bug-wget

Re: [Bug-wget] the libidn problem


From: Ángel González
Subject: Re: [Bug-wget] the libidn problem
Date: Mon, 06 Jul 2015 01:47:33 +0200
User-agent: Thunderbird

On 02/07/15 13:43, Giuseppe Scrivano wrote:
> This is the reply I got:
>
> http://lists.gnu.org/archive/html/help-libidn/2015-07/msg00000.html

I don't much like the "You need to pass valid UTF-8 to libidn" in there.
However, the rationale for giving them CVE-2015-2059
<https://access.redhat.com/security/cve/CVE-2015-2059> is quite clear:
the documentation says "This function will not read or write to
characters outside that size" rather than "If the input is valid
UTF-8, then this function will not read or write to characters outside
that size."

https://bugzilla.redhat.com/show_bug.cgi?id=1197796#c0


wrt the actual check, what we need is the u8_check() function (originally from 
libunistring), which is available as a gnulib module.



Otherwise, if we were to disable libidn, I would use a configure check that
tests whether it's vulnerable to CVE-2015-2059
<https://access.redhat.com/security/cve/CVE-2015-2059>.





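Added example, not code from wget, libidn or anyone in this thread: a stand-in for the u8_check() guard discussed above. The validator is an independent implementation written here (it follows the u8_check() contract of returning NULL for well-formed input and a pointer to the first bad byte otherwise, but is not the gnulib code), and the wrapper name idna_input_check, its fallback policy and the sample host names are assumptions for illustration. It rejects the malformed sequences (truncated, overlong, stray continuation bytes, encoded UTF-16 surrogates, values above U+10FFFF) that would otherwise be handed to libidn, and reports the offset of the first offending byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Independent re-implementation of the u8_check() contract (gnulib /
 * libunistring): return NULL if the n bytes at s are well-formed UTF-8,
 * otherwise a pointer to the first byte of the offending sequence.
 * Written for this example; it is not the gnulib code. */
static const uint8_t *utf8_check(const uint8_t *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t len;
        uint32_t cp;

        if (c < 0x80) {                         /* ASCII */
            i++;
            continue;
        } else if (c >= 0xC2 && c <= 0xDF) {    /* 2-byte lead (C0/C1 would be overlong) */
            len = 2; cp = c & 0x1F;
        } else if (c >= 0xE0 && c <= 0xEF) {    /* 3-byte lead */
            len = 3; cp = c & 0x0F;
        } else if (c >= 0xF0 && c <= 0xF4) {    /* 4-byte lead (F5..FF exceed U+10FFFF) */
            len = 4; cp = c & 0x07;
        } else {
            return s + i;                       /* stray continuation byte or invalid lead */
        }
        if (n - i < len)
            return s + i;                       /* truncated sequence: never read past n */
        for (size_t k = 1; k < len; k++) {
            uint8_t cb = s[i + k];
            if ((cb & 0xC0) != 0x80)
                return s + i;                   /* expected a continuation byte */
            cp = (cp << 6) | (cb & 0x3F);
        }
        if ((len == 3 && cp < 0x800) || (len == 4 && cp < 0x10000) ||  /* overlong */
            (cp >= 0xD800 && cp <= 0xDFFF) ||                          /* UTF-16 surrogate */
            cp > 0x10FFFF)                                             /* beyond Unicode */
            return s + i;
        i += len;
    }
    return NULL;
}

/* Byte offset of the first malformed sequence in a NUL-terminated string,
 * or -1 if the whole string is valid UTF-8. */
long bad_utf8_offset(const char *s)
{
    const uint8_t *p = (const uint8_t *)s;
    const uint8_t *bad = utf8_check(p, strlen(s));
    return bad ? (long)(bad - p) : -1;
}

/* Guard to run before a host name reaches libidn (e.g. idna_to_ascii_8z()).
 * Returns 0 if the name may be passed on, -1 otherwise; on -1, *bad_offset
 * (if non-NULL) receives the offset of the first bad byte.  The name and the
 * policy are assumptions for this example: the caller is expected to fall
 * back to the raw name or fail the URL instead of calling libidn. */
int idna_input_check(const char *host, size_t *bad_offset)
{
    long off = bad_utf8_offset(host);
    if (off < 0)
        return 0;
    if (bad_offset)
        *bad_offset = (size_t)off;
    return -1;
}

int main(void)
{
    /* Constructed sample host names; the last four are malformed on purpose. */
    const char *samples[] = {
        "example.org",                      /* plain ASCII */
        "b\xC3\xBC" "cher.example",         /* valid: U+00FC */
        "\xF0\x9F\x98\x80.example",         /* valid: U+1F600, 4-byte sequence */
        "ab\xC0\xAF",                       /* overlong encoding of '/' */
        "\xE2\x82",                         /* truncated 3-byte sequence */
        "x\xED\xA0\x80",                    /* encoded surrogate U+D800 */
        "\xF4\x90\x80\x80",                 /* U+110000, beyond Unicode */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t off = 0;
        if (idna_input_check(samples[i], &off) == 0)
            printf("ok      %s\n", samples[i]);
        else
            printf("reject  bad byte 0x%02X at offset %zu\n",
                   (unsigned char)samples[i][off], off);
    }
    return 0;
}
```

The length check before the inner loop is the point of the exercise: a truncated lead byte at the end of the buffer must be reported without touching the bytes after it, which is exactly the read the libidn documentation promised would not happen.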