oss-sec mailing list archives

Re: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 4 Nov 2016 09:52:32 +0100

On Wed, 2 Nov 2016 11:07:45 +0000
Stuart Henderson <stu () spacehopper org> wrote:

> This switches to using libidn2,
> [...]
> Has anyone poked at it much yet?

I poked a bit.
Nothing spectacular, a stack underread (accesses -1 of array), but only
in the command line tool:
https://gitlab.com/jas/libidn2/commit/3e3742321e7a280874903a7f7ae9bae7852c3415

And a memleak (not committed yet, sent to the maintainer).

It's only one function, so it's not too much to test.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

