Wget 1.18 has been released today (June 9). It fixes a security issue, which is listed in the NEWS file. Here is the full entry for 1.18: * By default, on server redirects to a FTP resource, use the original URL to get the local file name. Close CVE-2016-4971. This introduces a backward-incompatibility for HTTP->FTP redirects and any script that relies on the old behaviour must use --trust-server-names. * Check the HSTS file is not world-writable before using it. * Parse <img srcset> attributes on a recursive download. * Fix problem with SNI server names having trailing dot(s) * New options --bind-dns-address and --dns-servers. * When Wget is built with libiconv, it now converts non-ASCII URIs to the locale's codeset when it creates files. The encoding of the remote files and URIs is taken from --remote-encoding, defaulting to UTF-8. The result is that non-ASCII URIs and files downloaded via HTTP/HTTPS and FTP will have names on the local filesystem that correspond to their remote names. The wget 1.18 update is checked into Cauldron SVN. Mageia 5 is probably also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no maintainer for this package.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
wget-1.18-1.mga6 uploaded for Cauldron.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Fedora has issued an advisory for this on June 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J5ZK7PPOISSBFIAIJP6AV6CDYCCBTL6G/
URL: (none) => http://lwn.net/Vulnerabilities/692024/
Ubuntu has issued an advisory for this on June 20: http://www.ubuntu.com/usn/usn-3012-1 They have backported patches.
Created attachment 8061 [details] Patch from Ubuntu for wget 1.15 Will try to take care of this one
CC: (none) => makowski.mageia
Assignee: pkg-bugs => makowski.mageia
If i apply the Ubuntu patch, build fail with : gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"/etc/wgetrc\" -DLOCALEDIR=\"/usr/share/locale\" -I. -I../lib -I../lib -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fPIC -MT iri.o -MD -MP -MF .deps/iri.Tpo -c -o iri.o iri.c iri.c: In function 'idn_encode': iri.c:268:23: error: 'utf8_encoded' undeclared (first use in this function) if (!_utf8_is_valid(utf8_encoded ? utf8_encoded : host)) ^ iri.c:268:23: note: each undeclared identifier is reported only once for each function it appears in And I don't understand why
Assignee: makowski.mageia => pkg-bugs
Hi, The problem does not come from that patch but from wget-1.15-CVE-2015-2059.patch. If you remove that patch, the compilation succeeds but I had an error on test Test-ftp-iri-fallback.px when I tried to build the new package locally. Best regards, Nico.
CC: (none) => nicolas.salguero
Details on this one are finally public: http://openwall.com/lists/oss-security/2016/07/09/5
CC: makowski.mageia => (none)
Philippe, the build error is because of a patch I had added in SVN to mitigate a security issue in libidn that has since been fixed. I dropped that patch. Now wget builds, but fails with a test suite failure: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160721232654.luigiwalser.duvel.11832/log/wget-1.15-5.1.mga5/build.0.20160721232702.log I wonder if this is actually related to libidn, since it seems to fail on a file with a UTF-8 character in its file name. Future advisory below. Advisory: ======================== Updated wget package fixes security vulnerability: GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 http://www.ubuntu.com/usn/usn-3012-1 ======================== Updated packages in core/updates_testing: ======================== wget-1.15-5.1.mga5 from wget-1.15-5.1.mga5.src.rpm
Test-ftp-iri-fallback is the one that fails, and there are other tests using the same file name that pass, so I doubt it's a libidn issue. It fails the same way with 1.32 or 1.33.
openSUSE has issued an advisory on September 10: https://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html They fixed a new security issue, CVE-2016-7098: http://lwn.net/Vulnerabilities/700395/ They also issued an advisory for CVE-2016-4971 on September 9: https://lists.opensuse.org/opensuse-updates/2016-09/msg00041.html Their patch only differs from ours in one place, but I tried building with their patch and we get the same test failure as before.
Summary: wget new security issue CVE-2016-4971 => wget new security issues CVE-2016-4971 and CVE-2016-7098
CVE-2016-7098 fixed in Cauldron and patch committed in Mageia 5 SVN. I noticed that openSUSE has make check disabled. Maybe we should do the same.
Given that OpenSUSE disabled make check and that we already did that in Cauldron, I did it in Mga5 too. Suggested advisory: ======================== The updated wget package fixes security vulnerabilities: GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE-2016-4971). Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only (CVE-2016-7098). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 http://www.ubuntu.com/usn/usn-3012-1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098 https://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html ======================== Updated packages in core/updates_testing: ======================== i586: wget-1.15-5.1.mga5.i586.rpm x86_64: wget-1.15-5.1.mga5.x86_64.rpm Source RPMs: wget-1.15-5.1.mga5.src.rpm
Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsSource RPM: wget-1.17.1-2.mga6.src.rpm => wget-1.15-5.mga5.src.rpm
Testing M5 x64 Updated wget to: wget-1.15-5.1.mga5 There may be simpler tests, but this one really hammers wget; it downloads the entire (& brilliant) Inkscape manual for local viewing. $ mkdir Inkscape $ cd Inkscape/ $ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html -nH No Header [tavmjong.free.fr/] --cut-dirs=2 Cuts the 2 leading directories [INKSCAPE/MANUAL/] -r Recursive -k Adjust all links for local (off-line) viewing -p Load all Page requisites, pages are 'complete' -np No Parent, do not ascend into parent directory, descend only This creates 2 sub-directories: html, images. html/index.html is the entry point. Point a browser to it '.../Inkscape/html/index.html' and browse the manual, here & there, especially near the end, to make sure it is all there. $ chdir .. $ rmdir -rf Inkscape [but if you use Inkscape - keep it!] This update OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA5-64-OK
(In reply to Lewis Smith from comment #14) > $ rmdir -rf Inkscape [but if you use Inkscape - keep it!] OOPS! Should be $ rm -rf Inkscape
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0323.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED