Re: [Bug-wget] the libidn problem
From: Ángel González
Subject: Re: [Bug-wget] the libidn problem
Date: Mon, 06 Jul 2015 01:47:33 +0200
User-agent: Thunderbird
On 02/07/15 13:43, Giuseppe Scrivano wrote:
> This is the reply I got:
> http://lists.gnu.org/archive/html/help-libidn/2015-07/msg00000.html
I don't much like the "You need to pass valid UTF-8 to libidn" in there.
However, the rationale for giving them CVE-2015-2059
<https://access.redhat.com/security/cve/CVE-2015-2059> is quite clear:
the documentation says "This function will not read or write to
characters outside that size" rather than "If the input is valid
UTF-8, then this function will not read or write to characters outside
that size."
https://bugzilla.redhat.com/show_bug.cgi?id=1197796#c0
Wrt the actual check, what we need is the u8_check() function (originally from
libunistring), which is available as a gnulib module.
Otherwise, if we were to disable libidn, I would use a configure check that
tested if it's vulnerable to CVE-2015-2059
<https://access.redhat.com/security/cve/CVE-2015-2059>.
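Added illustration, not code from this thread, from wget, or from libunistring: a hypothetical validator with the same contract as u8_check() (NULL for well-formed UTF-8, otherwise a pointer to the first bad byte), plus the guard a caller would put in front of libidn so that malformed input never reaches it. The function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for gnulib/libunistring's u8_check(): returns NULL
 * when s[0..n) is well-formed UTF-8, otherwise a pointer to the first byte
 * of the first malformed sequence. Rejects overlong encodings, UTF-16
 * surrogates (U+D800..U+DFFF), code points above U+10FFFF and sequences
 * that run past the end of the buffer. */
const uint8_t *utf8_check(const uint8_t *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t len;
        uint32_t cp, min;
        if (c < 0x80) { i++; continue; }                          /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) { len = 2; cp = c & 0x1F; min = 0x80; }
        else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return s + i;             /* 0x80..0xC1 and 0xF5..0xFF never start a sequence */
        if (n - i < len) return s + i; /* truncated: sequence would read past the buffer */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return s + i;  /* not a continuation byte */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return s + i;                       /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return s + i;   /* surrogate */
        if (cp > 0x10FFFF) return s + i;                  /* beyond Unicode range */
        i += len;
    }
    return NULL;
}

/* Offset of the first malformed byte in a NUL-terminated string, or -1
 * when the whole string is valid UTF-8. */
long first_bad_utf8_offset(const char *s)
{
    const uint8_t *p = utf8_check((const uint8_t *)s, strlen(s));
    return p ? (long)(p - (const uint8_t *)s) : -1;
}

/* Guard to apply before handing a hostname to libidn: 1 if valid UTF-8. */
int hostname_is_valid_utf8(const char *host)
{
    return first_bad_utf8_offset(host) == -1;
}
```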