Bug 20613

Summary: wget new security issue CVE-2017-6508
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lists.jjorge, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Source RPM: wget-1.19.1-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-04-01 03:03:01 CEST 
openSUSE has issued an advisory today (March 31):
https://lists.opensuse.org/opensuse-updates/2017-03/msg00113.html
David Walser 2017-04-01 03:03:10 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-01 15:08:56 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 José Jorge 2017-04-02 22:08:13 CEST 
I have registered as maintainer, so I'll take this one.

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge

Comment 3 José Jorge 2017-04-02 22:27:21 CEST 
Pushed to cauldron.
Comment 4 José Jorge 2017-04-02 22:51:23 CEST 
Same patch used for 1.15 version in MGA5

Suggested Advisory :

Wget till version 1.19.1 does not ensure no control characters are used in the url. This security update reject control characters in host part of URL.

Ref : https://nvd.nist.gov/vuln/detail/CVE-2017-6508


RPMS: only one i586 x86_64 and SRPM in core/updates_testing

wget-1.15-5.2.mga5

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 5 Dave Hodgins 2017-04-03 22:56:01 CEST 
Mageia 5 x86_64.
From http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
Before the update ...
$ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
--2017-04-03 16:47:06--  http://[127.0.0.1%0D%0Acookie:%20hi%0A]/
Resolving 127.0.0.1\r\ncookie: hi\n (127.0.0.1\r\ncookie: hi\n)... 127.0.0.1
Connecting to 127.0.0.1
cookie: hi
 (127.0.0.1
cookie: hi
)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2017-04-03 16:47:06 ERROR 400: Bad Request.

With the update ...
$ wget 'http://127.0.0.1%0d%0aCookie%3a hi%0a/'
http://127.0.0.1%0d%0aCookie%3a hi%0a/: Invalid host name.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA5-64-OK advisory

Dave Hodgins 2017-04-03 23:00:18 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-04-04 08:45:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0104.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED