Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete UTF-8 sequences
Tue, 02 Jun 2015 12:50:07 +0200
Thunderbird on Linux
On 06/02/2015 10:36 AM, anonymous wrote:
> We discovered a vulnerability in the parsing and processing of international
> domain names performed by the GNU IDN library in wget.
> It affects systems using the UTF-8 locales and allows reading bytes outside
> allocated buffers, using incomplete UTF-8 sequences.
> The cause of this issue was already reported in March
> but the corresponding GNU developers haven't decided if they want to fix their
> API or every affected program should validate their UTF-8 inputs.
I can reproduce this in the latest Git snapshot.
The out-of-bound memory reads happen at function idna_to_ascii_8z() when passed
invalid UTF-8 sequences, so as you point out,
it's a libidn issue. The concrete action happens at iri.c line 239.
I see a patch was proposed in the libidn mailing list at Mon, 4 May 2015:
However, the last commit on the libidn Git is dated three months ago, so the
patch doesn't seem to have been applied.
Maybe we should validate UTF-8 sequences on our own?