libidn2 underscore stripping problem

Done
Submitted by Leo Famulari.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner: unassigned
Severity: normal
Leo Famulari wrote on 24 Jul 2017 21:52
(address . bug-guix@gnu.org)
20170724195231.GA28842@jasmine.lan
It was recently reported that libidn2 can cause issues for domains whose names contain underscores, and maybe some other characters, too. It matters to us because we build GnuTLS with libidn2.

I'm not sure yet what the solution is for us. Help wanted!

Original report: https://github.com/systemd/systemd/issues/6426

libidn2 discussion: https://gitlab.com/libidn/libidn2/issues/30

Upstream fix: https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e

Marius Bakke wrote on 25 Jul 2017 22:22
87inigjmhg.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:
> It was recently reported that libidn2 can cause issues for domains whose
> names contain underscores, and maybe some other characters, too. It
> matters to us because we build GnuTLS with libidn2.
>
> I'm not sure yet what the solution is for us. Help wanted!
>
> Original report:
> https://github.com/systemd/systemd/issues/6426
>
> libidn2 discussion:
> https://gitlab.com/libidn/libidn2/issues/30
>
> Upstream fix:
> https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e
The commit refers to TR46 which is a Unicode standards document:

http://unicode.org/reports/tr46/#STD3_Rules

It appears the new IDNA processing rules disallow use of underscores in domain names, which is in direct conflict with e.g. RFC2782[0].

Part of the confusion comes from the fact that underscores are indeed disallowed in *hostnames* (as in A and AAAA records)[1].

So if libidn2 enforces STD3 compliance on *all* domain types (how can it distinguish?), that is not good.

I'm not sure if it's worth grafting it until we have a real-world use case however. Though we could consider swallowing the ~2300 rebuilds in the next staging round for the new version which contains the fix.

[0] https://tools.ietf.org/html/rfc2782
[1] https://tools.ietf.org/html/rfc1123#section-2
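The hostname versus domain-name distinction discussed in the message above, as an added example that is not part of the thread and is not libidn2's code: it checks names against an LDH (RFC 1123) label rule and a relaxed rule that admits underscores (RFC 2782 SRV names), and shows why silently dropping a disallowed character is riskier than rejecting the name. All function names and sample names are constructed for illustration, and `strip_disallowed` is only a model of the "stripping" named in the bug title.

```python
import re

# RFC 1123 section 2 host label: letters, digits, hyphen (LDH), no edge hyphen.
LDH_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Relaxed label that also admits "_", as RFC 2782 SRV owner names require.
DNS_LABEL = re.compile(r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?")


def split_labels(name):
    """Lower-case an ASCII name, drop one trailing root dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def is_hostname(name):
    """True if every label passes the LDH (STD3-style) rule."""
    return all(LDH_LABEL.fullmatch(label) for label in split_labels(name))


def is_dns_name(name):
    """True if every label passes the relaxed rule that allows underscores."""
    return all(DNS_LABEL.fullmatch(label) for label in split_labels(name))


def strip_disallowed(name):
    """Constructed model of lossy handling: silently drop non-LDH characters."""
    return ".".join(re.sub(r"[^a-z0-9-]", "", l) for l in split_labels(name))


def normalize_or_reject(name, hostname_only):
    """Fail closed: return the lower-cased name, or raise ValueError."""
    valid = is_hostname(name) if hostname_only else is_dns_name(name)
    if not valid:
        raise ValueError(f"name not valid for this context: {name!r}")
    return ".".join(split_labels(name))


if __name__ == "__main__":
    # Constructed sample names (example.org is reserved for documentation).
    for sample in ("_xmpp-server._tcp.example.org", "a_b.example.org"):
        print(sample, is_hostname(sample), is_dns_name(sample),
              strip_disallowed(sample))
```

With stripping, `a_b.example.org` and `ab.example.org` become the same name, so a lookup or certificate check can end up running against a different domain than the one requested; rejecting the name avoids that.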
Ludovic Courtès wrote on 3 Aug 2017 00:01
control message for bug #27809
(address . control@debbugs.gnu.org)
87h8xpsk6y.fsf@gnu.org
tags 27809 security
Leo Famulari wrote on 26 Feb 2019 00:30
Re: bug#27809: libidn2 underscore stripping problem
(address . 27809-done@debbugs.gnu.org)
20190225233013.GA16467@jasmine.lan
Leo Famulari <leo@famulari.name> writes:
> It was recently reported that libidn2 can cause issues for domains whose
> names contain underscores, and maybe some other characters, too. It
> matters to us because we build GnuTLS with libidn2.
>
> I'm not sure yet what the solution is for us. Help wanted!
>
> Original report:
> https://github.com/systemd/systemd/issues/6426
>
> libidn2 discussion:
> https://gitlab.com/libidn/libidn2/issues/30
>
> Upstream fix:
> https://gitlab.com/libidn/libidn2/commit/a5cbc16efd02adb78d2d082b21c3ac4d3fa88d2e
This commit was contained in libidn2 2.0.3, and we currently have 2.0.5.

Closed

This issue is archived.

To comment on this conversation send email to 27809@debbugs.gnu.org