| Summary: | wget new security issue CVE-2018-0494 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lists.jjorge, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | wget-1.19.4-1.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.19.5 | ||
|
Description
David Walser
2018-05-08 16:00:41 CEST
David Walser
2018-05-08 16:01:01 CEST
Status comment:
(none) =>
Fixed upstream in 1.19.5 More details on the CVE issue: http://openwall.com/lists/oss-security/2018/05/06/1 Assigning to the registered maintainer. CC:
(none) =>
marja11 wget 1.19.5 pushed to MGA6 testing. Suggested advisory : Wget 1.19.5 fixes several security issues found by fuzzing as well as an additional issue that was assigned the CVE CVE-2018-0494. Ref: http://openwall.com/lists/oss-security/2018/05/06/1 SRPM: wget-1.19.5-1.mga6.srpm RPMS : wget-1.19.5-1.mga6.x86_64.rpm wget-1.19.5-1.mga6.i586.rpm Whiteboard:
MGA6TOO, MGA5TOO =>
MGA5TOO Patched Mageia 5 build added (just for the CVE): wget-1.15-5.4.mga5 from wget-1.15-5.4.mga5.src.rpm Debian has issued an advisory for this on May 8: https://www.debian.org/security/2018/dsa-4195 Advisory: ======================== Updated wget package fixes security vulnerability: Harry Sintonen discovered that wget does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values (CVE-2018-0494). The Mageia 6 package has been updated to version 1.19.5, which fixes this issue as well as other possible security issues found by fuzzing. The Mageia 5 package has been patched to fix CVE-2018-0494. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494 https://www.debian.org/security/2018/dsa-4195 Tested a simple http download. Whiteboard:
MGA5TOO =>
MGA5TOO MGA6-64-OK Testing M5/64: wget-1.15-5.4.mga5 This reference from c3 provides a thorough explanation and PoC (which is far too heavy for us, involving setting up a special web server): http://openwall.com/lists/oss-security/2018/05/06/1 So just checking it still works. Tried Len's example: https://bugs.mageia.org/show_bug.cgi?id=21947#c2 $ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21 The resulting local page is large & complete (if crudely formatted), but only the within-page links work - what you might expect with no wget qualifiers. Compare the original browsed directly. More rigorous: https://bugs.mageia.org/show_bug.cgi?id=18671#c14 $ mkdir Inkscape $ cd Inkscape $ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html -nH No Header [tavmjong.free.fr/] --cut-dirs=2 Cuts the 2 leading directories [INKSCAPE/MANUAL/] -r Recursive -k Adjust all links for local (off-line) viewing -p Load all Page requisites, pages are 'complete' -np No Parent, do not ascend into parent directory, descend only This creates 2 sub-directories: html, images. html/index.html is the entry point. Point a browser to it and browse the manual, here & there, especially near the end, to make sure it is all there, images included. $ cd .. $ rm -rf Inkscape OKing for M5. Advisory from comments 4 and 3. Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0244.html Resolution:
(none) =>
FIXED |