Your message dated Sat, 18 Mar 2017 22:13:19 +0000
with message-id <[email protected]>
and subject line unblock wget
has caused the Debian Bug report #858118,
regarding unblock: wget/1.18-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package wget
wget has a security problem CVE-2017-6508 #857073
https://security-tracker.debian.org/tracker/CVE-2017-6508
I fixed it in unstable but unstable already has the new upstream
version 1.19.1. To fix this problem in stretch I fixed only this
problem with the wget package 1.18-5
The debdiff:
$ debdiff wget_1.18-4.1.dsc wget_1.18-5.dsc
dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert
(/home/nk/debian/wget/wget-stretch/wget_1.18-5.dsc)
diff -Nru wget-1.18/debian/changelog wget-1.18/debian/changelog
--- wget-1.18/debian/changelog 2017-02-25 16:58:53.000000000 +0100
+++ wget-1.18/debian/changelog 2017-03-18 15:12:55.000000000 +0100
@@ -1,3 +1,9 @@
+wget (1.18-5) testing-proposed-updates; urgency=medium
+
+ * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
+
+ -- Noël Köthe <[email protected]> Sat, 18 Mar 2017 15:12:55 +0100
+
wget (1.18-4.1) testing-proposed-updates; urgency=medium
* Non-maintainer upload.
diff -Nru wget-1.18/debian/patches/CVE-2017-6508.patch
wget-1.18/debian/patches/CVE-2017-6508.patch
--- wget-1.18/debian/patches/CVE-2017-6508.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget-1.18/debian/patches/CVE-2017-6508.patch 2017-03-18
15:12:55.000000000 +0100
@@ -0,0 +1,32 @@
+commit 4d729e322fae359a1aefaafec1144764a54e8ad4
+Author: Tim Rühsen <[email protected]>
+Date: Mon Mar 6 10:04:22 2017 +0100
+
+ Fix CRLF injection in Wget host part
+
+ * src/url.c (url_parse): Reject control characters in host part of URL
+
+ Reported-by: Orange Tsai
+
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b8..7d36b27d 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri,
bool percent_encode)
+ url_unescape (u->host);
+ host_modified = true;
+
++ /* check for invalid control characters in host name */
++ for (p = u->host; *p; p++)
++ {
++ if (c_iscntrl(*p))
++ {
++ url_free(u);
++ error_code = PE_INVALID_HOST_NAME;
++ goto error;
++ }
++ }
++
+ /* Apply IDNA regardless of iri->utf8_encode status */
+ if (opt.enable_iri && iri)
+ {
diff -Nru wget-1.18/debian/patches/series wget-1.18/debian/patches/series
--- wget-1.18/debian/patches/series 2016-09-26 15:07:33.000000000 +0200
+++ wget-1.18/debian/patches/series 2017-03-18 15:12:55.000000000 +0100
@@ -4,3 +4,4 @@
wget-doc-CRLs.patch
wget-openssl1.1.0.patch
CVE-2016-7098.patch
+CVE-2017-6508.patch
If this is OK for you release-team I can upload it to testing-proposed-updates.
Thanks for your release work and greeting from the credativ BSP.;)
unblock wget/1.18-5
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Unblocked wget.
--- End Message ---
