UBUNTU-CVE-2019-12290

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

References

Affected packages

Ubuntu:Pro:14.04:LTS / libidn2-0

Package

Name: libidn2-0
Purl: pkg:deb/ubuntu/libidn2-0@0.9-1ubuntu0.1~esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9-1

0.9-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "idn2",
            "binary_version": "0.9-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libidn2-0",
            "binary_version": "0.9-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libidn2-0-dev",
            "binary_version": "0.9-1ubuntu0.1~esm1"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / libidn2-0

Package

Name: libidn2-0
Purl: pkg:deb/ubuntu/libidn2-0@0.10-3ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10-3

0.10-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "idn2",
            "binary_version": "0.10-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libidn2-0",
            "binary_version": "0.10-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libidn2-0-dev",
            "binary_version": "0.10-3ubuntu0.1~esm1"
        }
    ]
}

Ubuntu:18.04:LTS / libidn2

Package

Name: libidn2
Purl: pkg:deb/ubuntu/libidn2@2.0.4-1.1ubuntu0.2?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.4-1.1ubuntu0.2

Affected versions

2.*

2.0.4-1

2.0.4-1.1

2.0.4-1.1build2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "idn2",
            "binary_version": "2.0.4-1.1ubuntu0.2"
        },
        {
            "binary_name": "libidn2-0",
            "binary_version": "2.0.4-1.1ubuntu0.2"
        },
        {
            "binary_name": "libidn2-0-dev",
            "binary_version": "2.0.4-1.1ubuntu0.2"
        },
        {
            "binary_name": "libidn2-dev",
            "binary_version": "2.0.4-1.1ubuntu0.2"
        }
    ]
}