CVE-2019-12290
https://notcve.org/view.php?id=CVE-2019-12290
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. GNU libidn2 versiones anteriores a 2.2.0, no puede realizar las comprobaciones de ida y vuelta especificadas en RFC3490 Sección 4.2, cuando se convierte etiquetas A en etiquetas U. Esto hace posible en algunas circunstancias que un dominio se haga pasar por otro. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5 https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de https://gitlab.com/libidn/libidn2/merge_requests/71 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFT76Y7OSGPZV3EBEHD6ISVUM3DLARM https://lists.fedoraproject.org/archives/list/package • CWE-20: Improper Input Validation •
CVE-2019-18224
https://notcve.org/view.php?id=CVE-2019-18224
idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string. La función idn2_to_ascii_4i en la biblioteca lib/lookup.c en GNU libidn2 versiones anteriores a 2.1.1, presenta un desbordamiento del búfer en la región heap de la memoria por medio de una cadena de dominio larga. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420 https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ https://lists.fedoraproject • CWE-787: Out-of-bounds Write •
CVE-2017-14061
https://notcve.org/view.php?id=CVE-2017-14061
Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. Una vulnerabilidad de desbordamiento de enteros en la función _isBidi de bidi.c en Libidn2 en versiones anteriores a la 2.0.4 permite a los atacantes remotos provocar una denegación de servicio y posiblemente otro impacto no especificado. • https://gitlab.com/libidn/libidn2/blob/master/NEWS https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 • CWE-190: Integer Overflow or Wraparound •
CVE-2017-14062
https://notcve.org/view.php?id=CVE-2017-14062
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact. Una vulnerabilidad de desbordamiento de enteros en la función puny_decode.c en Libidn2 en versiones anteriores a la 2.0.4 permite a los atacantes remotos provocar una denegación de servicio y posiblemente otro impacto no especificado. • http://www.debian.org/security/2017/dsa-3988 https://gitlab.com/libidn/libidn2/blob/master/NEWS https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html • CWE-190: Integer Overflow or Wraparound •