From owner-freebsd-security@freebsd.org  Tue Nov 26 13:53:48 2019
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8D3B91B7133
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Tue, 26 Nov 2019 13:53:48 +0000 (UTC)
 (envelope-from stephen.wall@redcom.com)
Received: from smtp1.redcom.com (smtp1.redcom.com [192.86.3.143])
 by mx1.freebsd.org (Postfix) with ESMTP id 47Mlk35JRhz3MRl
 for <freebsd-security@freebsd.org>; Tue, 26 Nov 2019 13:53:47 +0000 (UTC)
 (envelope-from stephen.wall@redcom.com)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.redcom.com (Postfix) with ESMTP id B0EA2A0F4
 for <freebsd-security@freebsd.org>; Tue, 26 Nov 2019 08:53:46 -0500 (EST)
X-Virus-Scanned: amavisd-new at redcom.com
Received: from smtp1.redcom.com ([127.0.0.1])
 by localhost (smtp1.redcom.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id XIV7anXHf2NF for <freebsd-security@freebsd.org>;
 Tue, 26 Nov 2019 08:53:44 -0500 (EST)
Received: from pie.redcom.com (pie [192.168.33.15])
 by smtp1.redcom.com (Postfix) with ESMTP id 77BACA0F3
 for <freebsd-security@freebsd.org>; Tue, 26 Nov 2019 08:53:44 -0500 (EST)
Received: from exch-03.redcom.com (exch-03.redcom.com [192.168.32.32])
 by pie.redcom.com (8.11.7p1+Sun/8.10.2) with ESMTP id xAQDriL14101
 for <freebsd-security@freebsd.org>; Tue, 26 Nov 2019 08:53:44 -0500 (EST)
Received: from exch-03.redcom.com (fd00::8549:68c0:3d5f:ee62) by
 exch-03.redcom.com (fd00::8549:68c0:3d5f:ee62) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.330.5; 
 Tue, 26 Nov 2019 08:53:44 -0500
Received: from exch-03.redcom.com ([fe80::a442:ce34:c9c8:268f]) by
 exch-03.redcom.com ([fe80::a442:ce34:c9c8:268f%3]) with mapi id
 15.02.0330.010; Tue, 26 Nov 2019 08:53:44 -0500
From: "Wall, Stephen" <stephen.wall@redcom.com>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: libidn2 vulnerability
Thread-Topic: libidn2 vulnerability
Thread-Index: AdWkX9Uan8UQDBTETa2kLMXbpeJuZw==
Date: Tue, 26 Nov 2019 13:53:44 +0000
Message-ID: <b1cfa58c457745f597071101e84a6f13@redcom.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.168.84.20]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Rspamd-Queue-Id: 47Mlk35JRhz3MRl
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of stephen.wall@redcom.com designates
 192.86.3.143 as permitted sender) smtp.mailfrom=stephen.wall@redcom.com
X-Spamd-Result: default: False [-3.19 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; HAS_XOIP(0.00)[];
 FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:192.86.3.143/32];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
 DMARC_NA(0.00)[redcom.com]; RCPT_COUNT_ONE(0.00)[1];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 IP_SCORE(-0.99)[ip: (-2.59), ipnet: 192.86.3.0/24(-1.29), asn: 46679(-1.03),
 country: US(-0.05)]; 
 RCVD_IN_DNSWL_NONE(0.00)[143.3.86.192.list.dnswl.org : 127.0.10.0];
 TO_DN_EQ_ADDR_ALL(0.00)[]; RCVD_NO_TLS_LAST(0.10)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:46679, ipnet:192.86.3.0/24, country:US];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_SEVEN(0.00)[7]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 13:53:48 -0000

Attempting to build dns/libidn2 in 2019Q4 results in this error:


libidn2-2.2.0 is vulnerable:
libidn2 -- roundtrip check vulnerability
CVE: CVE-2019-12290
WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913=
.html


The cited link says "libidn2 before 2.2.0", as does the CVE.  Is 2.2.0 actu=
ally vulnerable?  Either the vulnerability database needs to be fixed, or v=
ersion 2.3.0 should be ported from head.

Thanks.

--=20
Stephen Wall
Senior Staff Software Engineer
585.924.7550

REDCOM Laboratories, Inc.
One Redcom Center
Victor, NY 14564-0995
www.redcom.com

DUNS 09-166-5919 | CAGE 1U548
Woman Owned Small Business


From owner-freebsd-security@freebsd.org  Tue Nov 26 23:27:38 2019
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0B4521C4873
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Tue, 26 Nov 2019 23:27:38 +0000 (UTC)
 (envelope-from koobs.freebsd@gmail.com)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com
 [IPv6:2607:f8b0:4864:20::102f])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 47N0S91FHbz4Nt3;
 Tue, 26 Nov 2019 23:27:36 +0000 (UTC)
 (envelope-from koobs.freebsd@gmail.com)
Received: by mail-pj1-x102f.google.com with SMTP id r67so1261760pjb.0;
 Tue, 26 Nov 2019 15:27:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=sender:reply-to:subject:to:references:from:message-id:date
 :user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=8uKDzyxtyElJAjdb9CN6pWNkLzFjh/6dS2/aOAYPXY8=;
 b=G6UDPHubR4/OgT6xmQfk4NwtgdW5JqB56tcxlvCL2v/lQFUGG74wWc7kshBcdw8Trz
 A4gRzVYOIEym9xgzc7XerEYk1PUy0fII4qsEaephF5D4SI2r8aaNebVCzT4AmX3++44+
 azA668vELsAXpzmd3PwfDYVFZtKRROhajEvgtLrGWm0Gj9Y3h1fJiRE9VOWVs3lrVkHh
 Bv0QSJ5jmbfuB9GwPQgpOjc93vSk4CCdfsI6CO74Oo02aVDdQREf7n6oPsf7TdQQD7Tb
 ZBEeIZF6fx5IL//o+FLlTET5iwpQoLzH8B3pGX8NFC5rnqs+gAxbr1jv2f6ZKclft2pQ
 ZEYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:reply-to:subject:to:references:from
 :message-id:date:user-agent:mime-version:in-reply-to
 :content-language:content-transfer-encoding;
 bh=8uKDzyxtyElJAjdb9CN6pWNkLzFjh/6dS2/aOAYPXY8=;
 b=AwjqCXTtjuSEWMdFAc3wPF+Hbfbqtzo45wUjRQc8kjl7ZEryqXkPyUlfoVu9M7gfio
 cbEbaYLdOPoUc2WZg4/0m9qDJZYTOhwpiWQPC9X6k6LISmNncKiz9KGOkkV5D3y9bMNA
 iOAKL+nwJuZRKYGLOOmXwBUHKPk/Ee2dnMQh3OsPHmfAMquCDBgXsH2xbPc7P8wq27rH
 xZB5TeYB5rL4tiDWp4Y2fZsrG5Y0Lg77helW9l/91WYb9cnGdcnB7awnjivjXYJCDUJk
 z3iSFUVOEXXcZaKtqlJzW+LFo8FLvHjXJ3nmlTiC+zY7frhEcijIqNuqLYSKPdcCNz0p
 ZxNg==
X-Gm-Message-State: APjAAAXoX5Cg1uPAGuVjZIjHk8VQ2HUUiVPf7tWgLkybHhqkTwGzlywj
 PeSfy6k4FUWX8GaWtgB/oaAomsRT
X-Google-Smtp-Source: APXvYqyN1ZaeQIT4WY3sWhQlRkjBEo45IIvoPnTNcL7YQG/Vtd6qaKtps9xDWwz6nlQUYMOum9It+g==
X-Received: by 2002:a17:90a:25a8:: with SMTP id
 k37mr1980654pje.127.1574810849814; 
 Tue, 26 Nov 2019 15:27:29 -0800 (PST)
Received: from [192.168.1.110] (180-150-68-130.b49644.syd.nbn.aussiebb.net.
 [180.150.68.130])
 by smtp.gmail.com with ESMTPSA id m68sm14311215pfm.85.2019.11.26.15.27.27
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 26 Nov 2019 15:27:29 -0800 (PST)
Sender: Kubilay Kocak <koobs.freebsd@gmail.com>
Reply-To: koobs@FreeBSD.org
Subject: Re: libidn2 vulnerability
To: "Wall, Stephen" <stephen.wall@redcom.com>,
 "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>,
 Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org>
References: <b1cfa58c457745f597071101e84a6f13@redcom.com>
From: Kubilay Kocak <koobs@FreeBSD.org>
Message-ID: <8a10ddfd-3fd8-f2f7-5918-07c76e9766db@FreeBSD.org>
Date: Wed, 27 Nov 2019 10:27:25 +1100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101
 Thunderbird/71.0
MIME-Version: 1.0
In-Reply-To: <b1cfa58c457745f597071101e84a6f13@redcom.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 47N0S91FHbz4Nt3
X-Spamd-Bar: ---
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=gmail.com header.s=20161025 header.b=G6UDPHub;
 dmarc=none;
 spf=pass (mx1.freebsd.org: domain of koobsfreebsd@gmail.com designates
 2607:f8b0:4864:20::102f as permitted sender)
 smtp.mailfrom=koobsfreebsd@gmail.com
X-Spamd-Result: default: False [-3.05 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[];
 HAS_REPLYTO(0.00)[koobs@FreeBSD.org]; TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36];
 REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[3];
 DKIM_TRACE(0.00)[gmail.com:+];
 FORGED_SENDER(0.30)[koobs@FreeBSD.org,koobsfreebsd@gmail.com];
 IP_SCORE(-0.85)[ipnet: 2607:f8b0::/32(-2.27), asn: 15169(-1.95), country:
 US(-0.05)]; MIME_TRACE(0.00)[0:+];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 FROM_NEQ_ENVFROM(0.00)[koobs@FreeBSD.org,koobsfreebsd@gmail.com];
 MID_RHS_MATCH_FROM(0.00)[];
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; TAGGED_FROM(0.00)[];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[FreeBSD.org]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 RCVD_TLS_ALL(0.00)[]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 23:27:38 -0000

On 27/11/2019 12:53 am, Wall, Stephen wrote:
> Attempting to build dns/libidn2 in 2019Q4 results in this error:
> 
> 
> libidn2-2.2.0 is vulnerable:
> libidn2 -- roundtrip check vulnerability
> CVE: CVE-2019-12290
> WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html
> 
> 
> The cited link says "libidn2 before 2.2.0", as does the CVE.  Is 2.2.0 actually vulnerable?  Either the vulnerability database needs to be fixed, or version 2.3.0 should be ported from head.
> 
> Thanks.
> 

The vuxml entry, added in ports r517921 [1] for libidn2 currently declares:

  libidn2 < 2.3.0

If 2.2.0 fixed the vulnerability (and is not vulnerable), this should 
have been 'lt 2.2.0' instead. This appears to be the case.

Note however, that the 2.2.0 update [2], which fixed the vulnerability 
was *not* marked for MFH (merging to the quarterly branch).

The 2.3.0 update [3], which doesn't fix a vulnerability, just announces 
the CVE ID for the 2.2.0 fix, *has* been marked for MFH

I agree that this is confusing.

What I would do is:

- Fix the vuxml entry (lt 2.2.0)
- Merge the 2.2.0 update (ports r502513)
- Also merge the 2.3.0 update (ports r517883) as its a bugfix release

libidn2 maintainer (sunpoet) is CC'd

[1] https://svnweb.freebsd.org/changeset/ports/517921
[2] http://svnweb.freebsd.org/changeset/ports/502513
[3] http://svnweb.freebsd.org/changeset/ports/517883
[4] https://gitlab.com/libidn/libidn2/blob/master/NEWS