Bug 18671

Summary: wget new security issues CVE-2016-4971 and CVE-2016-7098
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, marja11, nicolas.salguero, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/692024/
Whiteboard: MGA5-64-OK advisory
Source RPM: wget-1.15-5.mga5.src.rpm CVE:
Status comment:
Attachments: Patch from Ubuntu for wget 1.15

Description David Walser 2016-06-09 23:23:26 CEST 
Wget 1.18 has been released today (June 9).  It fixes a security issue, which is listed in the NEWS file.  Here is the full entry for 1.18:

* By default, on server redirects to a FTP resource, use the original
  URL to get the local file name. Close CVE-2016-4971.  This
  introduces a backward-incompatibility for HTTP->FTP redirects and
  any script that relies on the old  behaviour must use
  --trust-server-names.

* Check the HSTS file is not world-writable before using it.

* Parse <img srcset> attributes on a recursive download.

* Fix problem with SNI server names having trailing dot(s)

* New options --bind-dns-address and --dns-servers.

* When Wget is built with libiconv, it now converts non-ASCII URIs to
  the locale's codeset when it creates files.  The encoding of the
  remote files and URIs is taken from --remote-encoding, defaulting to
  UTF-8.  The result is that non-ASCII URIs and files downloaded via
  HTTP/HTTPS and FTP will have names on the local filesystem that
  correspond to their remote names.


The wget 1.18 update is checked into Cauldron SVN.  Mageia 5 is probably also affected.
David Walser 2016-06-09 23:23:32 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-06-10 11:43:07 CEST 
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-06-11 00:19:43 CEST 
wget-1.18-1.mga6 uploaded for Cauldron.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-06-20 19:30:25 CEST 
Fedora has issued an advisory for this on June 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J5ZK7PPOISSBFIAIJP6AV6CDYCCBTL6G/

URL: (none) => http://lwn.net/Vulnerabilities/692024/

Comment 4 David Walser 2016-06-22 01:03:46 CEST 
Ubuntu has issued an advisory for this on June 20:
http://www.ubuntu.com/usn/usn-3012-1

They have backported patches.
Comment 5 Philippe Makowski 2016-06-24 01:10:14 CEST 
Created attachment 8061 [details]
Patch from Ubuntu for wget 1.15

Will try to take care of this one

CC: (none) => makowski.mageia

Philippe Makowski 2016-06-24 01:10:43 CEST

Assignee: pkg-bugs => makowski.mageia

Comment 6 Philippe Makowski 2016-06-26 18:35:30 CEST 
If i apply the Ubuntu patch, build fail with :

gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"/etc/wgetrc\" -DLOCALEDIR=\"/usr/share/locale\" -I.  -I../lib -I../lib   -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fPIC -MT iri.o -MD -MP -MF .deps/iri.Tpo -c -o iri.o iri.c
iri.c: In function 'idn_encode':
iri.c:268:23: error: 'utf8_encoded' undeclared (first use in this function)
   if (!_utf8_is_valid(utf8_encoded ? utf8_encoded : host))
                       ^
iri.c:268:23: note: each undeclared identifier is reported only once for each function it appears in

And I don't understand why

Assignee: makowski.mageia => pkg-bugs

Comment 7 Nicolas Salguero 2016-07-01 12:03:41 CEST 
Hi,

The problem does not come from that patch but from wget-1.15-CVE-2015-2059.patch.  If you remove that patch, the compilation succeeds but I had an error on test Test-ftp-iri-fallback.px when I tried to build the new package locally.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 8 David Walser 2016-07-11 13:27:06 CEST 
Details on this one are finally public:
http://openwall.com/lists/oss-security/2016/07/09/5
Philippe Makowski 2016-07-11 16:05:05 CEST

CC: makowski.mageia => (none)

Comment 9 David Walser 2016-07-22 01:37:18 CEST 
Philippe, the build error is because of a patch I had added in SVN to mitigate a security issue in libidn that has since been fixed.  I dropped that patch.  Now wget builds, but fails with a test suite failure:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160721232654.luigiwalser.duvel.11832/log/wget-1.15-5.1.mga5/build.0.20160721232702.log

I wonder if this is actually related to libidn, since it seems to fail on a file with a UTF-8 character in its file name.

Future advisory below.

Advisory:
========================

Updated wget package fixes security vulnerability:

GNU wget before 1.18 allows remote servers to write to arbitrary files by
redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
http://www.ubuntu.com/usn/usn-3012-1
========================

Updated packages in core/updates_testing:
========================
wget-1.15-5.1.mga5

from wget-1.15-5.1.mga5.src.rpm
Comment 10 David Walser 2016-07-23 04:03:51 CEST 
Test-ftp-iri-fallback is the one that fails, and there are other tests using the same file name that pass, so I doubt it's a libidn issue.  It fails the same way with 1.32 or 1.33.
Comment 11 David Walser 2016-09-12 22:15:33 CEST 
openSUSE has issued an advisory on September 10:
https://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html

They fixed a new security issue, CVE-2016-7098:
http://lwn.net/Vulnerabilities/700395/

They also issued an advisory for CVE-2016-4971 on September 9:
https://lists.opensuse.org/opensuse-updates/2016-09/msg00041.html

Their patch only differs from ours in one place, but I tried building with their patch and we get the same test failure as before.

Summary: wget new security issue CVE-2016-4971 => wget new security issues CVE-2016-4971 and CVE-2016-7098

Comment 12 David Walser 2016-09-13 01:54:38 CEST 
CVE-2016-7098 fixed in Cauldron and patch committed in Mageia 5 SVN.

I noticed that openSUSE has make check disabled.  Maybe we should do the same.
Comment 13 Nicolas Salguero 2016-09-22 09:37:54 CEST 
Given that OpenSUSE disabled make check and that we already did that in Cauldron, I did it in Mga5 too.

Suggested advisory:
========================

The updated wget package fixes security vulnerabilities:

GNU wget before 1.18 allows remote servers to write to arbitrary files by
redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971).

Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only (CVE-2016-7098).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
http://www.ubuntu.com/usn/usn-3012-1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098
https://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
========================

Updated packages in core/updates_testing:
========================
i586:
wget-1.15-5.1.mga5.i586.rpm

x86_64:
wget-1.15-5.1.mga5.x86_64.rpm

Source RPMs:
wget-1.15-5.1.mga5.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: wget-1.17.1-2.mga6.src.rpm => wget-1.15-5.mga5.src.rpm

Comment 14 Lewis Smith 2016-09-23 21:06:57 CEST 
Testing M5 x64
Updated wget to:  wget-1.15-5.1.mga5

There may be simpler tests, but this one really hammers wget; it downloads the entire (& brilliant) Inkscape manual for local viewing.

 $ mkdir Inkscape
 $ cd Inkscape/
 $ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html
 -nH          No Header [tavmjong.free.fr/]
 --cut-dirs=2 Cuts the 2 leading directories [INKSCAPE/MANUAL/]
 -r           Recursive
 -k           Adjust all links for local (off-line) viewing
 -p           Load all Page requisites, pages are 'complete'
 -np          No Parent, do not ascend into parent directory, descend only

This creates 2 sub-directories: html, images. html/index.html is the entry point. Point a browser to it '.../Inkscape/html/index.html' and browse the manual, here & there, especially near the end, to make sure it is all there.

 $ chdir ..
 $ rmdir -rf Inkscape      [but if you use Inkscape - keep it!]

This update OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 15 Lewis Smith 2016-09-23 21:10:29 CEST 
(In reply to Lewis Smith from comment #14)
>  $ rmdir -rf Inkscape      [but if you use Inkscape - keep it!]
OOPS! Should be
 $ rm -rf Inkscape
Dave Hodgins 2016-09-28 04:00:42 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 16 Mageia Robot 2016-09-28 08:00:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0323.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED