Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.20.1611020812500.375@tvnag.unkk.fr>
Date: Wed, 2 Nov 2016 08:13:26 +0100 (CET)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...l.haxx.se>,
        curl-announce@...l.haxx.se,
        libcurl hacking <curl-library@...l.haxx.se>,
        oss-security@...ts.openwall.com
Subject: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

IDNA 2003 makes curl use wrong host
===================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102K.html)

VULNERABILITY
-------------

When curl is built with libidn to handle International Domain Names (IDNA), it
translates them to puny code for DNS resolving using the IDNA 2003 standard,
while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with for example domains using the German ß
character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which
is used at times in the .de TLD and is translated differently in the two IDNA
standards, leading to users potentially and unknowingly issuing network
transfer requests to the wrong host.

For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
host names could very well resolve to different addresses and be two
completely independent servers. IDNA 2008 is mandatory for .de domains.

curl is not alone with this problem, as there's currently a big flux in the
world of network user-agents about which IDNA version to support and use.

This name problem exists for DNS-using protocols in curl, but only when built
to use libidn.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-8625 to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions.

- Affected versions: curl 7.12.0 to and including 7.50.3
- Not affected versions: curl < 7.12.0 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, the parser function is fixed.

A [patch for CVE-2016-8625](https://curl.haxx.se/CVE-2016-8625.patch) is
available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild

TIME LINE
---------

It was first reported to the curl project on October 11 by Christian Heimes.

We contacted distros@...nwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.

CREDITS
-------

Thanks to Christian Heimes

-- 

  / daniel.haxx.se

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.