[gnutls-devel] libidn + 3.4.1 = cves?

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon May 4 15:50:23 CEST 2015

 It seems that libidn cannot currently handle untrusted input [1].
According to thread in [0] libidn expects the input to be checked
before. However, we have no way to do that in gnutls, so most probably
we need to (1) disable libidn support by default in 3.4.x - i.e.,
internationalized dns names and correct comparison of them, (2) switch
to some other library, (3) wait until the issue (assigned
CVE-2015-2059) is resolved upstream.

I'm currently leaning towards (3), and take action before 3.4.x
becomes stable. Any suggestions on comments on the issue?


[0]. http://permalink.gmane.org/gmane.comp.gnu.libidn.general/555
[1]. http://permalink.gmane.org/gmane.comp.gnu.libidn.general/573

More information about the Gnutls-devel mailing list