cURL / Mailing Lists / curl-users / Single Mail

curl-users

[SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 2 Nov 2016 08:13:26 +0100 (CET)

IDNA 2003 makes curl use wrong host
===================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102K.html)

VULNERABILITY
-------------

When curl is built with libidn to handle International Domain Names (IDNA), it
translates them to puny code for DNS resolving using the IDNA 2003 standard,
while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with for example domains using the German ß
character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which
is used at times in the .de TLD and is translated differently in the two IDNA
standards, leading to users potentially and unknowingly issuing network
transfer requests to the wrong host.

For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
host names could very well resolve to different addresses and be two
completely independent servers. IDNA 2008 is mandatory for .de domains.

curl is not alone with this problem, as there's currently a big flux in the
world of network user-agents about which IDNA version to support and use.

This name problem exists for DNS-using protocols in curl, but only when built
to use libidn.

We are not aware of any exploit of this flaw.

INFO

----
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-8625 to this issue.
AFFECTED VERSIONS
-----------------
This flaw exists in the following curl versions.
- Affected versions: curl 7.12.0 to and including 7.50.3
- Not affected versions: curl < 7.12.0 and curl >= 7.51.0
libcurl is used by many applications, but not always advertised as such!
THE SOLUTION
------------
In version 7.51.0, the parser function is fixed.
A [patch for CVE-2016-8625](https://curl.haxx.se/CVE-2016-8625.patch) is
available.
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 7.51.0
  B - Apply the patch to your version and rebuild
TIME LINE
---------
It was first reported to the curl project on October 11 by Christian Heimes.
We contacted distros_at_openwall on October 19.
curl 7.51.0 was released on November 2 2016, coordinated with the publication
of this advisory.
CREDITS
-------
Thanks to Christian Heimes
-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-02