Buffer overflow in libidn (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-2059 |
| CWE-ID | CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Tivoli Storage Manager Server applications / File servers (FTP/HTTP) libidn (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor |
IBM Corporation Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Buffer overflow
EUVDB-ID: #VU32284
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-2059
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Tivoli Storage Manager: 6.1.4
libidn (Alpine package): 2.10.7ubuntu3
libidn (Alpine package): 3.0pl1-69
libidn (Alpine package): 5.2.1-2 - 5.93-3
libidn (Alpine package): 0.9.2
libidn (Alpine package): 0.2.5
libidn (Alpine package): 7.3.0.118
libidn (Alpine package):
libidn (Alpine package): before 1.31-r0
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_tivoli_storage_manager:6.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:2.10.7ubuntu3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:3.0pl1-69:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:5.2.1-2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:5.93-3:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:0.9.2:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:0.2.5:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:7.3.0.118:*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package::*:*:*:*:alpine_linux:*:*
- cpe:2.3:a:alpine:libidn_alpine_package:*:*:*:*:*:alpine_linux:*:3.1
https://git.alpinelinux.org/aports/commit/?id=a2b2fff7d43c71ecc89002de88d855f730975a58
https://git.alpinelinux.org/aports/commit/?id=5bafcce1dd15bf47e71e22042af62ece632ebe5d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
