On 06/02/2015 10:36 AM, anonymous wrote:
Hello,
We discovered a vulnerability in the parsing and processing of international
domain names performed by the GNU IDN library in wget.
It affects systems using the UTF-8 locales and allows reading bytes outside
allocated buffers, using incomplete UTF-8 sequences.
The cause of this issue was already reported in March
(https://bugzilla.redhat.com/show_bug.cgi?id=1197796)
but the corresponding GNU developers haven't decided if they want to fix their
API or every affected program should validate their UTF-8 inputs.

Hi,
I can reproduce this in the latest Git snapshot.
The out-of-bound memory reads happen at function idna_to_ascii_8z()
when passed invalid UTF-8 sequences, so as you point out,
it's a libidn issue. The concrete action happens at iri.c line 239.
I see a patch was proposed in the libidn mailing list at Mon, 4 May 2015:
http://lists.gnu.org/archive/html/help-libidn/2015-05/msg00002.html
However, the last commit on the libidn Git is dated three months ago,
so the patch doesn't seem to have been applied.
Maybe we should validate UTF-8 sequences on our own?
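
The caller-side validation raised above could look like the following. This is an added example, not part of the original thread and not code from wget or libidn; the function name utf8_is_valid and the sample hostnames are assumptions constructed for illustration. It rejects a hostname containing a truncated or otherwise malformed UTF-8 sequence, so such input would never be handed to idna_to_ascii_8z().

```c
#include <stdio.h>

/* Hypothetical helper (not wget or libidn code).
 * Returns 1 if s (NUL-terminated) is well-formed UTF-8, 0 otherwise.
 * It never reads past the terminating NUL: a truncated sequence fails
 * at the NUL because 0x00 is not a continuation byte (10xxxxxx). */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        unsigned char c = *p++;
        unsigned int need;      /* continuation bytes still expected */
        unsigned long cp, min;  /* code point, smallest legal value */

        if (c < 0x80)
            continue;           /* plain ASCII */
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else
            return 0;           /* stray continuation or invalid lead byte */

        while (need--) {
            if ((*p & 0xC0) != 0x80)
                return 0;       /* incomplete sequence (also stops at NUL) */
            cp = (cp << 6) | (*p++ & 0x3F);
        }
        if (cp < min) return 0;                     /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* UTF-16 surrogates */
        if (cp > 0x10FFFF) return 0;                /* beyond Unicode range */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample hostnames; the second ends in a lone lead byte. */
    const char *hosts[] = { "b\xc3\xbc" "cher.example", "abc\xc3" };
    for (int i = 0; i < 2; i++)
        printf("host %d: %s\n", i,
               utf8_is_valid(hosts[i]) ? "ok, convert" : "reject, invalid UTF-8");
    return 0;
}
```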