GNU libidn2 before 2.2.0 fails to perform the round-trip checks specified in RFC 3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. A malicious domain can be created that matches a target domain except for the inclusion of certain Punycode-encoded Unicode characters. Those characters would be discarded if the label were converted first to a Unicode label and then back to an ASCII label, but without the round-trip check the mismatch goes undetected, so arbitrary domains can be impersonated.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "187845366280205581554916051824304641025", "289222033461961251682366936354811810929", "189921928984123963418844635464376916147", "32322299586069872753104641615897259259", "68915996413258629746358493254944318128", "295730367312914004971153892094774148693", "264258165042914839397875976476724874954", "163321080620791167400093219107764732189", "178771355685605208775915253908940624378", "161537723658831945381105479310787500612", "336132514217847844897387324679739871341", "125593242869440476194307051446470131116", "141317671660914381322152364271358431871", "214631645719211984927038159192097519376", "266587475166497327939218941668200906676", "314523723662684879250557283871182831196", "143571233016551291613287419848004828171", "334350992102930038829101961090464646085", "259178560879546280548176550449865355486", "228263717062548974924835271169699422705", "209557075922360947708273955807601980744", "298927573849399498727933349449060804764", "200870642929510662551358979060379372946", "83154842888797228375984819460951751371", "56736669590484047371391910641074305236", "312501796626787656415207348311880419549", "238390847104470054703256634220722141936", "178699996317677438489876796129231280301", "265343990960947131591128169558107137289", "20924633486555631153636335400639628014", "319020322763427148370536823242309996558", "37599245625922652816097075900812637469", "140851693938537637181819694478675077710", "162637764160326715175583723161150223839", "81206057916669312551064521823174789034", "90795475823384253914073336123682738196" ], "threshold": 0.9 }, "id": "CVE-2019-12290-34a4fb6a", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "lib/lookup.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 1237.0, "function_hash": "196589049652805566618349219444565166789" }, "id": "CVE-2019-12290-3a2bea05", "signature_version": 
"v1", "deprecated": false, "signature_type": "Function", "target": { "function": "label", "file": "lib/lookup.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 1609.0, "function_hash": "158323192680532173773353355260575223296" }, "id": "CVE-2019-12290-47d0524e", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "usage", "file": "src/idn2.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 1689.0, "function_hash": "132847353310256968026952805416658069944" }, "id": "CVE-2019-12290-7b9c9ae2", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "main", "file": "src/idn2.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "line_hashes": [ "114932952402425713695135804304977684576" ], "threshold": 0.9 }, "id": "CVE-2019-12290-88729c3d", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "src/blurbs.h" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 1929.0, "function_hash": "312356779681248897141270467858749709960" }, "id": "CVE-2019-12290-89f31ec5", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "idn2_strerror_name", "file": "lib/error.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "line_hashes": [ "66902672545539146513614053349137977493", "35705142242873268246961906559538162778", "92553056929671371861616070084439320737", "54063827184499356904768052335394235904", "41592960057154531973644757130155655068", "184195417186434568414504093915641920336", "53637315937563157046328503246039279430", "91854151707641435040215239355893114590" ], "threshold": 0.9 }, 
"id": "CVE-2019-12290-a1de27eb", "signature_version": "v1", "deprecated": false, "signature_type": "Line", "target": { "file": "lib/error.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 2571.0, "function_hash": "87491573228088904306321158771688506918" }, "id": "CVE-2019-12290-a7b50d06", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "idn2_strerror", "file": "lib/error.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "length": 403.0, "function_hash": "16217450268485728176248901353893967410" }, "id": "CVE-2019-12290-ca931a85", "signature_version": "v1", "deprecated": false, "signature_type": "Function", "target": { "function": "set_default_flags", "file": "lib/lookup.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" }, { "digest": { "line_hashes": [ "166885763631888406267131528687096582745", "134367394057071990490085530265912699219", "214378052207718936395517494157405438190", "232115736145380109018108751105545165544", "224698098182131758138671533896448875293", "259038086519496779361696632459998164591", "6114980826271067092645779402511071784", "89644263389340556783706497584888941590", "165727711777409542780179600632295041520", "26230735817845700437729811762211287753", "32912217945566229435583919163839432422", "279461692832200392842104054395391354798", "315064635494576614957724199126787903121", "132472155916234525831925478258186666183", "142262658041150698465307422285829635768", "127809624820878683290662984068786164174", "310772457680198278739071035262824120750", "6059200163761477374636826095744790818", "199068233433028341871381895255198024036", "75417734971841325643407933153858414668", "331623842480580273871638426298658246517" ], "threshold": 0.9 }, "id": "CVE-2019-12290-ede97f5a", "signature_version": "v1", "deprecated": false, 
"signature_type": "Line", "target": { "file": "src/idn2.c" }, "source": "https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5" } ] }