Bugzilla – Bug 1005649
VUL-2: CVE-2016-8625: curl: IDNA 2003 makes curl use wrong host
Last modified: 2017-04-25 11:01:28 UTC
IDNA 2003 makes curl use wrong host
Project cURL Security Advisory, November 2, 2016 -
When curl is built with libidn to handle International Domain Names (IDNA), it
translates them to puny code for DNS resolving using the IDNA 2003 standard,
while IDNA 2008 is the modern and up-to-date IDNA standard.
This misalignment causes problems with for example domains using the German ß
character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which
is used at times in the .de TLD and is translated differently in the two IDNA
standards, leading to users potentially and unknowingly issuing network
transfer requests to the wrong host.
For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
host names could very well resolve to different addresses and be two
completely independent servers. IDNA 2008 is mandatory for .de domains.
curl is not alone with this problem, as there's currently a big flux in the
world of network user-agents about which IDNA version to support and use.
This name problem exists for DNS-using protocols in curl, but only when built
to use libidn.
We are not aware of any exploit of this flaw.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-XXXX to this issue.
This flaw exists in the following curl versions.
- Affected versions: curl 7.12.0 to and including 7.50.3
- Not affected versions: curl < 7.12.0 and curl >= 7.51.0
libcurl is used by many applications, but not always advertised as such!
In version 7.51.0, the parser function is fixed.
A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/K.patch) is available.
We suggest you take one of the following actions immediately, in order of
A - Upgrade curl and libcurl to version 7.51.0
B - Apply the patch to your version and rebuild
It was first reported to the curl project on October 11 by Christian Heimes.
We contacted distros@openwall on October 19.
curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.
Thanks to Christian Heimes
From: Daniel Stenberg
We intend to publish the advisories, the patches and announce the new
release (7.51.0) with all of these problems fixed on November 2nd.
bugbot adjusting priority
SUSE Security Team statement:
This issue may affect curl in some specific scenarios, as well as other utilities using libidn. There is no compatible way to address this general issue without risking regressions for customers due to incompatibilities due between IDNA2003 and IDNA2008.
The recommended work-around is to not allow IDN domain names cross a security boundary in such a way that information not normally accessible to the entity specifying this name may retrieve them by tricking the host to connect to an unintended peer.
SUSE Security Team has proposed full IDNA2008 support to be implemented in a future service pack.
The upstream switch to libidn2 isn't considered a proper solution any more, it looks like libidn2 isn't complete:
Upstream now suggests building curl without IDN support to mitigate this issue.
Do we have an update as to what the current recommended workaround/fix is for this issue?
There's no fix/workaround available.
Upstream now suggests disabling IDN support during build (https://curl.haxx.se/mail/lib-2016-11/0033.html), but we can't do that for SLE, because such a change will hurt users that rely on the IDN in their setups.
upstream moved on to work more on IDNA2008 support
and libidn2 has received upstream releases.
Certainly something we should use for TW and SLE 13.
Fixed in Factory fate#321897. Updated libidn2 to version 2.0.1, see sr#490955. We have also checked that both curl and wget use IDNA2008 correctly in Factory.
Reassigning bug to security-team.
Done. Fixed in next major release.