Your message dated Fri, 08 Jul 2016 11:47:09 +0000
with message-id <e1blufr-00083f...@franck.debian.org>
and subject line Bug#829130: fixed in wget 1.16-1+deb8u1
has caused the Debian Bug report #829130,
regarding jessie-pu: package wget/1.16-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
829130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829130
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi stable release managers,

wget in stable is affected by CVE-2016-4971, an issue where wget does
not correctly handle filenames when being redirected from an HTTP to an
FTP URL. We think that this does not necessarily need a DSA, but it
would still be good to have it fixed in stable. I thus have prepared a
debdiff, attached. Bug in BTS is #827003.

The debdiff contains an increasing debian/wget.debhelper.log.

If you allow me to, I can prepare a new debdiff, to clean this up as
well, by using dh_prep instead of dh_clean -k for the build target.
Would that be fine?

Attached, for now, is the debdiff without that packaging change.

Regards,
Salvatore
diff -Nru wget-1.16/debian/changelog wget-1.16/debian/changelog
--- wget-1.16/debian/changelog	2014-10-27 11:41:18.000000000 +0100
+++ wget-1.16/debian/changelog	2016-06-30 21:24:14.000000000 +0200
@@ -1,3 +1,11 @@
+wget (1.16-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-4971: Lack of filename checking allows arbitrary file upload via
+    FTP redirect (Closes: #827003)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 30 Jun 2016 21:18:47 +0200
+
 wget (1.16-1) unstable; urgency=medium
 
   * new upstream release from 2014-10-27
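Review bot: the changelog entry names the CVE but not the user-visible change, namely that an HTTP->FTP redirect now names the local file after the original URL unless --trust-server-names is given; adding that sentence here (as the changelog of the accepted upload later in this thread does) tells jessie users why a script may suddenly write to a different file name after the update.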
diff -Nru wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch
--- wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch	1970-01-01 01:00:00.000000000 +0100
+++ wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch	2016-06-30 21:24:14.000000000 +0200
@@ -0,0 +1,270 @@
+Description: ftp: understand --trust-server-names on a HTTP->FTP redirect
+ If not --trust-server-names is used, FTP will also get the destination
+ file name from the original url specified by the user instead of the
+ redirected url.  Closes CVE-2016-4971.
+Origin: backport, http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
+Bug-Debian: https://bugs.debian.org/827003
+Forwarded: not-needed
+Author: Giuseppe Scrivano <gscri...@redhat.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2016-06-30
+Applied-Upstream: 1.18
+---
+
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -235,14 +235,15 @@ print_length (wgint size, wgint start, b
+   logputs (LOG_VERBOSE, !authoritative ? _(" (unauthoritative)\n") : "\n");
+ }
+ 
+-static uerr_t ftp_get_listing (struct url *, ccon *, struct fileinfo **);
++static uerr_t ftp_get_listing (struct url *, struct url *, ccon *, struct fileinfo **);
+ 
+ /* Retrieves a file with denoted parameters through opening an FTP
+    connection to the server.  It always closes the data connection,
+    and closes the control connection in case of error.  If warc_tmp
+    is non-NULL, the downloaded data will be written there as well.  */
+ static uerr_t
+-getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread,
++getftp (struct url *u, struct url *original_url,
++        wgint passed_expected_bytes, wgint *qtyread,
+         wgint restval, ccon *con, int count, wgint *last_expected_bytes,
+         FILE *warc_tmp)
+ {
+@@ -992,7 +993,7 @@ Error in server response, closing contro
+         {
+           bool exists = false;
+           struct fileinfo *f;
+-          uerr_t _res = ftp_get_listing (u, con, &f);
++          uerr_t _res = ftp_get_listing (u, original_url, con, &f);
+           /* Set the DO_RETR command flag again, because it gets unset when
+              calling ftp_get_listing() and would otherwise cause an assertion
+              failure earlier on when this function gets repeatedly called
+@@ -1536,7 +1537,8 @@ Error in server response, closing contro
+    This loop either gets commands from con, or (if ON_YOUR_OWN is
+    set), makes them up to retrieve the file given by the URL.  */
+ static uerr_t
+-ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con, char **local_file)
++ftp_loop_internal (struct url *u, struct url *original_url, struct fileinfo *f,
++                   ccon *con, char **local_file)
+ {
+   int count, orig_lp;
+   wgint restval, len = 0, qtyread = 0;
+@@ -1560,7 +1562,7 @@ ftp_loop_internal (struct url *u, struct
+   else
+     {
+       /* URL-derived file.  Consider "-O file" name. */
+-      con->target = url_file_name (u, NULL);
++      con->target = url_file_name (opt.trustservernames || !original_url ? u : original_url, NULL);
+       if (!opt.output_document)
+         locf = con->target;
+       else
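Review bot: the condition in "con->target = url_file_name (opt.trustservernames || !original_url ? u : original_url, NULL);" reads correctly only because "||" binds tighter than "?:", so it picks the redirected URL u when --trust-server-names was given or no original URL was supplied, and the user's original URL otherwise; parenthesising the condition would make that reading obvious to whoever next backports this hunk. This is the line that closes CVE-2016-4971 on the plain-download path, since the local file name is now derived from the URL the user typed rather than from the FTP URL the server redirected to; the "!original_url" fallback also means any caller still passing NULL silently keeps the old behaviour, so the remaining hunks must thread original_url through every call chain into ftp_loop_internal.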
+@@ -1676,8 +1678,8 @@ ftp_loop_internal (struct url *u, struct
+ 
+       /* If we are working on a WARC record, getftp should also write
+          to the warc_tmp file. */
+-      err = getftp (u, len, &qtyread, restval, con, count, &last_expected_bytes,
+-                    warc_tmp);
++      err = getftp (u, original_url, len, &qtyread, restval, con, count,
++                    &last_expected_bytes, warc_tmp);
+ 
+       if (con->csock == -1)
+         con->st &= ~DONE_CWD;
+@@ -1830,7 +1832,8 @@ Removing file due to --delete-after in f
+ /* Return the directory listing in a reusable format.  The directory
+    is specifed in u->dir.  */
+ static uerr_t
+-ftp_get_listing (struct url *u, ccon *con, struct fileinfo **f)
++ftp_get_listing (struct url *u, struct url *original_url, ccon *con,
++                 struct fileinfo **f)
+ {
+   uerr_t err;
+   char *uf;                     /* url file name */
+@@ -1851,7 +1854,7 @@ ftp_get_listing (struct url *u, ccon *co
+ 
+   con->target = xstrdup (lf);
+   xfree (lf);
+-  err = ftp_loop_internal (u, NULL, con, NULL);
++  err = ftp_loop_internal (u, original_url, NULL, con, NULL);
+   lf = xstrdup (con->target);
+   xfree (con->target);
+   con->target = old_target;
+@@ -1874,8 +1877,9 @@ ftp_get_listing (struct url *u, ccon *co
+   return err;
+ }
+ 
+-static uerr_t ftp_retrieve_dirs (struct url *, struct fileinfo *, ccon *);
+-static uerr_t ftp_retrieve_glob (struct url *, ccon *, int);
++static uerr_t ftp_retrieve_dirs (struct url *, struct url *,
++                                 struct fileinfo *, ccon *);
++static uerr_t ftp_retrieve_glob (struct url *, struct url *, ccon *, int);
+ static struct fileinfo *delelement (struct fileinfo *, struct fileinfo **);
+ static void freefileinfo (struct fileinfo *f);
+ 
+@@ -1887,7 +1891,8 @@ static void freefileinfo (struct fileinf
+    If opt.recursive is set, after all files have been retrieved,
+    ftp_retrieve_dirs will be called to retrieve the directories.  */
+ static uerr_t
+-ftp_retrieve_list (struct url *u, struct fileinfo *f, ccon *con)
++ftp_retrieve_list (struct url *u, struct url *original_url,
++                   struct fileinfo *f, ccon *con)
+ {
+   static int depth = 0;
+   uerr_t err;
+@@ -2046,7 +2051,9 @@ Already have correct symlink %s -> %s\n\
+           else                /* opt.retr_symlinks */
+             {
+               if (dlthis)
+-                err = ftp_loop_internal (u, f, con, NULL);
++                {
++                  err = ftp_loop_internal (u, original_url, f, con, NULL);
++                }
+             } /* opt.retr_symlinks */
+           break;
+         case FT_DIRECTORY:
+@@ -2057,7 +2064,9 @@ Already have correct symlink %s -> %s\n\
+         case FT_PLAINFILE:
+           /* Call the retrieve loop.  */
+           if (dlthis)
+-            err = ftp_loop_internal (u, f, con, NULL);
++            {
++              err = ftp_loop_internal (u, original_url, f, con, NULL);
++            }
+           break;
+         case FT_UNKNOWN:
+           logprintf (LOG_NOTQUIET, _("%s: unknown/unsupported file type.\n"),
+@@ -2122,7 +2131,7 @@ Already have correct symlink %s -> %s\n\
+   /* We do not want to call ftp_retrieve_dirs here */
+   if (opt.recursive &&
+       !(opt.reclevel != INFINITE_RECURSION && depth >= opt.reclevel))
+-    err = ftp_retrieve_dirs (u, orig, con);
++    err = ftp_retrieve_dirs (u, original_url, orig, con);
+   else if (opt.recursive)
+     DEBUGP ((_("Will not retrieve dirs since depth is %d (max %d).\n"),
+              depth, opt.reclevel));
+@@ -2135,7 +2144,8 @@ Already have correct symlink %s -> %s\n\
+    ftp_retrieve_glob on each directory entry.  The function knows
+    about excluded directories.  */
+ static uerr_t
+-ftp_retrieve_dirs (struct url *u, struct fileinfo *f, ccon *con)
++ftp_retrieve_dirs (struct url *u, struct url *original_url,
++                   struct fileinfo *f, ccon *con)
+ {
+   char *container = NULL;
+   int container_size = 0;
+@@ -2185,7 +2195,7 @@ Not descending to %s as it is excluded/n
+       odir = xstrdup (u->dir);  /* because url_set_dir will free
+                                    u->dir. */
+       url_set_dir (u, newdir);
+-      ftp_retrieve_glob (u, con, GLOB_GETALL);
++      ftp_retrieve_glob (u, original_url, con, GLOB_GETALL);
+       url_set_dir (u, odir);
+       xfree (odir);
+ 
+@@ -2244,14 +2254,15 @@ is_invalid_entry (struct fileinfo *f)
+    GLOB_GLOBALL, use globbing; if it's GLOB_GETALL, download the whole
+    directory.  */
+ static uerr_t
+-ftp_retrieve_glob (struct url *u, ccon *con, int action)
++ftp_retrieve_glob (struct url *u, struct url *original_url,
++                   ccon *con, int action)
+ {
+   struct fileinfo *f, *start;
+   uerr_t res;
+ 
+   con->cmd |= LEAVE_PENDING;
+ 
+-  res = ftp_get_listing (u, con, &start);
++  res = ftp_get_listing (u, original_url, con, &start);
+   if (res != RETROK)
+     return res;
+   /* First: weed out that do not conform the global rules given in
+@@ -2347,7 +2358,7 @@ ftp_retrieve_glob (struct url *u, ccon *
+   if (start)
+     {
+       /* Just get everything.  */
+-      res = ftp_retrieve_list (u, start, con);
++      res = ftp_retrieve_list (u, original_url, start, con);
+     }
+   else
+     {
+@@ -2363,7 +2374,7 @@ ftp_retrieve_glob (struct url *u, ccon *
+         {
+           /* Let's try retrieving it anyway.  */
+           con->st |= ON_YOUR_OWN;
+-          res = ftp_loop_internal (u, NULL, con, NULL);
++          res = ftp_loop_internal (u, original_url, NULL, con, NULL);
+           return res;
+         }
+ 
+@@ -2383,8 +2394,8 @@ ftp_retrieve_glob (struct url *u, ccon *
+    of URL.  Inherently, its capabilities are limited on what can be
+    encoded into a URL.  */
+ uerr_t
+-ftp_loop (struct url *u, char **local_file, int *dt, struct url *proxy,
+-          bool recursive, bool glob)
++ftp_loop (struct url *u, struct url *original_url, char **local_file, int *dt,
++          struct url *proxy, bool recursive, bool glob)
+ {
+   ccon con;                     /* FTP connection */
+   uerr_t res;
+@@ -2405,16 +2416,17 @@ ftp_loop (struct url *u, char **local_fi
+   if (!*u->file && !recursive)
+     {
+       struct fileinfo *f;
+-      res = ftp_get_listing (u, &con, &f);
++      res = ftp_get_listing (u, original_url, &con, &f);
+ 
+       if (res == RETROK)
+         {
+           if (opt.htmlify && !opt.spider)
+             {
++              struct url *url_file = opt.trustservernames ? u : original_url;
+               char *filename = (opt.output_document
+                                 ? xstrdup (opt.output_document)
+                                 : (con.target ? xstrdup (con.target)
+-                                   : url_file_name (u, NULL)));
++                                   : url_file_name (url_file, NULL)));
+               res = ftp_index (filename, u, f);
+               if (res == FTPOK && opt.verbose)
+                 {
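Review bot: "struct url *url_file = opt.trustservernames ? u : original_url;" drops the "!original_url" guard that the ftp_loop_internal hunk uses, so with --trust-server-names off and a NULL original_url this would hand a NULL pointer to url_file_name. The only caller in this debdiff (retr.c) passes orig_parsed, so the case is not reachable today, but using the same expression as in ftp_loop_internal, "opt.trustservernames || !original_url ? u : original_url", keeps the two paths consistent and avoids a crash should a future caller pass NULL.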
+@@ -2459,11 +2471,13 @@ ftp_loop (struct url *u, char **local_fi
+           /* ftp_retrieve_glob is a catch-all function that gets called
+              if we need globbing, time-stamping, recursion or preserve
+              permissions.  Its third argument is just what we really need.  */
+-          res = ftp_retrieve_glob (u, &con,
++          res = ftp_retrieve_glob (u, original_url, &con,
+                                    ispattern ? GLOB_GLOBALL : GLOB_GETONE);
+         }
+       else
+-        res = ftp_loop_internal (u, NULL, &con, local_file);
++        {
++          res = ftp_loop_internal (u, original_url, NULL, &con, local_file);
++        }
+     }
+   if (res == FTPOK)
+     res = RETROK;
+--- a/src/ftp.h
++++ b/src/ftp.h
+@@ -152,7 +152,8 @@ enum wget_ftp_fstatus
+ };
+ 
+ struct fileinfo *ftp_parse_ls (const char *, const enum stype);
+-uerr_t ftp_loop (struct url *, char **, int *, struct url *, bool, bool);
++uerr_t ftp_loop (struct url *, struct url *, char **, int *, struct url *,
++                 bool, bool);
+ 
+ uerr_t ftp_index (const char *, struct url *, struct fileinfo *);
+ 
+--- a/src/retr.c
++++ b/src/retr.c
+@@ -803,7 +803,8 @@ retrieve_url (struct url * orig_parsed,
+       if (redirection_count)
+         oldrec = glob = false;
+ 
+-      result = ftp_loop (u, &local_file, dt, proxy_url, recursive, glob);
++      result = ftp_loop (u, orig_parsed, &local_file, dt, proxy_url,
++                         recursive, glob);
+       recursive = oldrec;
+ 
+       /* There is a possibility of having HTTP being redirected to
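Review bot: with this call site passing orig_parsed, every HTTP->FTP redirect now names the local file after the original URL unless --trust-server-names is given, which the 1.16-1+deb8u1 changelog of the accepted upload later in this thread calls a backward-incompatible change for scripts that relied on the redirected name, yet the debdiff touches only src/ftp.c, src/ftp.h and src/retr.c and carries no documentation or debian/NEWS update. A short debian/NEWS entry for this version, saying that scripts depending on the server-chosen FTP file name must pass --trust-server-names, would surface the change to administrators at upgrade time.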
diff -Nru wget-1.16/debian/patches/series wget-1.16/debian/patches/series
--- wget-1.16/debian/patches/series	2014-10-16 11:32:22.000000000 +0200
+++ wget-1.16/debian/patches/series	2016-06-30 21:24:14.000000000 +0200
@@ -1,4 +1,4 @@
 wget-doc-remove-usr-local-in-sample.wgetrc
 wget-doc-remove-usr-local-in-wget.texi
 wget-passive_ftp-default
-
+ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch
diff -Nru wget-1.16/debian/wget.debhelper.log wget-1.16/debian/wget.debhelper.log
--- wget-1.16/debian/wget.debhelper.log	2014-10-27 11:43:02.000000000 +0100
+++ wget-1.16/debian/wget.debhelper.log	2016-06-30 21:25:30.000000000 +0200
@@ -4,3 +4,5 @@
 dh_prep
 dh_prep
 dh_prep
+dh_prep
+dh_prep
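Review bot: the debian/wget.debhelper.log hunk is build residue rather than a source change (the file only grows by two more "dh_prep" lines per build) and should not ship in the debdiff; as the cover mail already proposes, switching the build target from dh_clean -k to dh_prep stops the log accumulating, and the accepted upload records exactly that as "debian/rules fixed clean target".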

--- End Message ---
--- Begin Message ---
Source: wget
Source-Version: 1.16-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <n...@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 04 Jul 2016 18:37:47 +0200
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.16-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Noël Köthe <n...@debian.org>
Changed-By: Noël Köthe <n...@debian.org>
Description:
 wget       - retrieves files from the web
Closes: 827003 829130
Changes:
 wget (1.16-1+deb8u1) jessie; urgency=medium
 .
   * added patch for CVE-2016-4971. closes: #827003, #829130
     By default, on server redirects to an FTP resource, use the original
     URL to get the local file name. Close CVE-2016-4971.  This
     introduces a backward-incompatibility for HTTP->FTP redirects and
     any script that relies on the old behaviour must use
     --trust-server-names.
   * debian/rules fixed clean target


--- End Message ---
