Bug 33327

Summary: wget new security issue CVE-2024-38428
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, fri, mageia, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-32-OK MGA9-64-OK
Source RPM: wget-1.21.4-1.mga9.src.rpm CVE: CVE-2024-38428
Status comment:

Description Nicolas Salguero 2024-06-24 16:34:56 CEST 
SUSE has issued an advisory on June 24:
https://lists.suse.com/pipermail/sle-updates/2024-June/035703.html

The fix is: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace

Mageia 9 is also affected.
Nicolas Salguero 2024-06-24 16:35:37 CEST

Status comment: (none) => Patch available from upstream
Source RPM: (none) => wget-1.21.4-1.mga9.src.rpm
CVE: (none) => CVE-2024-38428
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-06-24 16:41:17 CEST

Status comment: Patch available from upstream => Patch available from openSUSE and upstream

Comment 1 Marja Van Waes 2024-06-25 16:39:45 CEST 
Assigning to all packagers collectively, because wget has no registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-06-26 11:44:18 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. (CVE-2024-38428)

References:
https://lists.suse.com/pipermail/sle-updates/2024-June/035703.html
========================

Updated package in core/updates_testing:
========================
wget-1.21.4-1.1.mga9

from SRPM:
wget-1.21.4-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status comment: Patch available from openSUSE and upstream => (none)

Comment 3 PC LX 2024-06-26 19:26:05 CEST 
Installed and tested without issues.

Tested:
- http 1, 1.1 and 2;
- https with CA signed and self signed certificates;
- IPv4 and IPv6;
- ftp and ftps;
- user and password authentication.

All seems to work correctly.



System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics.



$ uname -a
Linux jupiter 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
$ rpm -q wget
wget-1.21.4-1.1.mga9

CC: (none) => mageia

Comment 4 Brian Rockwell 2024-06-26 19:28:35 CEST 
installed update

- ran updates through our gui utility against an ftp site, confirming the utility was using wget.   No issues.  All updates were successful.

CC: (none) => brtians1

Comment 5 Morgan Leijström 2024-06-26 19:56:59 CEST 
mga9-64 OK here

§ Downloaded files from an internet server, HTTPS

§ used drakrpm configured to use wget to install an app...


IMO, this need to be tested on 32 bit as well.

@Brian, what arch in comment 4?

CC: (none) => fri

Comment 6 katnatek 2024-06-26 20:30:47 CEST 
RH mageia 9 i586

rpm -q wget
wget-1.21.4-1.1.mga9

uninstall application am reinstall with urpmi --debug 
the output confirm the use of wget, the url of repository is https type

Works OK
katnatek 2024-06-26 20:38:12 CEST

Keywords: (none) => advisory

Comment 7 Brian Rockwell 2024-06-26 21:25:15 CEST 
(In reply to Morgan Leijström from comment #5)
> mga9-64 OK here
> 
> § Downloaded files from an internet server, HTTPS
> 
> § used drakrpm configured to use wget to install an app...
> 
> 
> IMO, this need to be tested on 32 bit as well.
> 
> @Brian, what arch in comment 4?

64-bit.  Good point - I'll test 32-bit later today.
Comment 8 Brian Rockwell 2024-06-26 22:45:25 CEST 
MGA9-32, Mate

$ uname -a
Linux localhost 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 18:40:36 UTC 2024 i686 GNU/Linux


updated wget

used it to install audacious and play some music.

Working

Whiteboard: (none) => MGA9-32-OK

Comment 9 Brian Rockwell 2024-06-26 22:45:50 CEST 
(In reply to Brian Rockwell from comment #8)
> MGA9-32, Mate
> 
> $ uname -a
> Linux localhost 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17
> 18:40:36 UTC 2024 i686 GNU/Linux
> 
> 
> updated wget
> 
> used it to install audacious and play some music.
> 
> Working

Note - I used wget against HTTP this time.
Comment 10 Brian Rockwell 2024-06-27 17:27:04 CEST 
I think this is good to move.

Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK

Comment 11 Morgan Leijström 2024-06-27 17:58:37 CEST 
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2024-06-27 19:13:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0240.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED