From: "H.J. Lu" <hjl.tools@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: GNU C Library <libc-alpha@sourceware.org>
Subject: Re: [PATCH COMMITTED] Switch IDNA implementation to libidn2 [BZ #19728] [BZ #19729] [BZ #22247]
Date: Wed, 23 May 2018 09:44:39 -0700
Message-ID: <CAMe9rOroY25YVfHtz1WUwkE_yQYrdj=5NBX0MareEendtRBYyQ@mail.gmail.com>
In-Reply-To: <20180523132942.17F52402B59C6@oldenburg.str.redhat.com>
On Wed, May 23, 2018 at 6:29 AM, Florian Weimer <fweimer@redhat.com> wrote:
> This provides an implementation of the IDNA2008 standard and fixes
> CVE-2016-6261, CVE-2016-6263, CVE-2017-14062.
>
> 2018-05-23 Florian Weimer <fweimer@redhat.com>
>
> [BZ #19728]
> [BZ #19729]
> [BZ #22247]
> CVE-2016-6261
> CVE-2016-6263
> CVE-2017-14062
> Switch to extern IDNA implementation (libidn2).
> * libidn: Remove subdirectory.
> * LICENSES: Do not mention licensing conditions for the removed
> libidn code.
> * config.h.in (HAVE_LIBIDN): Remove.
> * include/dlfcn.h (__libc_dlopen): Update comment.
> * include/idna.h: Remove file.
> * inet/Makefile (routines): Add idna.
> (tests-static, tests-internal): Add tst-idna_name_classify.
> (LOCALES): Generate locales for tests.
> (tst-idna_name_classify.out): Depend on generated locales.
> * inet/idna_name_classify.c: New file.
> * inet/tst-idna_name_classify.c: Likewise.
> * inet/net-internal.h (__idna_to_dns_encoding)
> (__idna_from_dns_encoding): Declare.
> * inet/net-internal.h (enum idna_name_classification): Define.
> (__idna_name_classify): Declare.
> * inet/Versions (GLIBC_PRIVATE): Add __idna_to_dns_encoding,
> __idna_from_dns_encoding.
> * inet/getnameinfo.c (DEPRECATED_NI_IDN): Define.
> (gni_host_inet_name): Call __idna_from_dns_encoding. Use punycode
> name as a fallback in case of encoding errors.
> (getnameinfo): Use DEPRECATED_NI_IDN.
> * inet/idna.c: New file.
> * nscd/gai.c: Do not include <libidn/idn-stub.c>.
> * resolv/Makefile (tests): Add tst-resolv-ai_idn,
> tst-resolv-ai_idn-latin1, tst-resolv-ai_idn-nolibidn2.
> (modules-names): Add tst-no-libidn2.
> (extra-test-objs): Add tst-no-libidn2.os.
> (LDFLAGS-tst-no-libidn2.so): Set soname.
> (LOCALES): Set, and generate locales.
> (tst-resolv-ai_idn): Link with -ldl -lresolv -lpthread.
> (tst-resolv-ai_idn-latin1): Likewise.
> (tst-resolv-ai_idn-nolibidn2): Likewise.
> (tst-resolv-ai_idn.out): Depend on locales.
> (tst-resolv-ai_idn-latin1.out): Depend on locales.
> (tst-resolv-ai_idn-nolibidn2.out): Depend on locales and
> tst-no-libidn2.so.
> * resolv/netdb.h (AI_IDN_ALLOW_UNASSIGNED)
> (AI_IDN_USE_STD3_ASCII_RULES, NI_IDN_ALLOW_UNASSIGNED)
> (NI_IDN_USE_STD3_ASCII_RULES): Deprecate.
> * resolv/tst-resolv-ai_idn.c: New file.
> * resolv/tst-resolv-ai_idn-latin1.c: Likewise.
> * resolv/tst-resolv-ai_idn-nolibidn2.c: Likewise.
> * resolv/tst-no-libidn2.c: Likewise.
> * support/support_format_addrinfo.c (format_ai_flags): Do not
> handle AI_IDN_ALLOW_UNASSIGNED, AI_IDN_USE_STD3_ASCII_RULES.
> * sysdeps/posix/getaddrinfo.c (DEPRECATED_AI_IDN): Define.
> (gaih_inet): Call __idna_to_dns_encoding and
> __idna_from_dns_encoding, and use the original (punycode) name if
> __idna_from_dns_encoding fails due to an encoding error.
> (getaddrinfo): Use DEPRECATED_AI_IDN.
> * sysdeps/unix/inet/Subdirs (libidn): Remove.
> * sysdeps/unix/inet/configure: Remove file.
> * sysdeps/unix/inet/configure.ac: Likewise.
>
On Fedora 28, I got
FAIL: resolv/tst-resolv-ai_idn
FAIL: resolv/tst-resolv-ai_idn-latin1
[hjl@gnu-hsw-1 build-x86_64-linux]$ cat resolv/tst-resolv-ai_idn.out
error: addrinfo comparison failure
query: nämchen_zwo.example:80 AF_INET/0x40
--- expected
+++ actual
@@ -1,2 +1 @@
-flags: AI_IDN
-address: STREAM/TCP 192.0.2.120 80
+error: Parameter string not correctly encoded
error: addrinfo comparison failure
query: nämchen_zwo.example:80 AF_INET/0x42
--- expected
+++ actual
@@ -1,3 +1 @@
-flags: AI_CANONNAME AI_IDN
-canonname: xn--nmchen_zwo-q5a.example
-address: STREAM/TCP 192.0.2.120 80
+error: Parameter string not correctly encoded
error: addrinfo comparison failure
query: nämchen_zwo.example:80 AF_INET/0xc2
--- expected
+++ actual
@@ -1,3 +1 @@
-flags: AI_CANONNAME AI_IDN AI_CANONIDN
-canonname: nämchen_zwo.example
-address: STREAM/TCP 192.0.2.120 80
+error: Parameter string not correctly encoded
error: addrinfo comparison failure
query: With.idn-cname.nämchen.example:80 AF_INET/0x40
--- expected
+++ actual
@@ -1,2 +1,2 @@
flags: AI_IDN
-address: STREAM/TCP 192.0.2.119 80
+address: STREAM/TCP 192.0.2.87 80
error: addrinfo comparison failure
query: With.idn-cname.nämchen.example:80 AF_INET/0x42
--- expected
+++ actual
@@ -1,3 +1,3 @@
flags: AI_CANONNAME AI_IDN
canonname: xn--anderes-nmchen-eib.example
-address: STREAM/TCP 192.0.2.119 80
+address: STREAM/TCP 192.0.2.87 80
error: addrinfo comparison failure
query: With.idn-cname.nämchen.example:80 AF_INET/0xc2
--- expected
+++ actual
@@ -1,3 +1,3 @@
flags: AI_CANONNAME AI_IDN AI_CANONIDN
canonname: anderes-nämchen.example
-address: STREAM/TCP 192.0.2.119 80
+address: STREAM/TCP 192.0.2.87 80
error: 6 test failures
[hjl@gnu-hsw-1 build-x86_64-linux]$
--
H.J.
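
Added illustration (not part of the message above and not glibc code): a simplified Python model of the name handling the ChangeLog describes for getaddrinfo, that is, converting a name to DNS encoding and using the punycode name as a fallback when the decoded name cannot be represented in the locale charset. The function names and the Cyrillic sample are constructed for this sketch; it uses Python's punycode codec and does not perform the IDNA2008 mapping and validation that libidn2 does.

```python
# Simplified model of the AI_IDN / AI_CANONIDN name handling described in the
# ChangeLog. Function names are hypothetical; this is not glibc's implementation.

ACE_PREFIX = "xn--"


def to_dns_encoding(name: str) -> str:
    """Encode each non-ASCII label as an xn-- (punycode) label."""
    labels = []
    for label in name.split("."):
        if label.isascii():
            labels.append(label)  # ASCII labels pass through unchanged
        else:
            labels.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def from_dns_encoding(name: str, charset: str) -> str:
    """Decode xn-- labels; raise UnicodeError if charset cannot hold the result."""
    labels = []
    for label in name.split("."):
        if label.lower().startswith(ACE_PREFIX):
            label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        labels.append(label)
    decoded = ".".join(labels)
    decoded.encode(charset)  # stands in for conversion to the locale charset
    return decoded


def canonname_for_display(dns_name: str, charset: str) -> str:
    """Return the decoded name, or the punycode name if decoding fails."""
    try:
        return from_dns_encoding(dns_name, charset)
    except UnicodeError:
        return dns_name  # fallback: keep the original (punycode) name


if __name__ == "__main__":
    # Names taken from the expected output in the test log above.
    for query in ("nämchen_zwo.example", "anderes-nämchen.example"):
        ace = to_dns_encoding(query)
        print(query, "->", ace, "->", canonname_for_display(ace, "utf-8"))
    # Constructed sample: Cyrillic label that ISO-8859-1 cannot represent.
    ace = to_dns_encoding("пример.example")
    print(ace, "->", canonname_for_display(ace, "latin-1"))
```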