Re: [Bug-wget] [bug #45236] Memory disclosure in wget using incomplete UTF-8 sequences

[Ángel González]

On 02/06/15 12:50, Ander Juaristi wrote:
> On 06/02/2015 10:36 AM, anonymous wrote:
> > Hello,
> >
> > We discovered a vulnerability in the parsing and processing of 
> > international
> > domain names performed by the GNU IDN library in wget.
> > It affects systems using the UTF-8 locales and allows to read bytes 
> > outside
> > allocated buffers, using incomplete UTF-8 sequences.
> > The cause of this issue was already reported in March
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1197796)
> > but the corresponding GNU developers haven't decided if they want to 
> > fix their
> > API or every affected program should validate their UTF-8 inputs.
> Hi,
>
> I can reproduce this in the latest Git snapshot.
>
> The out-of-bound memory reads happen at function idna_to_ascii_8z() 
> when passed invalid UTF-8 sequences, so as you point out,
> it's a libidn issue. The concrete action happens at iri.c line 239.
>
> I see a patch was proposed in the libidn mailing list at Mon, 4 May 2015:
>
>     http://lists.gnu.org/archive/html/help-libidn/2015-05/msg00002.html
>
> However, the last commit on the libidn Git is dated three months ago, 
> so the patch doesn't seem to have been applied.
>
> Maybe we should validate UTF-8 sequences on our own?
IMHO it should be fixed by libidn. I would wait for a fix from them. We 
may revisit this when we are approaching a release if they still haven't 
produced a fix.