
Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input

* Patrick Schleizer:

> Are you aware of this already?
> [SECURITY NOTICE] libidn with bad UTF8 input
> http://curl.haxx.se/mail/lib-2015-06/0143.html
> Haven’t found anything related on debian.org mailing lists and/or curl's
> changelog.

We are aware of it.  This will be fixed in libidn because libidn
upstream has relented and added additional hardening to the critical
string processing functions.

It is often not clear where to fix such interpretation conflicts, but
if most applications do not enforce the precondition and the
precondition is not clearly specified (which is the case with UTF-8,
as there are three or more different iterations), then we lean towards
fixing the library.
