Bug 1005649 - (CVE-2016-8625) VUL-2: CVE-2016-8625: curl: IDNA 2003 makes curl use wrong host
VUL-2: CVE-2016-8625: curl: IDNA 2003 makes curl use wrong host
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2016-10-19 14:48 UTC by Johannes Segitz
Modified: 2017-04-25 11:01 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-10-19 14:48:37 UTC
IDNA 2003 makes curl use wrong host

Project cURL Security Advisory, November 2, 2016 -


When curl is built with libidn to handle International Domain Names (IDNA), it
translates them to puny code for DNS resolving using the IDNA 2003 standard,
while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with for example domains using the German ß
character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which
is used at times in the .de TLD and is translated differently in the two IDNA
standards, leading to users potentially and unknowingly issuing network
transfer requests to the wrong host.

For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
host names could very well resolve to different addresses and be two
completely independent servers. IDNA 2008 is mandatory for .de domains.

curl is not alone with this problem, as there's currently a big flux in the
world of network user-agents about which IDNA version to support and use.

This name problem exists for DNS-using protocols in curl, but only when built
to use libidn.

We are not aware of any exploit of this flaw.


The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.


This flaw exists in the following curl versions.

- Affected versions: curl 7.12.0 to and including 7.50.3
- Not affected versions: curl < 7.12.0 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!


In version 7.51.0, the parser function is fixed.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/K.patch) is available.


We suggest you take one of the following actions immediately, in order of

  A - Upgrade curl and libcurl to version 7.51.0

  B - Apply the patch to your version and rebuild


It was first reported to the curl project on October 11 by Christian Heimes.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.


Thanks to Christian Heimes
Comment 1 Johannes Segitz 2016-10-19 14:49:07 UTC
From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02
Comment 2 Swamp Workflow Management 2016-10-19 22:05:38 UTC
bugbot adjusting priority
Comment 10 Andreas Stieger 2016-10-25 12:02:59 UTC
SUSE Security Team statement:

This issue may affect curl in some specific scenarios, as well as other utilities using libidn. There is no compatible way to address this general issue without risking regressions for customers due to incompatibilities due between IDNA2003 and IDNA2008.

The recommended work-around is to not allow IDN domain names cross a security boundary in such a way that information not normally accessible to the entity specifying this name may retrieve them by tricking the host to connect to an unintended peer.

SUSE Security Team has proposed full IDNA2008 support to be implemented in a future service pack.
Comment 11 Vítězslav Čížek 2016-11-02 09:34:07 UTC
The upstream switch to libidn2 isn't considered a proper solution any more, it looks like libidn2 isn't complete:

Upstream now suggests building curl without IDN support to mitigate this issue.
Comment 12 Marcus Daw 2016-12-29 18:04:39 UTC
Do we have an update as to what the current recommended workaround/fix is for this issue?
Comment 13 Vítězslav Čížek 2017-01-02 13:40:46 UTC
There's no fix/workaround available.
Upstream now suggests disabling IDN support during build (https://curl.haxx.se/mail/lib-2016-11/0033.html), but we can't do that for SLE, because such a change will hurt users that rely on the IDN in their setups.
Comment 15 Pedro Monreal Gonzalez 2017-04-25 10:05:13 UTC
Fixed in Factory fate#321897. Updated libidn2 to version 2.0.1, see sr#490955. We have also checked that both curl and wget use IDNA2008 correctly in Factory.

Reassigning bug to security-team.
Comment 16 Andreas Stieger 2017-04-25 11:01:28 UTC
Done. Fixed in next major release.