oss-sec mailing list archives

Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host


From: Stuart Henderson <stu () spacehopper org>
Date: Wed, 2 Nov 2016 11:07:45 +0000

On 2016/11/02 08:13, Daniel Stenberg wrote:
> In version 7.51.0, the parser function is fixed.
>
> A [patch for CVE-2016-8625](https://curl.haxx.se/CVE-2016-8625.patch) is
> available.

This switches to using libidn2, which hasn't had a substantial commit
in around 5 years (https://gitlab.com/jas/libidn2/commits/master), and
currently doesn't even show up in the file listing for the https
version of alpha.gnu.org/gnu/libidn/. (Somehow http and https are
different; the https version has HSTS headers which you might need to
take into account if comparing).

Moving something as widely used as curl to this makes me feel a little
uneasy (and I'm a bit surprised it wasn't called out specifically in the
release notes).

Has anyone poked at it much yet?