When curl is built with libidn to handle International Domain Names (IDNA), it translates them to punycode for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with, for example, domains using the German ß character (the Unicode character LATIN SMALL LETTER SHARP S), which is used at times in the .de TLD and is translated differently by the two IDNA standards, leading to users potentially and unknowingly issuing network transfer requests to the wrong host.

For example, straße.de is translated into strasse.de using IDNA 2003 but into xn--strae-oqa.de using IDNA 2008. Needless to say, those hostnames could very well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains.
curl is not alone with this problem, as there is currently a big flux in the world of network user-agents about which IDNA version to support and use.
This name problem exists for DNS-using protocols in curl, but only when built to use libidn.
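The divergence described above, as an added example that is not curl's code: Python's standard library idna codec implements IDNA 2003 (with its Nameprep mapping), while the second function is a simplified IDNA 2008-style ToASCII written for this example that Punycode-encodes each non-ASCII label without any mapping step. Function names are this example's own; the IDNA 2008 side assumes the input is already a lowercase NFC U-label and omits the per-code-point validity checks of RFC 5891.

```python
# Added example (not curl's code): show how the same hostname maps to two
# different ASCII names under IDNA 2003 and IDNA 2008.
import unicodedata


def to_ascii_idna2003(host: str) -> str:
    # Python's stdlib "idna" codec implements IDNA 2003 (RFC 3490/3491).
    # Its Nameprep step case-folds U+00DF (sharp s) to "ss", so the label
    # "straße" becomes plain ASCII and needs no xn-- prefix at all.
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008(host: str) -> str:
    # Simplified IDNA 2008 (RFC 5891) ToASCII, written for this example:
    # IDNA 2008 has no mapping step, so U+00DF stays as its own code point
    # and is Punycode-encoded. Assumes the input is already a lowercase
    # NFC U-label; the per-code-point PVALID/CONTEXT checks are omitted.
    labels = []
    for label in unicodedata.normalize("NFC", host).split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def idna_divergence(host: str):
    # Returns (differs, idna2003_name, idna2008_name). A True first element
    # means a client using libidn (IDNA 2003) and one using IDNA 2008 would
    # resolve and connect to different hostnames for the same input.
    name_2003 = to_ascii_idna2003(host)
    name_2008 = to_ascii_idna2008(host)
    return name_2003 != name_2008, name_2003, name_2008


if __name__ == "__main__":
    # Constructed sample inputs: the page's straße.de case, a German IDN on
    # which both standards agree, and a plain ASCII name.
    for host in ("straße.de", "bücher.de", "example.com"):
        differs, a, b = idna_divergence(host)
        flag = "DIVERGES" if differs else "same"
        print(f"{host:12} IDNA2003={a:20} IDNA2008={b:20} {flag}")
```

Most IDNs (bücher.de, for instance) encode identically under both standards; the check only flags names such as straße.de whose code points are mapped away by Nameprep but kept by IDNA 2008.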
{ "URL": "https://curl.se/docs/CVE-2016-8625.json", "www": "https://curl.se/docs/CVE-2016-8625.html", "severity": "High", "last_affected": "7.50.3", "affects": "both", "package": "curl", "CWE": { "desc": "Inappropriate Encoding for Output Context", "id": "CWE-838" } }