Name | CVE-2019-18224 |
Description | idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-4613-1 |
Debian Bugs | 942895 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
libidn2 (PTS) | bullseye | 2.3.0-5 | fixed |
| bookworm | 2.3.3-1 | fixed |
| sid, trixie | 2.3.7-2 | fixed |
The information below is based on the following data on fixed versions.
Notes
- libidn2-0 <not-affected> (Vulnerable code not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420
https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c