From owner-freebsd-security@freebsd.org Tue Nov 26 23:27:38 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0B4521C4873 for ; Tue, 26 Nov 2019 23:27:38 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47N0S91FHbz4Nt3; Tue, 26 Nov 2019 23:27:36 +0000 (UTC) (envelope-from koobs.freebsd@gmail.com) Received: by mail-pj1-x102f.google.com with SMTP id r67so1261760pjb.0; Tue, 26 Nov 2019 15:27:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:reply-to:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=8uKDzyxtyElJAjdb9CN6pWNkLzFjh/6dS2/aOAYPXY8=; b=G6UDPHubR4/OgT6xmQfk4NwtgdW5JqB56tcxlvCL2v/lQFUGG74wWc7kshBcdw8Trz A4gRzVYOIEym9xgzc7XerEYk1PUy0fII4qsEaephF5D4SI2r8aaNebVCzT4AmX3++44+ azA668vELsAXpzmd3PwfDYVFZtKRROhajEvgtLrGWm0Gj9Y3h1fJiRE9VOWVs3lrVkHh Bv0QSJ5jmbfuB9GwPQgpOjc93vSk4CCdfsI6CO74Oo02aVDdQREf7n6oPsf7TdQQD7Tb ZBEeIZF6fx5IL//o+FLlTET5iwpQoLzH8B3pGX8NFC5rnqs+gAxbr1jv2f6ZKclft2pQ ZEYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:reply-to:subject:to:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=8uKDzyxtyElJAjdb9CN6pWNkLzFjh/6dS2/aOAYPXY8=; b=AwjqCXTtjuSEWMdFAc3wPF+Hbfbqtzo45wUjRQc8kjl7ZEryqXkPyUlfoVu9M7gfio cbEbaYLdOPoUc2WZg4/0m9qDJZYTOhwpiWQPC9X6k6LISmNncKiz9KGOkkV5D3y9bMNA iOAKL+nwJuZRKYGLOOmXwBUHKPk/Ee2dnMQh3OsPHmfAMquCDBgXsH2xbPc7P8wq27rH xZB5TeYB5rL4tiDWp4Y2fZsrG5Y0Lg77helW9l/91WYb9cnGdcnB7awnjivjXYJCDUJk z3iSFUVOEXXcZaKtqlJzW+LFo8FLvHjXJ3nmlTiC+zY7frhEcijIqNuqLYSKPdcCNz0p ZxNg== X-Gm-Message-State: APjAAAXoX5Cg1uPAGuVjZIjHk8VQ2HUUiVPf7tWgLkybHhqkTwGzlywj PeSfy6k4FUWX8GaWtgB/oaAomsRT X-Google-Smtp-Source: APXvYqyN1ZaeQIT4WY3sWhQlRkjBEo45IIvoPnTNcL7YQG/Vtd6qaKtps9xDWwz6nlQUYMOum9It+g== X-Received: by 2002:a17:90a:25a8:: with SMTP id k37mr1980654pje.127.1574810849814; Tue, 26 Nov 2019 15:27:29 -0800 (PST) Received: from [192.168.1.110] (180-150-68-130.b49644.syd.nbn.aussiebb.net. [180.150.68.130]) by smtp.gmail.com with ESMTPSA id m68sm14311215pfm.85.2019.11.26.15.27.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Nov 2019 15:27:29 -0800 (PST) Sender: Kubilay Kocak Reply-To: koobs@FreeBSD.org Subject: Re: libidn2 vulnerability To: "Wall, Stephen" , "freebsd-security@freebsd.org" , Sunpoet Po-Chuan Hsieh References: From: Kubilay Kocak Message-ID: <8a10ddfd-3fd8-f2f7-5918-07c76e9766db@FreeBSD.org> Date: Wed, 27 Nov 2019 10:27:25 +1100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Thunderbird/71.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 47N0S91FHbz4Nt3 X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=G6UDPHub; dmarc=none; spf=pass (mx1.freebsd.org: domain of koobsfreebsd@gmail.com designates 2607:f8b0:4864:20::102f as permitted sender) smtp.mailfrom=koobsfreebsd@gmail.com X-Spamd-Result: default: False [-3.05 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; HAS_REPLYTO(0.00)[koobs@FreeBSD.org]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; FORGED_SENDER(0.30)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; IP_SCORE(-0.85)[ipnet: 2607:f8b0::/32(-2.27), asn: 15169(-1.95), country: US(-0.05)]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; FROM_NEQ_ENVFROM(0.00)[koobs@FreeBSD.org,koobsfreebsd@gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; TAGGED_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[FreeBSD.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Nov 2019 23:27:38 -0000 On 27/11/2019 12:53 am, Wall, Stephen wrote: > Attempting to build dns/libidn2 in 2019Q4 results in this error: > > > libidn2-2.2.0 is vulnerable: > libidn2 -- roundtrip check vulnerability > CVE: CVE-2019-12290 > WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html > > > The cited link says "libidn2 before 2.2.0", as does the CVE. Is 2.2.0 actually vulnerable? Either the vulnerability database needs to be fixed, or version 2.3.0 should be ported from head. > > Thanks. > The vuxml entry, added in ports r517921 [1] for libidn2 currently declares: libidn2 < 2.3.0 If 2.2.0 fixed the vulnerability (and is not vulnerable), this should have been 'lt 2.2.0' instead. This appears to be the case. Note however, that the 2.2.0 update [2], which fixed the vulnerability was *not* marked for MFH (merging to the quarterly branch). The 2.3.0 update [3], which doesn't fix a vulnerability, just announces the CVE ID for the 2.2.0 fix, *has* been marked for MFH I agree that this is confusing. What I would do is: - Fix the vuxml entry (lt 2.2.0) - Merge the 2.2.0 update (ports r502513) - Also merge the 2.3.0 update (ports r517883) as its a bugfix release libidn2 maintainer (sunpoet) is CC'd [1] https://svnweb.freebsd.org/changeset/ports/517921 [2] http://svnweb.freebsd.org/changeset/ports/502513 [3] http://svnweb.freebsd.org/changeset/ports/517883 [4] https://gitlab.com/libidn/libidn2/blob/master/NEWS