12290)

Summary: VUL-0: CVE-2019-12290: libidn2: Improper roundtrip checks when converting A-labels to U-labels
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/245498/
Whiteboard: CVSSv3:SUSE:CVE-2019-12290:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVSSv2:NVD:CVE-2019-12290:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-10-23 15:31:42 UTC
CVE-2019-12290

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

References:

https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de
https://gitlab.com/libidn/libidn2/merge_requests/71

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1764345
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290
https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de
https://gitlab.com/libidn/libidn2/merge_requests/71
Comment 1 Alexandros Toptsoglou 2019-10-23 15:34:45 UTC
Tracked SUSE:SLE-15 as affected
Comment 2 Tomáš Chvátal 2019-10-24 09:20:25 UTC
Package changelog update sent to TW and updated version sent to SLE15.
Comment 3 Swamp Workflow Management 2019-10-24 09:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1154884) was mentioned in
https://build.opensuse.org/request/show/742496 Factory / libidn2
Comment 5 Swamp Workflow Management 2019-11-28 14:13:21 UTC
SUSE-SU-2019:3086-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1154884,1154887
CVE References: CVE-2019-12290,CVE-2019-18224
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libidn2-2.2.0-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libidn2-2.2.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libidn2-2.2.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libidn2-2.2.0-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-12-03 17:11:37 UTC
openSUSE-SU-2019:2613-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1154884,1154887
CVE References: CVE-2019-12290,CVE-2019-18224
Sources used:
openSUSE Leap 15.0 (src):    libidn2-2.2.0-lp150.2.3.1
Comment 7 Swamp Workflow Management 2019-12-03 17:12:55 UTC
openSUSE-SU-2019:2611-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1154884,1154887
CVE References: CVE-2019-12290,CVE-2019-18224
Sources used:
openSUSE Leap 15.1 (src):    libidn2-2.2.0-lp151.3.3.1
Comment 8 Alexandros Toptsoglou 2020-07-10 13:35:10 UTC
Done