Hi all libcurl users.

Here's a little problem many of us need to be aware of!

PROBLEM

  A recent security review of libcurl showed that a remote attacker can
  abuse libcurl's support for international domain names to disclose
  memory of a libcurl application or cause other unintended behaviors by
  passing in a malformed unicode string in the URL parameter.

  Despite that this issue has been known several months already, there is
  no fix implemented in libidn yet. We have also decided that libcurl is
  not responsible for scanning for invalid unicode, making every libcurl
  application that is not validating the input encoding of the domain
  names possibly vulnerable to this issue.

  This problem affects libcurl built to use libidn for IDN support.

  A summary of this issue with examples of vulnerable code in PHP and C
  is available at [1].

FIX

  While there have been patches floating around for this problem, none
  seem to have been adopted by the libidn project nor is being
  implemented by distributions shipping libidn.

RECOMMENDATION

  Rebuild libcurl with libidn support disabled.

  Starting now, libcurl will build with libidn disabled by default until
  this situation has been changed to satisfaction.

OTHER APPLICATIONS

  Other applications using libidn are or may be vulnerable to this
  problem too.

CREDITS

  Reported by: Gustavo Grieco and Feist Josselin

REFERENCES

  [1] = https://blog.thijsalkema.de/me/blog//blog/2015/04/17/validate-the-encoding-before-passing-strings-to-libcurl-or-glibc/

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html