curl-library
Re: [SECURITY NOTICE] libidn with bad UTF8 input
Date: Sun, 5 Jul 2015 13:13:28 +0200 (CEST)
On Thu, 2 Jul 2015, Ray Satiro via curl-library wrote:
> My impression is the senior authors/maintainers have had a discussion and
> already made a decision about this issue to not do anything, and that's
> alluded to in the advisory. Based on that I think it's unlikely any
> collaborator is going to put a fix in master and it's probably unlikely any
> are going to participate in the branch. Still, I think it would be good we
> propose some ideas because from what I gather this may be a 'hey it's
> libidn' no 'hey it's libiconv' no 'hey it's libcurl' type thing on who is
> responsible to check the utf-8. Maybe hey it's all of us.
My position is still that this is a problem with libidn but they have since
even reaffirmed their position that this is the fault of the user of libidn. I
think this is based on them not really grasping how we (want to) use this
library.
Also, the only suggested fix we had prior to this security notice would depend
on iconv which seemed like a pretty bad work-around to me.
However: a "native" check that attempts to detect illegal UTF8 symbols to
mitigate this problem would be fine for me to merge to use with all vulnerable
libidn versions. There's of course always the risk that our check isn't
covering all the cases that can cause badness in libidn, but we would at least
do our best to avoid it.
(Sorry for being slow to respond, I'm on vacation.)
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2015-07-05