CURL-CVE-2016-8625

Source
https://curl.se/docs/CVE-2016-8625.html
Import Source
https://curl.se/docs/CURL-CVE-2016-8625.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2016-8625
Aliases
Published
2016-11-02T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
IDNA 2003 makes curl use wrong host
Details

When curl is built with libidn to handle International Domain Names (IDNA), it translates them to Punycode for DNS resolution using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard.

This misalignment causes problems with, for example, domains using the German ß character (the Unicode character LATIN SMALL LETTER SHARP S), which is used at times in the .de TLD and is translated differently by the two IDNA standards. As a result, users may unknowingly issue network transfer requests to the wrong host.

For example, straße.de is translated into strasse.de using IDNA 2003 but is translated into xn--strae-oqa.de using IDNA 2008. Needless to say, those hostnames could very well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains.

curl is not alone with this problem, as there is currently a big flux in the world of network user-agents about which IDNA version to support and use.

This name problem exists for DNS-using protocols in curl, but only when built to use libidn.
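The following check is an added example, not part of the curl advisory or of curl's code. It lists hostnames that the two IDNA versions convert to different DNS names, so an inventory of configured URLs can be screened for names a libidn-based build would send elsewhere. It assumes Python's built-in `idna` codec (which implements IDNA 2003, RFC 3490) and approximates IDNA 2008 by Punycode-encoding each label without the standard's validity checks; the function names and the sample host list are hypothetical.

```python
"""Find hostnames that IDNA 2003 and IDNA 2008 convert to different DNS names."""
import unicodedata


def to_ascii_2003(host):
    """IDNA 2003 ToASCII using Python's built-in 'idna' codec (RFC 3490).

    Nameprep maps some characters before encoding (for example sharp s
    becomes "ss"). Returns None if the codec rejects the name.
    """
    try:
        return host.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def to_ascii_2008_simplified(host):
    """Simplified IDNA 2008 conversion (assumption: no validity checks).

    IDNA 2008 does not map characters such as sharp s, so each non-ASCII
    label is NFC-normalised, lowercased and Punycode-encoded as it stands.
    Contextual, bidi and disallowed-code-point rules are NOT enforced here.
    """
    labels = []
    for label in host.lower().split("."):
        label = unicodedata.normalize("NFC", label)
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def find_divergent(hosts):
    """Return (host, idna2003_name, idna2008_name) for every host whose
    DNS name differs between the two conversions."""
    divergent = []
    for host in hosts:
        old = to_ascii_2003(host)
        new = to_ascii_2008_simplified(host)
        if old != new:
            divergent.append((host, old, new))
    return divergent


# Constructed sample inventory; only the last name comes from the advisory.
SAMPLE_HOSTS = [
    "example.com",        # plain ASCII, unaffected
    "b\u00fccher.de",     # u-umlaut: encoded identically by both versions
    "stra\u00dfe.de",     # sharp s: the advisory's example
]

if __name__ == "__main__":
    for host, old, new in find_divergent(SAMPLE_HOSTS):
        print(f"{host}: IDNA 2003 -> {old}, IDNA 2008 -> {new}")
```

Any name this reports should be checked against the curl version and IDN backend actually in use before relying on where its requests go.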

Database specific
{
    "URL": "https://curl.se/docs/CVE-2016-8625.json",
    "severity": "High",
    "last_affected": "7.50.3",
    "affects": "both",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2016-8625.html",
    "CWE": {
        "id": "CWE-838",
        "desc": "Inappropriate Encoding for Output Context"
    }
}
References
Credits
    • Christian Heimes - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.12.0
Fixed
7.51.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
