Release Digest: GNU, June 27, 2004
Jun 28, 2004, 05:00
GNU Libidn 0.5.0 alpha
Hello. This release adds some code to detect the "problem sequences" discussed in UTC's public review issue #29. To perhaps explain this in less obfuscated terms, here follow some paragraphs from the manual:
A deficiency in the specification of Unicode Normalization Forms has been found. The consequence is that some strings can be normalized into different strings by different implementations. In other words, two different implementations may return different output for the same input (because the interpretation of the specification is ambiguous). Further, an implementation invoked again on one of the output strings may return a different string (because one of the interpretations of the ambiguous specification makes normalization non-idempotent). Fortunately, only a select few character sequences exhibit this problem, and none of them are expected to occur in natural languages (due to different linguistic uses of the involved characters).
A full discussion of the problem may be found at
The PR29 functions below allow you to detect the problem sequence. So when would you want to use these functions? For most applications, such as those using Nameprep for IDN, this is likely only to be an interoperability problem. Thus, you may not want to care about it, as the character sequences will rarely occur naturally. However, if you are using a profile, such as SASLPrep, to process authentication tokens, authorization tokens, or passwords, there is a real danger that attackers may try to use the peculiarities in these strings to attack parts of your system. As only a small number of strings, and no naturally occurring strings, exhibit this problem, the conservative approach of rejecting the strings is recommended. If this approach is not used, you should instead verify that all parts of your system that process the tokens and passwords use an NFKC implementation that produces the same output for the same input.
GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domain Names (IDN) working group, used for internationalized domain names. The library contains a generic Stringprep implementation that does Unicode 3.2 NFKC normalization, mapping and prohibition of characters, and bidirectional character handling. Profiles for Nameprep, iSCSI, SASL and XMPP are included. Punycode and ASCII Compatible Encoding (ACE) via IDNA are supported. A mechanism to define Top-Level Domain (TLD) specific validation tables, and to compare strings against those tables, is included. Default tables for some TLDs are also included.
Here are the compressed sources:
Here are GPG detached signatures:
Here are the build reports for various platforms: http://josefsson.org/autobuild/libidn.html
Here are the MD5 and SHA1 signatures:
Noteworthy changes since version 0.4.9 (the last version announced here):
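The conservative reject-the-string check that the Libidn announcement above recommends for passwords and tokens, as an added Python example; it is not part of the announcement and is not Libidn's code or its PR29 API. It uses the pattern given in public review issue #29 (a starter, one or more characters with non-zero combining class, then a combining-class-zero character that composes with the starter); the names `has_pr29_problem`, `composes` and `accept_password` are hypothetical, and using Python's bundled Unicode 3.2 tables is an assumption chosen to match the Unicode 3.2 NFKC that Stringprep uses.

```python
import unicodedata

# Assumption: Python's bundled Unicode 3.2 tables, the version Stringprep is defined on.
UCD = unicodedata.ucd_3_2_0


def composes(first: str, last: str) -> bool:
    """True if NFC merges the two characters into one primary composite."""
    return len(UCD.normalize("NFC", first + last)) == 1


def _scan(text: str) -> bool:
    """Find: starter, one or more non-starters, ccc=0 char composing with the starter."""
    n = len(text)
    for i, first in enumerate(text):
        if UCD.combining(first) != 0:
            continue  # the first character must be a starter (combining class 0)
        j = i + 1
        while j < n and UCD.combining(text[j]) != 0:
            j += 1  # skip the intervening combining marks
        # Require at least one intervening mark and a following ccc=0 character.
        if i + 1 < j < n and composes(first, text[j]):
            return True
    return False


def has_pr29_problem(text: str) -> bool:
    # Also scan the NFC form: a first character such as U+0CCA may only
    # appear once U+0CC6 U+0CC2 has been composed.
    return _scan(text) or _scan(UCD.normalize("NFC", text))


def accept_password(candidate: str) -> bool:
    """Conservative policy from the text above: refuse problem sequences."""
    return not has_pr29_problem(candidate)


# Constructed sample inputs (not taken from the announcement).
SAMPLES = {
    "hangul L + grave + V": "\u1100\u0300\u1161",
    "oriya E + grave + AA": "\u0b47\u0300\u0b3e",
    "plain accented word": "re\u0301sume\u0301",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {'reject' if has_pr29_problem(value) else 'ok'}")
```

Run the check on the raw input before any normalization step, so the decision does not depend on which NFKC implementation a later component uses.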
Greetings! You can find the release notes here:
Over the next few days, we will be uploading binaries requested by various users for convenience to ftp.gnu.org/. Shortly thereafter, goals and priorities for 2.7.0 will be discussed and planned. Closing the remaining ANSI compliance issues will be foremost on the list in any case. Feedback to email@example.com of course most appreciated.