14386 – wget new security issue CVE-2014-4877

Bug 14386 - wget new security issue CVE-2014-4877

Summary: wget new security issue CVE-2014-4877

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/618320/
Whiteboard:	MGA3TOO has_procedure advisory mga3-3...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2014-10-27 12:51 CET by David Walser
Modified:	2014-10-28 20:27 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	wget-1.14-4.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-10-27 12:51:11 CET

A security issue fixed upstream in wget has been announced today (October 27):
http://openwall.com/lists/oss-security/2014/10/27/3

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves the
pointed-to file in such a retrieval. The old behaviour can be attained by
passing the --retr-symlinks=no option to the wget command.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
========================

Updated packages in core/updates_testing:
========================
wget-1.14-2.1.mga3
wget-1.14-4.1.mga4

from SRPMS:
wget-1.14-2.1.mga3.src.rpm
wget-1.14-4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:

David Walser 2014-10-27 12:51:17 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Oden Eriksson 2014-10-27 14:11:56 CET

FYI. I'm using http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c as well.

CC: (none) => oe

Comment 2 David Walser 2014-10-27 14:35:41 CET

Thanks, it looks like RedHat is doing the same (they just had a copy-paste error in their bug).  I've added it too.

Same advisory, just bumped the subrel.

Advisory:
========================

Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves the
pointed-to file in such a retrieval. The old behaviour can be attained by
passing the --retr-symlinks=no option to the wget command.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
https://bugzilla.redhat.com/show_bug.cgi?id=1139181
========================

Updated packages in core/updates_testing:
========================
wget-1.14-2.2.mga3
wget-1.14-4.2.mga4

from SRPMS:
wget-1.14-2.2.mga3.src.rpm
wget-1.14-4.2.mga4.src.rpm

Comment 3 claire robinson 2014-10-27 17:32:09 CET

Testing complete mga4 64

Just testing wget is still able to fetch files via ftp..

$ wget ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/wget-1.14-4.2.mga4.x86_64.rpm
--2014-10-27 16:31:27--  ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/wget-1.14-4.2.mga4.x86_64.rpm
           => âwget-1.14-4.2.mga4.x86_64.rpmâ
Resolving distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)... 134.157.176.20
Connecting to distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)|134.157.176.20|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing ... done.
==> SIZE wget-1.14-4.2.mga4.x86_64.rpm ... 507304
==> PASV ... done.    ==> RETR wget-1.14-4.2.mga4.x86_64.rpm ... done.
Length: 507304 (495K) (unauthoritative)

100%[===================================================================================>] 507,304      717KB/s   in 0.7s   

2014-10-27 16:31:28 (717 KB/s) - âwget-1.14-4.2.mga4.x86_64.rpmâ saved [507304]

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 4 claire robinson 2014-10-27 17:36:47 CET

Testing complete mga3 32 & 64 and mga4 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-10-27 17:40:10 CET

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-10-28 12:34:19 CET

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0431.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-28 20:27:51 CET

URL: (none) => http://lwn.net/Vulnerabilities/618320/

Note You need to log in before you can comment on or make changes to this bug.