Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input

To: Patrick Schleizer <adrelanos@riseup.net>
Cc: "debian-security\@lists.debian.org" <debian-security@lists.debian.org>, security@debian.org, ghedo@debian.org, Whonix-devel <whonix-devel@whonix.org>
Subject: Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 18 Jul 2015 11:41:29 +0200
Message-id: <[🔎] 87380lssza.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 55944BBD.4050707@riseup.net> (Patrick Schleizer's message of "Wed, 01 Jul 2015 20:21:17 +0000")
References: <[🔎] 55944BBD.4050707@riseup.net>

* Patrick Schleizer:

> Are you aware of this already?
>
> [SECURITY NOTICE] libidn with bad UTF8 input
>
> http://curl.haxx.se/mail/lib-2015-06/0143.html
>
> Haven’t found anything related on debian.org mailing lists and/or curl's
> changelog.

We are aware of it.  This will be fixed in libidn because libidn
upstream has relented and added additional hardening to the critical
string processing functions.

It is often not clear where to fix such interpretation conflicts, but
if most applications do not enforce the precondition and the
precondition is not clearly specified (which is the case with UTF-8,
as there are three or more different iterations), then we lean towards
fixing the library.

Reply to:

References:
- curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input
  - From: Patrick Schleizer <adrelanos@riseup.net>

Prev by Date: Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input
Next by Date: Your call IM1507-4183 has been logged
Previous by thread: Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input
Next by thread: Your call IM1507-4183 has been logged
Index(es):
- Date
- Thread