CVE-2015-2059

Publication date 12 August 2015

Last updated 24 July 2024

The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libidn	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Ignored
	15.04 vivid	Ignored
	14.10 utopic	Ignored
	14.04 LTS trusty	Fixed 1.28-1ubuntu2.1
	12.04 LTS precise	Fixed 1.23-2ubuntu0.1
	10.04 LTS lucid	Ignored

Notes

sbeattie

libidn2-0 does not appear to implement stringprep.

mdeslaur

This CVE was fixed in 1.31 and regression fixed in 1.32

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libidn	Upstream: ?id=2e9 Upstream: ?id=58c

References

Related Ubuntu Security Notices (USN)