oss-sec mailing list archives
Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host
From: Robert Scheck <robert () fedoraproject org>
Date: Wed, 2 Nov 2016 12:53:04 +0100
On Wed, 02 Nov 2016, Daniel Stenberg wrote:
> For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those host names could very well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains. curl is not alone with this problem, as there's currently a big flux in the world of network user-agents about which IDNA version to support and use.
From my point of view, this especially affects GNU libc, for example. On the other hand, I am wondering if this should really be classified as a security-related issue. Being interested in IDNA 2008 support myself, I did some IDNA 2008 patches in the past, but practically IDNA 2008 support is still not as widespread as I would wish. Does using an older standard (as in IDNA 2003) really classify this issue as a security-related one? If so, I guess many upstreams should be explicitly made aware of that soon. Maybe MITRE (or somebody else) could share their thoughts about this, too?
> It was first reported to the curl project on October 11 by Christian Heimes.
I reported the "ß" issue and the lack of IDNA 2008 support in cURL on Sun, 18 May 2014 17:17:03 +0200 directly to you, but I didn't classify it as a security-related issue... ;-)

Greetings,
Robert
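The `straße.de` case quoted above, worked through in code. This is an added example and is not code from the advisory, from Robert's or Daniel's messages, or from the curl project. It uses only the Python standard library: the built-in `idna` codec implements IDNA 2003 (nameprep, which case-folds ß to "ss", followed by punycode), while the `to_idna2008()` helper is a deliberately reduced stand-in for IDNA 2008 (NFC plus punycode, no mapping, contextual or Bidi rules) that is just enough to show why ß yields an `xn--` label there. The `idna_mismatch()` check and the sample host names are constructed for the example.

```python
"""Added example (not from the advisory or curl): the same Unicode host name
becomes two different ASCII host names under IDNA 2003 and IDNA 2008.

- IDNA 2003: Python's built-in "idna" codec (nameprep + punycode). Nameprep
  case-folds U+00DF (ß) to "ss", so the label collapses to plain ASCII.
- IDNA 2008: U+00DF is PVALID, so the label is kept and punycode-encoded into
  an xn-- A-label. to_idna2008() below is a reduced illustration only
  (NFC + punycode; no mapping, contextual or Bidi rules from RFC 5891/5892).
  Use a real IDNA 2008 library for anything beyond this demonstration.
"""
import unicodedata

ACE_PREFIX = "xn--"


def to_idna2003(host: str) -> str:
    """IDNA 2003 conversion via the stdlib codec (nameprep maps ß -> ss)."""
    return host.encode("idna").decode("ascii")


def to_idna2008(host: str) -> str:
    """Simplified IDNA 2008-style conversion: NFC-normalize each label and
    punycode-encode any label that is not already ASCII."""
    labels = []
    for label in host.split("."):
        label = unicodedata.normalize("NFC", label)
        if label.isascii():
            labels.append(label)
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_mismatch(host: str) -> bool:
    """True when IDNA 2003 and IDNA 2008 map this host to different names.

    A client that wants a URL to name the same server regardless of which
    IDNA version the user agent implements should treat this as a warning:
    the two A-labels can be registered by unrelated parties.
    """
    return to_idna2003(host) != to_idna2008(host)


if __name__ == "__main__":
    # Constructed sample hosts: the advisory's ß case, a plain ASCII name,
    # and a non-ASCII name without a deviation character (same result both ways).
    for host in ["straße.de", "curl.haxx.se", "bücher.de"]:
        print(f"{host:14} IDNA2003={to_idna2003(host):20} "
              f"IDNA2008={to_idna2008(host):20} mismatch={idna_mismatch(host)}")
```

Only characters whose handling changed between the two standards (ß, final sigma, ZWJ/ZWNJ) trigger the mismatch; `bücher.de` encodes to the same `xn--bcher-kva.de` under both, which is why the ß case is the one the advisory singles out.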
Current thread:
- [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Daniel Stenberg (Nov 02)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Stuart Henderson (Nov 02)
- Re: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Hanno Böck (Nov 04)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Robert Scheck (Nov 02)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Hanno Böck (Nov 02)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Daniel Stenberg (Nov 02)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host cve-assign (Nov 04)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Daniel Stenberg (Nov 04)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Robert Scheck (Nov 04)
- Re: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Kristian Fiskerstrand (Nov 04)
- Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host Stuart Henderson (Nov 02)