Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #858130,
regarding jessie-pu: package wget/1.16-1+deb8u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858130
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,
wget 1.16-1+deb8u2 fixes CVE-2017-6508 (no-dsa) with the upstream patch.
https://security-tracker.debian.org/tracker/CVE-2017-6508
The update is included in sid and unblocked for stretch (#858118) today.
I prepared the jessie upload with pbuilder and the debdiff is:
$ debdiff wget_1.16-1+deb8u1.dsc wget_1.16-1+deb8u2.dsc
dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert
(/home/nk/debian/wget/wget-jessie/wget_1.16-1+deb8u2.dsc)
diff -Nru wget-1.16/debian/changelog wget-1.16/debian/changelog
--- wget-1.16/debian/changelog 2016-07-05 16:21:21.000000000 +0200
+++ wget-1.16/debian/changelog 2017-03-18 15:39:29.000000000 +0100
@@ -1,3 +1,9 @@
+wget (1.16-1+deb8u2) jessie; urgency=medium
+
+ * added upstream patch to fix CVE-2017-6508 closes: Bug#857073
+
+ -- Noël Köthe <[email protected]> Sat, 18 Mar 2017 15:39:29 +0100
+
wget (1.16-1+deb8u1) jessie; urgency=medium
* added patch for CVE-2016-4971. closes: #827003, #829130
diff -Nru wget-1.16/debian/patches/CVE-2017-6508.patch
wget-1.16/debian/patches/CVE-2017-6508.patch
--- wget-1.16/debian/patches/CVE-2017-6508.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget-1.16/debian/patches/CVE-2017-6508.patch 2017-03-18
15:39:29.000000000 +0100
@@ -0,0 +1,32 @@
+commit 4d729e322fae359a1aefaafec1144764a54e8ad4
+Author: Tim Rühsen <[email protected]>
+Date: Mon Mar 6 10:04:22 2017 +0100
+
+ Fix CRLF injection in Wget host part
+
+ * src/url.c (url_parse): Reject control characters in host part of URL
+
+ Reported-by: Orange Tsai
+
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b8..7d36b27d 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri,
bool percent_encode)
+ url_unescape (u->host);
+ host_modified = true;
+
++ /* check for invalid control characters in host name */
++ for (p = u->host; *p; p++)
++ {
++ if (c_iscntrl(*p))
++ {
++ url_free(u);
++ error_code = PE_INVALID_HOST_NAME;
++ goto error;
++ }
++ }
++
+ /* Apply IDNA regardless of iri->utf8_encode status */
+ if (opt.enable_iri && iri)
+ {
diff -Nru wget-1.16/debian/patches/series wget-1.16/debian/patches/series
--- wget-1.16/debian/patches/series 2016-06-30 17:21:45.000000000 +0200
+++ wget-1.16/debian/patches/series 2017-03-18 15:39:29.000000000 +0100
@@ -2,4 +2,4 @@
wget-doc-remove-usr-local-in-wget.texi
wget-passive_ftp-default
wget-CVE-2016-4971.patch
-
+CVE-2017-6508.patch
If this is OK for you I would upload it.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---
