[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete U
Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete UTF-8 sequences
Tue, 02 Jun 2015 23:43:56 +0200
On 02/06/15 12:50, Ander Juaristi wrote:
IMHO it should be fixed by libidn. I would wait for a fix from them. We
may revisit this when we are approaching a release if they still haven't
produced a fix.
On 06/02/2015 10:36 AM, anonymous wrote:
We discovered a vulnerability in the parsing and processing of
domain names performed by the GNU IDN library in wget.
It affects systems using the UTF-8 locales and allows to read bytes
allocated buffers, using incomplete UTF-8 sequences.
The cause of this issue was already reported in March
but the corresponding GNU developers haven't decided if they want to
API or every affected program should validate their UTF-8 inputs.
I can reproduce this in the latest Git snapshot.
The out-of-bound memory reads happen at function idna_to_ascii_8z()
when passed invalid UTF-8 sequences, so as you point out,
it's a libidn issue. The concrete action happens at iri.c line 239.
I see a patch was proposed in the libidn mailing list at Mon, 4 May 2015:
However, the last commit on the libidn Git is dated three months ago,
so the patch doesn't seem to have been applied.
Maybe we should validate UTF-8 sequences on our own?