GNU bug report logs - #27809 libidn2 underscore stripping problem
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Mon, 24 Jul 2017 19:53:02 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#27809; Package guix. (Mon, 24 Jul 2017 19:53:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 24 Jul 2017 19:53:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
It was recently reported that libidn2 can cause issues for domains whose
names contain underscores, and maybe some other characters, too. It
matters to us because we build GnuTLS with libidn2.

I'm not sure yet what the solution is for us. Help wanted!

Original report:
https://github.com/systemd/systemd/issues/6426

libidn2 discussion:
https://gitlab.com/libidn/libidn2/issues/30

Upstream fix:
https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e
Information forwarded to bug-guix <at> gnu.org: bug#27809; Package guix. (Tue, 25 Jul 2017 20:23:03 GMT)
Message #8 received at 27809 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> It was recently reported that libidn2 can cause issues for domains whose
> names contain underscores, and maybe some other characters, too. It
> matters to us because we build GnuTLS with libidn2.
>
> I'm not sure yet what the solution is for us. Help wanted!
>
> Original report:
> https://github.com/systemd/systemd/issues/6426
>
> libidn2 discussion:
> https://gitlab.com/libidn/libidn2/issues/30
>
> Upstream fix:
> https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e

The commit refers to TR46 which is a Unicode standards document:

http://unicode.org/reports/tr46/#STD3_Rules

It appears the new IDNA processing rules disallow use of underscores in
domain names, which is in direct conflict with e.g. RFC2782[0].

Part of the confusion comes from the fact that underscores are indeed
disallowed in *hostnames* (as in A and AAAA records)[1].

So if libidn2 enforces STD3 compliance on *all* domain types (how can it
distinguish?), that is not good.

I'm not sure if it's worth grafting it until we have a real-world use
case however. Though we could consider swallowing the ~2300 rebuilds in
the next staging round for the new version which contains the fix.

[0] https://tools.ietf.org/html/rfc2782
[1] https://tools.ietf.org/html/rfc1123#section-2
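The host name versus domain name distinction drawn in the message above, as an added Python example that is not part of the original thread and is not libidn2 code: STD3 (RFC 1123) rules are applied only when the caller knows a host name is required, and a guard rejects any converter output that alters an ASCII name. All function names are hypothetical, and `stripping_convert` is a constructed stand-in for a converter that drops underscores.

```python
import re

# RFC 1123 section 2 (STD3) host label: letters, digits, hyphen; 1-63 octets;
# no leading or trailing hyphen. Underscore is not allowed.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# RFC 2782 service/protocol label: "_" followed by an LDH label (63 octets total).
SRV_LABEL = re.compile(r"_(?!-)[A-Za-z0-9-]{1,62}(?<!-)")


def split_labels(name):
    """Split a DNS name into labels, ignoring one trailing root dot."""
    return name[:-1].split(".") if name.endswith(".") else name.split(".")


def valid_hostname(name):
    """STD3 check for names that must be host names (e.g. A/AAAA owners)."""
    labels = split_labels(name)
    return len(".".join(labels)) <= 253 and all(
        LDH_LABEL.fullmatch(label) for label in labels)


def valid_srv_owner(name):
    """RFC 2782 owner name: _service._proto followed by a host-style domain."""
    labels = split_labels(name)
    return (len(labels) >= 3
            and all(SRV_LABEL.fullmatch(label) for label in labels[:2])
            and valid_hostname(".".join(labels[2:])))


def valid_for_rrtype(name, rrtype):
    """Apply STD3 only where a host name is required; the caller knows the type."""
    checks = {"A": valid_hostname, "AAAA": valid_hostname, "SRV": valid_srv_owner}
    return checks[rrtype](name)


def convert_checked(convert, name):
    """Run a to-ASCII converter; an ASCII name may change only by case folding."""
    out = convert(name)
    if name.isascii() and out.lower() != name.lower():
        # e.g. a dropped underscore would send the lookup to a different name
        raise ValueError(f"converter changed {name!r} to {out!r}")
    return out


def stripping_convert(name):
    """Constructed stand-in (not libidn2) for a converter that drops underscores."""
    return name.replace("_", "").lower()
```

The same name, `_sip._tcp.example.com`, is accepted as an SRV owner and rejected as a host name, which is why the decision has to be made by the caller that knows the record type.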
Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 02 Aug 2017 22:02:02 GMT)
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Mon, 25 Feb 2019 23:31:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Mon, 25 Feb 2019 23:31:02 GMT)
Message #15 received at 27809-done <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> It was recently reported that libidn2 can cause issues for domains whose
> names contain underscores, and maybe some other characters, too. It
> matters to us because we build GnuTLS with libidn2.
>
> I'm not sure yet what the solution is for us. Help wanted!
>
> Original report:
> https://github.com/systemd/systemd/issues/6426
>
> libidn2 discussion:
> https://gitlab.com/libidn/libidn2/issues/30
>
> Upstream fix:
> https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e
This commit was contained in libidn2 2.0.3, and we currently have 2.0.5.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:03 GMT)
This bug report was last modified 5 years and 33 days ago.