Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete U
From: Ander Juaristi
Subject: Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete UTF-8 sequences
Date: Tue, 02 Jun 2015 12:50:07 +0200
User-agent: Thunderbird on Linux

On 06/02/2015 10:36 AM, anonymous wrote:
> Hello,
>
> We discovered a vulnerability in the parsing and processing of international
> domain names performed by the GNU IDN library in wget.
>
> It affects systems using the UTF-8 locales and allows reading bytes outside
> allocated buffers, using incomplete UTF-8 sequences.
>
> The cause of this issue was already reported in March
> (https://bugzilla.redhat.com/show_bug.cgi?id=1197796)
> but the corresponding GNU developers haven't decided if they want to fix their
> API or every affected program should validate their UTF-8 inputs.

Hi,

I can reproduce this in the latest Git snapshot.

The out-of-bounds memory reads happen in function idna_to_ascii_8z() when passed
invalid UTF-8 sequences, so as you point out,
it's a libidn issue. The concrete action happens at iri.c line 239.

I see a patch was proposed on the libidn mailing list on Mon, 4 May 2015:
http://lists.gnu.org/archive/html/help-libidn/2015-05/msg00002.html

However, the last commit on the libidn Git is dated three months ago, so the
patch doesn't seem to have been applied.

Maybe we should validate UTF-8 sequences on our own?

--
Regards,
- AJ