CVE-2015-2059
Published: 12 August 2015
The stringprep_utf8_to_ucs4 function in libidn before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
Notes
Author | Note |
---|---|
sbeattie | libidn2-0 does not appear to implement stringprep. |
mdeslaur | This CVE was fixed in 1.31 and regression fixed in 1.32 |
Priority
Status
Package | Release | Status |
---|---|---|
libidn | lucid | Ignored (reached end-of-life) |
libidn | precise | Released (1.23-2ubuntu0.1) |
libidn | trusty | Released (1.28-1ubuntu2.1) |
libidn | upstream | Released (1.32) |
libidn | utopic | Ignored (reached end-of-life) |
libidn | vivid | Ignored (reached end-of-life) |
libidn | wily | Ignored (reached end-of-life) |
libidn | xenial | Not vulnerable (1.32-3ubuntu1) |
libidn | yakkety | Not vulnerable (1.33-1) |
libidn | zesty | Not vulnerable (1.33-1) |
Patches:
upstream: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
upstream: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf