Bug#829130: marked as done (jessie-pu: package wget/1.16-1+deb8u1)

2016-09-17 Thread Debian Bug Tracking System
Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #829130,
regarding jessie-pu: package wget/1.16-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
829130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829130
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi stable release managers,

wget in stable is affected by CVE-2016-4971, an issue where wget does
not correctly handle filenames when being redirected from an HTTP to an
FTP URL. We think that this does not necessarily need a DSA, but still
would be good to be fixed in stable. I thus have prepared a debdiff,
attached. Bug in BTS is #827003.

The debdiff contains an increasing debian/wget.debhelper.log.

If you allow me to, I can prepare a new debdiff, to clean this up as
well, by using dh_prep instead of dh_clean -k for the build target.
Would that be fine?

But attached is the debdiff without that packaging change.

Regards,
Salvatore
diff -Nru wget-1.16/debian/changelog wget-1.16/debian/changelog
--- wget-1.16/debian/changelog	2014-10-27 11:41:18.0 +0100
+++ wget-1.16/debian/changelog	2016-06-30 21:24:14.0 +0200
@@ -1,3 +1,11 @@
+wget (1.16-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-4971: Lack of filename checking allows arbitrary file upload via
+FTP redirect (Closes: #827003)
+
+ -- Salvatore Bonaccorso   Thu, 30 Jun 2016 21:18:47 +0200
+
 wget (1.16-1) unstable; urgency=medium
 
   * new upstream release from 2014-10-27
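Review bot: the CVE-2016-4971 summary in the new changelog entry, "arbitrary file upload", describes the issue from the wrong side; per the patch Description below, the server-chosen file name from the FTP redirect target was used as the local destination, so "arbitrary local file write via a server-chosen filename on an HTTP->FTP redirect" would be accurate. Closing only #827003 here, and not the release.debian.org request itself, is the right thing to do, as the later reply in this thread confirms.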
diff -Nru wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch
--- wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch	1970-01-01 01:00:00.0 +0100
+++ wget-1.16/debian/patches/ftp-understand-trust-server-names-on-a-HTTP-FTP-redi.patch	2016-06-30 21:24:14.0 +0200
@@ -0,0 +1,270 @@
+Description: ftp: understand --trust-server-names on a HTTP->FTP redirect
+ If not --trust-server-names is used, FTP will also get the destination
+ file name from the original url specified by the user instead of the
+ redirected url.  Closes CVE-2016-4971.
+Origin: backport, http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
+Bug-Debian: https://bugs.debian.org/827003
+Forwarded: not-needed
+Author: Giuseppe Scrivano 
+Reviewed-by: Salvatore Bonaccorso 
+Last-Update: 2016-06-30
+Applied-Upstream: 1.18
+---
+
+--- a/src/ftp.c
 b/src/ftp.c
+@@ -235,14 +235,15 @@ print_length (wgint size, wgint start, b
+   logputs (LOG_VERBOSE, !authoritative ? _(" (unauthoritative)\n") : "\n");
+ }
+ 
+-static uerr_t ftp_get_listing (struct url *, ccon *, struct fileinfo **);
++static uerr_t ftp_get_listing (struct url *, struct url *, ccon *, struct fileinfo **);
+ 
+ /* Retrieves a file with denoted parameters through opening an FTP
+connection to the server.  It always closes the data connection,
+and closes the control connection in case of error.  If warc_tmp
+is non-NULL, the downloaded data will be written there as well.  */
+ static uerr_t
+-getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread,
++getftp (struct url *u, struct url *original_url,
++wgint passed_expected_bytes, wgint *qtyread,
+ wgint restval, ccon *con, int count, wgint *last_expected_bytes,
+ FILE *warc_tmp)
+ {
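Review bot: the comment block above getftp ("Retrieves a file with denoted parameters ...") is not updated for the new `original_url` parameter; document that it is the URL the user supplied before any redirect and that, unless --trust-server-names is set, the local file name is derived from it rather than from `u`, as the patch Description states. Changing the ftp_get_listing prototype and the getftp signature means every caller has to be updated in this same patch or the build breaks; only the call in the @@ -992 hunk is visible in this excerpt. Also, the ` b/src/ftp.c` line right after `+--- a/src/ftp.c` has lost its `++++` prefix as pasted here, so confirm the patch file inside the actual debdiff is intact, since quilt needs that header line to apply it.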
+@@ -992,7 +993,7 @@ Error in server response, closing contro
+ {
+   bool exists = false;
+   struct fileinfo *f;
+-  uerr_t _res = ftp_get_listing (u, con, &f);
++  uerr_t _res = ftp_get_listing (u, original_url, con, &f);
+   /* Set the DO_RETR command flag again, because it gets unset when
+  calling ftp_get_listing() and would otherwise cause an assertion
+  failure earlier on when this function gets repeatedly called
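Review bot: forwarding `original_url` into ftp_get_listing means the listing code now needs a defined answer when `original_url` is NULL (a direct ftp:// fetch with no redirect); the fallback to `u` for that case is not in this excerpt and should be checked in the remainder of the patch before it is accepted.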
+@@ -1536,7 +1537,8 @@ Error in server response, closing contro
+This loop either gets commands from con, or (if ON_YOUR_OWN is
+set), makes them up to retrieve the file given by the URL.  */
+ static uerr_t
+-ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con, char **local_file)
++ftp_loop_internal (struct url *u, struct url *original_url, struct fileinfo *f,
++   cco
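Review bot: this hunk is cut off in the pasted copy after `cco` (the continuation of the new ftp_loop_internal signature), so the part of the patch that actually selects the destination name from `original_url` when --trust-server-names is unset, which the Description header promises, cannot be reviewed from this excerpt; compare the full debian/patches file in the debdiff against the upstream commit cited in its Origin line.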
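The file-name rule the patch header describes (name taken from the original URL unless --trust-server-names is set, now for FTP redirect targets as well as HTTP ones), as an added Python example that is not part of the debdiff or of wget itself; the sample URLs are constructed and the index.html fallback is an assumption about wget's default:

```python
"""Local file name choice on an HTTP->FTP redirect, modelled on the behaviour the
CVE-2016-4971 patch header describes. Added example; not wget's own code."""
from urllib.parse import urlsplit
import posixpath

# Assumption: wget's default name for a URL with no file component is "index.html";
# FTP directory URLs take wget's listing path instead, which is not modelled here.
DEFAULT_NAME = "index.html"


def basename_of(url: str) -> str:
    """Last path component of URL, so no directory part chosen by a server survives."""
    name = posixpath.basename(urlsplit(url).path)
    return name or DEFAULT_NAME


def local_filename(original_url: str, redirected_url: str,
                   trust_server_names: bool) -> str:
    """Fixed behaviour (upstream 1.18, Debian 1.16-1+deb8u1): the redirect target
    only names the local file when --trust-server-names was given; otherwise the
    name comes from the URL the user typed, for FTP targets as well as HTTP."""
    source = redirected_url if trust_server_names else original_url
    return basename_of(source)


def local_filename_before_fix(original_url: str, redirected_url: str,
                              trust_server_names: bool) -> str:
    """Pre-fix behaviour as the patch header describes it: an FTP redirect target
    always supplied the destination name, regardless of the option."""
    if urlsplit(redirected_url).scheme == "ftp":
        return basename_of(redirected_url)
    return local_filename(original_url, redirected_url, trust_server_names)


if __name__ == "__main__":
    # Constructed sample: the user asked for report.pdf and the HTTP server
    # answered with a redirect to an FTP URL carrying a different file name.
    requested = "http://www.example.org/pub/report.pdf"
    redirect = "ftp://ftp.example.net/incoming/other-name.bin"
    for trust in (False, True):
        print(f"trust_server_names={trust}: "
              f"before={local_filename_before_fix(requested, redirect, trust)!r} "
              f"after={local_filename(requested, redirect, trust)!r}")
```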

Processed: Re: Bug#829130: marked as done (jessie-pu: package wget/1.16-1+deb8u1)

2016-07-08 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #829130 {Done: Noël Köthe } [release.debian.org] 
jessie-pu: package wget/1.16-1+deb8u1
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions wget/1.16-1+deb8u1.

-- 
829130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829130
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#829130: marked as done (jessie-pu: package wget/1.16-1+deb8u1)

2016-07-08 Thread Adam D. Barratt
Control: reopen -1

On Fri, 2016-07-08 at 11:51 +, Debian Bug Tracking System wrote:
>  wget (1.16-1+deb8u1) jessie; urgency=medium
>  .
>* added patch for CVE-2016-4971. closes: #827003, #829130

Apologies for not having spotted it before, but please don't do that.

The release.debian.org bug is closed once a point release occurs and the
package is actually in stable, not by your upload.

Regards,

Adam



Bug#829130: marked as done (jessie-pu: package wget/1.16-1+deb8u1)

2016-07-08 Thread Debian Bug Tracking System
Your message dated Fri, 08 Jul 2016 11:47:09 +
with message-id 
and subject line Bug#829130: fixed in wget 1.16-1+deb8u1
has caused the Debian Bug report #829130,
regarding jessie-pu: package wget/1.16-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
829130: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829130
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems