oss-sec mailing list archives

Out-of-bounds read in wget and curl using CVE-2015-2059


From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 6 Jul 2015 09:17:21 +0200

Hello!

As you probably know, CVE-2015-2059 wasn't fixed yet
(https://bugzilla.redhat.com/show_bug.cgi?id=1197796). Unfortunately
many applications are using libidn without validating its UTF-8
inputs. Recently wget
(http://git.savannah.gnu.org/cgit/wget.git/commit/?id=77f5a27e6506970c00b96570b6783c49582eacd7)
and curl (http://curl.haxx.se/mail/lib-2015-06/0143.html) applied some
mitigations.

After reading the previous oss-security related threads I'm still
unsure if these issues deserve individual CVEs or they are just
consequences of CVE-2015-2059.
A quick and dirty demo of this memory leak is available here:
https://gist.github.com/neuromancer/cfba1dae769db0551963

Regards,
Gustavo.