[SECURITY NOTICE] libidn with bad UTF8 input

From: Daniel Stenberg <daniel_at_haxx.se>

Hi all libcurl users.

Here's a little problem many of us need to be aware of!

PROBLEM

A recent security review of libcurl showed that a remote attacker can
abuse libcurl's support for international domain names (IDN) to disclose
memory of a libcurl application, or cause other unintended behavior, by
passing a malformed Unicode string in the URL parameter.

Although this issue has been known for several months already, there is
no fix implemented in libidn yet. We have also decided that libcurl is
not responsible for scanning for invalid Unicode, which makes every
libcurl application that does not validate the input encoding of the
domain names it passes in possibly vulnerable to this issue.

This problem affects libcurl built to use libidn for IDN support.

A summary of this issue, with examples of vulnerable code in PHP and C,
is available at [1].

FIX

While there have been patches floating around for this problem, none
seems to have been adopted by the libidn project or picked up by the
distributions shipping libidn.

RECOMMENDATION

Rebuild libcurl with libidn support disabled (for the autotools build,
configure with --without-libidn; afterwards "curl -V" should no longer
list IDN among its Features).

Starting now, libcurl will build with libidn disabled by default until
this situation has been resolved to our satisfaction.

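For applications that cannot rebuild libcurl right away, the remaining
defence is the one the PROBLEM section describes: validate the encoding
of the domain name before it reaches libcurl. The program below is an
added example written for this page, not code from this advisory, from
curl or from libidn. It extracts the host from a URL with a deliberately
small helper (url_host, not libcurl's own parser) and accepts the URL
only if that host is well-formed UTF-8 per RFC 3629, rejecting overlong
forms, UTF-16 surrogates, code points above U+10FFFF and sequences cut
off at the end of the string. The sample URLs in main() are constructed
for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if buf[0..len) is well-formed UTF-8 as defined by RFC 3629, else 0.
 * Rejects stray continuation bytes, overlong forms (C0/C1, E0 80.., F0 80..),
 * UTF-16 surrogates (ED A0..BF), code points above U+10FFFF (F4 90.., F5..FF)
 * and sequences cut off by the end of the buffer. */
int utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;                  /* continuation bytes that must follow */
        unsigned char lo = 0x80;      /* allowed range for the second byte,  */
        unsigned char hi = 0xBF;      /* tightened for the special lead bytes */

        if (b < 0x80) { i++; continue; }             /* ASCII */
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b == 0xE0) { need = 2; lo = 0xA0; } /* no overlong 3-byte form */
        else if ((b >= 0xE1 && b <= 0xEC) || b == 0xEE || b == 0xEF) need = 2;
        else if (b == 0xED) { need = 2; hi = 0x9F; } /* no surrogates D800..DFFF */
        else if (b == 0xF0) { need = 3; lo = 0x90; } /* no overlong 4-byte form */
        else if (b >= 0xF1 && b <= 0xF3) need = 3;
        else if (b == 0xF4) { need = 3; hi = 0x8F; } /* nothing above U+10FFFF */
        else return 0;                 /* 80..C1 or F5..FF: never a valid lead */

        if (len - i < need + 1) return 0;            /* truncated at end of input */
        if (buf[i + 1] < lo || buf[i + 1] > hi) return 0;
        for (size_t k = 2; k <= need; k++)
            if (buf[i + k] < 0x80 || buf[i + k] > 0xBF) return 0;
        i += need + 1;
    }
    return 1;
}

/* Minimal host extraction for this example (assumption: not libcurl's parser).
 * Host = text after "scheme://", after any "userinfo@", up to the first of
 * '/', '?', '#' or end of string; a trailing ":port" is dropped and an IPv6
 * literal is kept as "[...]". Returns NULL when the URL has no "://". */
static const char *url_host(const char *url, size_t *hlen)
{
    const char *p = strstr(url, "://");
    if (!p) return NULL;
    p += 3;
    size_t n = strcspn(p, "/?#");          /* authority = p[0..n) */
    const char *at = memchr(p, '@', n);
    if (at) { n -= (size_t)(at + 1 - p); p = at + 1; }
    if (n > 0 && p[0] == '[') {
        const char *rb = memchr(p, ']', n);
        if (rb) n = (size_t)(rb + 1 - p);
    } else {
        const char *colon = memchr(p, ':', n);
        if (colon) n = (size_t)(colon - p);
    }
    *hlen = n;
    return p;
}

/* Return 1 if the URL's host is well-formed UTF-8 and may be handed to a
 * libidn-enabled libcurl, 0 if it is malformed or the URL has no host. */
int url_host_is_valid_utf8(const char *url)
{
    size_t n;
    const char *h = url_host(url, &n);
    if (!h) return 0;
    return utf8_valid((const unsigned char *)h, n);
}

int main(void)
{
    /* Constructed sample URLs: literal splits keep hex escapes from swallowing
     * the following letters. */
    const char *samples[] = {
        "http://b\xC3\xBC" "cher.example/path",      /* valid UTF-8 host    */
        "http://b\xC3" "cher.example/path",          /* truncated sequence  */
        "http://\xED\xA0\x80.example/",              /* surrogate U+D800    */
        "http://user@\xC0\xAF.example:8080/",        /* overlong '/'        */
        "http://example.com/\xFF",                   /* bad byte in path only */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = url_host_is_valid_utf8(samples[i]);
        /* In a real program the accepting branch is where the URL would be
         * passed to curl_easy_setopt(handle, CURLOPT_URL, ...); omitted here so
         * the example builds without libcurl. */
        printf("%s: %s\n", ok ? "accept" : "reject", samples[i]);
    }
    return 0;
}
```

Only the host is checked because that is the part libcurl hands to
libidn; a bad byte elsewhere in the URL (last sample) is not this bug.
Applications that take the whole URL from untrusted input may prefer to
run utf8_valid over the entire string instead.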
OTHER APPLICATIONS

Other applications using libidn are, or may be, vulnerable to this
problem too.

CREDITS

Reported by: Gustavo Grieco and Feist Josselin

REFERENCES

[1] https://blog.thijsalkema.de/me/blog//blog/2015/04/17/validate-the-encoding-before-passing-strings-to-libcurl-or-glibc/