Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <[email protected]>
and subject line Close 1099428
has caused the Debian Bug report #1099428,
regarding bookworm-pu: package wget/1.21.3-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1099428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099428
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:wget
[ Reason ]
Fix CVE-2024-38428 and trivial packaging update.
[ Impact ]
The CVE is not fixed. Users would face the risk of an info leak.
[ Tests ]
dh_auto_test has passed, and it has been tested manually by me.
[ Risks ]
Changes are backported from upstream and minimal.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Replace obsolete B-D pkg-config to pkgconf.
* Backport a patch from upstream that properly re-implements userinfo parsing in
src/url.c.
[ Other info ]
I did not backport the fix for CVE-2024-10524 since, as an Ubuntu developer said, this
patch might be a breaking change to wget behavior.
diff -Nru wget-1.21.3/debian/changelog wget-1.21.3/debian/changelog
--- wget-1.21.3/debian/changelog 2022-03-30 01:40:59.000000000 +0800
+++ wget-1.21.3/debian/changelog 2025-03-03 21:32:32.000000000 +0800
@@ -1,3 +1,11 @@
+wget (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+ * d/control: replace obsolete B-D pkg-config with pkgconf.
+ * Backport patch to fix mishandling of semicolons in userinfo
+ (closes: CVE-2024-38428).
+
+ -- Shengqi Chen <[email protected]> Mon, 03 Mar 2025 21:32:32 +0800
+
wget (1.21.3-1) unstable; urgency=medium
* new upstream from 2022-02-26
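Review bot: the "(closes: CVE-2024-38428)" clause in the new changelog entry uses the Closes: syntax, which Debian tooling only interprets for bug numbers (#NNNNNN), so it closes nothing and reads oddly in the changelog; write the CVE id plainly, e.g. "Backport patch to fix mishandling of semicolons in userinfo (CVE-2024-38428)", and use "Closes: #..." only for a Debian bug number.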
diff -Nru wget-1.21.3/debian/control wget-1.21.3/debian/control
--- wget-1.21.3/debian/control 2022-03-30 01:40:59.000000000 +0800
+++ wget-1.21.3/debian/control 2025-03-03 21:32:32.000000000 +0800
@@ -2,7 +2,7 @@
Section: web
Priority: standard
Maintainer: Noël Köthe <[email protected]>
-Build-Depends: debhelper-compat (= 13), pkg-config, gettext, texinfo,
libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5),
automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism
+Build-Depends: debhelper-compat (= 13), pkgconf, gettext, texinfo,
libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5),
automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism
Standards-Version: 4.6.0
Homepage: https://www.gnu.org/software/wget/
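Review bot: the pkg-config to pkgconf swap is a packaging change unrelated to CVE-2024-38428 and not an upstream backport, so the statement under [Risks] that all changes are backported from upstream does not cover it; if it is kept in a stable update, the changelog entry should say it has no effect on the built binaries so the release team can see it is a no-op.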
diff -Nru wget-1.21.3/debian/patches/CVE-2024-38428.patch
wget-1.21.3/debian/patches/CVE-2024-38428.patch
--- wget-1.21.3/debian/patches/CVE-2024-38428.patch 1970-01-01
08:00:00.000000000 +0800
+++ wget-1.21.3/debian/patches/CVE-2024-38428.patch 2025-03-03
21:30:39.000000000 +0800
@@ -0,0 +1,75 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing
(rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough
re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" |
"$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+--
+cgit v1.1
+
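Review bot: the rewritten url_skip_credentials() changes behaviour beyond the semicolon case: the old strpbrk() call skipped everything up to '@' unless '/', '?', '#' or ';' came first, whereas the new loop gives up (break; return url) at the first byte outside the RFC 2396 userinfo set, so a URL whose userinfo holds an unescaped byte such as a space or a non-ASCII character is now treated as having no credentials to skip; worth confirming the manual test mentioned under [Tests] exercises both a percent-encoded userinfo and an unescaped one against the old and new build. Also, this copy of the debdiff has been wrapped by the mail client (the continuation lines after "Properly re-implement userinfo parsing", "thorough" and "\"+\" |" have lost their leading "+"), so the attachment rather than the quoted text is what should be applied and reviewed. Finally, the patch file ends with the "cgit v1.1" trailer and carries no DEP-3 metadata; adding "Origin: upstream, commit ed0c7c7e0e8f7298352646b2fd6e06a11e242ace" and "Bug-Debian:" pointing at this report would document where it came from for the next uploader.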
diff -Nru wget-1.21.3/debian/patches/series wget-1.21.3/debian/patches/series
--- wget-1.21.3/debian/patches/series 2022-03-29 17:54:56.000000000 +0800
+++ wget-1.21.3/debian/patches/series 2025-03-03 21:30:39.000000000 +0800
@@ -1,3 +1,4 @@
wget-doc-remove-usr-local-in-sample.wgetrc
wget-doc-remove-usr-local-in-wget.texi
wget-passive_ftp-default
+CVE-2024-38428.patch
--- End Message ---
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---