Package: wget
Version: 1.12-1.1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu maverick ubuntu-patch
In Ubuntu, we've applied the attached patch to achieve the following:
* SECURITY UPDATE: arbitrary file overwrite via 3xx redirect
- debian/patches/CVE-2010-2252.dpatch: don't use server names in
doc/wget.texi, src/{http.*,init.c,main.c,options.h,retr.c}.
- This update changes previous behaviour by ignoring the filename
supplied by the server during redirects. To re-enable previous
behaviour, see the new --trust-server-names option.
- CVE-2010-2252
We thought you might be interested in doing the same.
-- System Information:
Debian Release: squeeze/sid
APT prefers maverick-updates
APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500,
'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35-19-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u wget-1.12/debian/changelog wget-1.12/debian/changelog
diff -u wget-1.12/debian/patches/00list wget-1.12/debian/patches/00list
--- wget-1.12/debian/patches/00list
+++ wget-1.12/debian/patches/00list
@@ -5,0 +6 @@
+CVE-2010-2252
only in patch2:
unchanged:
--- wget-1.12.orig/debian/patches/CVE-2010-2252.dpatch
+++ wget-1.12/debian/patches/CVE-2010-2252.dpatch
@@ -0,0 +1,162 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix arbitrary file overwrite via 3xx redirect
+# Origin: upstream, http://lists.gnu.org/archive/html/bug-wget/2010-07/msg00076.html
+# Bug: https://savannah.gnu.org/bugs/?29958
+# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590296
+
+...@dpatch@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/doc/wget.texi wget-1.12/doc/wget.texi
+--- wget-1.12~/doc/wget.texi 2010-09-03 09:18:48.000000000 -0400
++++ wget-1.12/doc/wget.texi 2010-09-03 09:19:04.000000000 -0400
+@@ -1487,6 +1487,13 @@
+ @code{Content-Disposition} headers to describe what the name of a
+ downloaded file should be.
+
+...@cindex Trust server names
+...@item --trust-server-names
++
++If this is set to on, on a redirect the last component of the
++redirection URL will be used as the local file name. By default it is
++used the last component in the original URL.
++
+ @cindex authentication
+ @item --auth-no-challenge
+
+@@ -2797,6 +2804,10 @@
+ Turn on recognition of the (non-standard) @samp{Content-Disposition}
+ HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}.
+
+...@item trust_server_names = on/off
++If set to on, use the last component of a redirection URL for the local
++file name.
++
+ @item continue = on/off
+ If set to on, force continuation of preexistent partially retrieved
+ files. See @samp{-c} before setting it.
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/http.c wget-1.12/src/http.c
+--- wget-1.12~/src/http.c 2009-09-21 23:02:18.000000000 -0400
++++ wget-1.12/src/http.c 2010-09-03 09:19:04.000000000 -0400
+@@ -2410,8 +2410,9 @@
+ /* The genuine HTTP loop! This is the part where the retrieval is
+ retried, and retried, and retried, and... */
+ uerr_t
+-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
+- int *dt, struct url *proxy, struct iri *iri)
++http_loop (struct url *u, struct url *original_url, char **newloc,
++ char **local_file, const char *referer, int *dt, struct url *proxy,
++ struct iri *iri)
+ {
+ int count;
+ bool got_head = false; /* used for time-stamping and filename detection */
+@@ -2457,7 +2458,8 @@
+ }
+ else if (!opt.content_disposition)
+ {
+- hstat.local_file = url_file_name (u);
++ hstat.local_file =
++ url_file_name (opt.trustservernames ? u : original_url);
+ got_name = true;
+ }
+
+@@ -2497,7 +2499,7 @@
+
+ /* Send preliminary HEAD request if -N is given and we have an existing
+ * destination file. */
+- file_name = url_file_name (u);
++ file_name = url_file_name (opt.trustservernames ? u : original_url);
+ if (opt.timestamping
+ && !opt.content_disposition
+ && file_exists_p (file_name))
+@@ -2852,9 +2854,9 @@
+
+ /* Remember that we downloaded the file for later ".orig" code. */
+ if (*dt & ADDED_HTML_EXTENSION)
+- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ else
+- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+
+ ret = RETROK;
+ goto exit;
+@@ -2885,9 +2887,9 @@
+
+ /* Remember that we downloaded the file for later ".orig" code. */
+ if (*dt & ADDED_HTML_EXTENSION)
+- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ else
+- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+
+ ret = RETROK;
+ goto exit;
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/http.h wget-1.12/src/http.h
+--- wget-1.12~/src/http.h 2009-09-04 12:31:54.000000000 -0400
++++ wget-1.12/src/http.h 2010-09-03 09:19:04.000000000 -0400
+@@ -33,8 +33,8 @@
+
+ struct url;
+
+-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
+- struct url *, struct iri *);
++uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
++ int *, struct url *, struct iri *);
+ void save_cookies (void);
+ void http_cleanup (void);
+ time_t http_atotm (const char *);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/init.c wget-1.12/src/init.c
+--- wget-1.12~/src/init.c 2009-09-21 23:02:41.000000000 -0400
++++ wget-1.12/src/init.c 2010-09-03 09:19:04.000000000 -0400
+@@ -243,6 +243,7 @@
+ { "timeout", NULL, cmd_spec_timeout },
+ { "timestamping", &opt.timestamping, cmd_boolean },
+ { "tries", &opt.ntry, cmd_number_inf },
++ { "trustservernames", &opt.trustservernames, cmd_boolean },
+ { "useproxy", &opt.use_proxy, cmd_boolean },
+ { "user", &opt.user, cmd_string },
+ { "useragent", NULL, cmd_spec_useragent },
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/main.c wget-1.12/src/main.c
+--- wget-1.12~/src/main.c 2009-09-21 23:03:11.000000000 -0400
++++ wget-1.12/src/main.c 2010-09-03 09:19:04.000000000 -0400
+@@ -266,6 +266,7 @@
+ { "timeout", 'T', OPT_VALUE, "timeout", -1 },
+ { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
+ { "tries", 't', OPT_VALUE, "tries", -1 },
++ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
+ { "user", 0, OPT_VALUE, "user", -1 },
+ { "user-agent", 'U', OPT_VALUE, "useragent", -1 },
+ { "verbose", 'v', OPT_BOOLEAN, "verbose", -1 },
+@@ -675,6 +676,8 @@
+ N_("\
+ -I, --include-directories=LIST list of allowed directories.\n"),
+ N_("\
++ --trust-server-names use the name specified by the redirection url last component.\n"),
++ N_("\
+ -X, --exclude-directories=LIST list of excluded directories.\n"),
+ N_("\
+ -np, --no-parent don't ascend to the parent directory.\n"),
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/options.h wget-1.12/src/options.h
+--- wget-1.12~/src/options.h 2009-09-21 23:03:47.000000000 -0400
++++ wget-1.12/src/options.h 2010-09-03 09:19:04.000000000 -0400
+@@ -242,6 +242,7 @@
+ char *encoding_remote;
+ char *locale;
+
++ bool trustservernames;
+ #ifdef __VMS
+ int ftp_stmlf; /* Force Stream_LF format for binary FTP. */
+ #endif /* def __VMS */
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget-1.12~/src/retr.c wget-1.12/src/retr.c
+--- wget-1.12~/src/retr.c 2009-09-04 12:31:54.000000000 -0400
++++ wget-1.12/src/retr.c 2010-09-03 09:19:04.000000000 -0400
+@@ -689,7 +689,8 @@
+ #endif
+ || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
+ {
+- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
++ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
++ proxy_url, iri);
+ }
+ else if (u->scheme == SCHEME_FTP)
+ {