Bugzilla – Bug 1005649
VUL-2: CVE-2016-8625: curl: IDNA 2003 makes curl use wrong host
Last modified: 2017-04-25 11:01:28 UTC
IDNA 2003 makes curl use wrong host =================================== Project cURL Security Advisory, November 2, 2016 - [Permalink](https://curl.haxx.se/docs/adv_20161102K.html) VULNERABILITY ------------- When curl is built with libidn to handle International Domain Names (IDNA), it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems with for example domains using the German ß character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which is used at times in the .de TLD and is translated differently in the two IDNA standards, leading to users potentially and unknowingly issuing network transfer requests to the wrong host. For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those host names could very well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains. curl is not alone with this problem, as there's currently a big flux in the world of network user-agents about which IDNA version to support and use. This name problem exists for DNS-using protocols in curl, but only when built to use libidn. We are not aware of any exploit of this flaw. INFO ---- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-XXXX to this issue. AFFECTED VERSIONS ----------------- This flaw exists in the following curl versions. - Affected versions: curl 7.12.0 to and including 7.50.3 - Not affected versions: curl < 7.12.0 and curl >= 7.51.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ In version 7.51.0, the parser function is fixed. A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/K.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.51.0 B - Apply the patch to your version and rebuild TIME LINE --------- It was first reported to the curl project on October 11 by Christian Heimes. We contacted distros@openwall on October 19. curl 7.51.0 was released on November 2 2016, coordinated with the publication of this advisory. CREDITS ------- Thanks to Christian Heimes
From: Daniel Stenberg We intend to publish the advisories, the patches and announce the new release (7.51.0) with all of these problems fixed on November 2nd. CRD: 2016-11-02
bugbot adjusting priority
SUSE Security Team statement: This issue may affect curl in some specific scenarios, as well as other utilities using libidn. There is no compatible way to address this general issue without risking regressions for customers due to incompatibilities due between IDNA2003 and IDNA2008. The recommended work-around is to not allow IDN domain names cross a security boundary in such a way that information not normally accessible to the entity specifying this name may retrieve them by tricking the host to connect to an unintended peer. SUSE Security Team has proposed full IDNA2008 support to be implemented in a future service pack.
The upstream switch to libidn2 isn't considered a proper solution any more, it looks like libidn2 isn't complete: https://curl.haxx.se/mail/lib-2016-11/0033.html Upstream now suggests building curl without IDN support to mitigate this issue.
Do we have an update as to what the current recommended workaround/fix is for this issue?
There's no fix/workaround available. Upstream now suggests disabling IDN support during build (https://curl.haxx.se/mail/lib-2016-11/0033.html), but we can't do that for SLE, because such a change will hurt users that rely on the IDN in their setups.
upstream moved on to work more on IDNA2008 support https://github.com/curl/curl/commit/0bc24d6f9d15a2cc5898cae4f214487200e78f44 https://github.com/curl/curl/commit/f30cbcac11f5a627992f0c48cff91135808fa70f https://github.com/curl/curl/commit/ba315745f7f4ddfedd0763833c22f019817535cb https://github.com/curl/curl/commit/ee357664df9bbb301e3bc1070a855e6b13303a5d https://github.com/curl/curl/commit/7d6e3f8cfa5c8de1ecb4ab63ed0c0660cce7acdc https://github.com/curl/curl/commit/b135cd255b6aa7d051ea906693bf67580153ed76 and libidn2 has received upstream releases. https://build.opensuse.org/request/show/451459 Certainly something we should use for TW and SLE 13. https://build.opensuse.org/request/show/454837
Fixed in Factory fate#321897. Updated libidn2 to version 2.0.1, see sr#490955. We have also checked that both curl and wget use IDNA2008 correctly in Factory. Reassigning bug to security-team.
Done. Fixed in next major release.