cnvd - cnvd-2015-05402

cnvd-2015-05402

Vulnerability from cnvd

Title

jabberd2 libidn缓冲区溢出漏洞

Description

jabberd2是一款基于XMMP（一种以XML为基础的开放式实时通信协议）的即时聊天服务器。libidn是一个通过IETF国际域名（IDN）实施字符串预处理、Punycode和IDNA规格定义的包。 jabberd2中使用的libidn 1.30及之前版本的‘stringprep_utf8_to_ucs4’函数中存在安全漏洞，攻击者可借助字符串中无效的UTF-8字符利用该漏洞读取系统内存。

Severity

中

Patch Name

jabberd2 libidn缓冲区溢出漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279

Reference

http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html

Impacted products

Name
libidn project libidn <= 1.30

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-2059"
    }
  },
  "description": "jabberd2\u662f\u4e00\u6b3e\u57fa\u4e8eXMMP\uff08\u4e00\u79cd\u4ee5XML\u4e3a\u57fa\u7840\u7684\u5f00\u653e\u5f0f\u5b9e\u65f6\u901a\u4fe1\u534f\u8bae\uff09\u7684\u5373\u65f6\u804a\u5929\u670d\u52a1\u5668\u3002libidn\u662f\u4e00\u4e2a\u901a\u8fc7IETF\u56fd\u9645\u57df\u540d\uff08IDN\uff09\u5b9e\u65bd\u5b57\u7b26\u4e32\u9884\u5904\u7406\u3001Punycode\u548cIDNA\u89c4\u683c\u5b9a\u4e49\u7684\u5305\u3002 \r\n\r\njabberd2\u4e2d\u4f7f\u7528\u7684libidn 1.30\u53ca\u4e4b\u524d\u7248\u672c\u7684\u2018stringprep_utf8_to_ucs4\u2019\u51fd\u6570\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5b57\u7b26\u4e32\u4e2d\u65e0\u6548\u7684UTF-8\u5b57\u7b26\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u7cfb\u7edf\u5185\u5b58\u3002",
  "discovererName": "Fedora Project",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05402",
  "openTime": "2015-08-20",
  "patchDescription": "jabberd2\u662f\u4e00\u6b3e\u57fa\u4e8eXMMP\uff08\u4e00\u79cd\u4ee5XML\u4e3a\u57fa\u7840\u7684\u5f00\u653e\u5f0f\u5b9e\u65f6\u901a\u4fe1\u534f\u8bae\uff09\u7684\u5373\u65f6\u804a\u5929\u670d\u52a1\u5668\u3002libidn\u662f\u4e00\u4e2a\u901a\u8fc7IETF\u56fd\u9645\u57df\u540d\uff08IDN\uff09\u5b9e\u65bd\u5b57\u7b26\u4e32\u9884\u5904\u7406\u3001Punycode\u548cIDNA\u89c4\u683c\u5b9a\u4e49\u7684\u5305\u3002 \r\n\r\njabberd2\u4e2d\u4f7f\u7528\u7684libidn 1.30\u53ca\u4e4b\u524d\u7248\u672c\u7684\u2018stringprep_utf8_to_ucs4\u2019\u51fd\u6570\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u501f\u52a9\u5b57\u7b26\u4e32\u4e2d\u65e0\u6548\u7684UTF-8\u5b57\u7b26\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u7cfb\u7edf\u5185\u5b58\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "jabberd2 libidn\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "libidn project libidn \u003c= 1.30"
  },
  "referenceLink": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html",
  "serverity": "\u4e2d",
  "submitTime": "2015-08-14",
  "title": "jabberd2 libidn\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2015-2059 (GCVE-0-2015-2059)

Vulnerability from cvelistv5

Published

2015-08-12 14:00

Modified

2024-08-06 05:02

Severity ?

CWE

Summary

The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.

References

URL

Tags

	http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html	vendor-advisory, x_refsource_FEDORA
	http://www.debian.org/security/2016/dsa-3578	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html	vendor-advisory, x_refsource_SUSE
	https://github.com/jabberd2/jabberd2/issues/85	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html	vendor-advisory, x_refsource_SUSE
	http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162549.html	vendor-advisory, x_refsource_FEDORA
	http://www.securityfocus.com/bid/72736	vdb-entry, x_refsource_BID
	http://www.openwall.com/lists/oss-security/2015/02/23/25	mailing-list, x_refsource_MLIST
	http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-3068-1	vendor-advisory, x_refsource_UBUNTU