Upstream has released version 1.19.5 on May 6: http://lists.gnu.org/archive/html/bug-wget/2018-05/msg00020.html It fixes several security issues found by fuzzing as well as an additional issue that was assigned a CVE. Mageia 5 and Mageia 6 are also affected.
Status comment: (none) => Fixed upstream in 1.19.5Whiteboard: (none) => MGA6TOO, MGA5TOO
More details on the CVE issue: http://openwall.com/lists/oss-security/2018/05/06/1
Assigning to the registered maintainer.
CC: (none) => marja11Assignee: bugsquad => lists.jjorge
wget 1.19.5 pushed to MGA6 testing. Suggested advisory : Wget 1.19.5 fixes several security issues found by fuzzing as well as an additional issue that was assigned the CVE CVE-2018-0494. Ref: http://openwall.com/lists/oss-security/2018/05/06/1 SRPM: wget-1.19.5-1.mga6.srpm RPMS : wget-1.19.5-1.mga6.x86_64.rpm wget-1.19.5-1.mga6.i586.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOCC: (none) => lists.jjorgeVersion: Cauldron => 6Status: NEW => ASSIGNEDAssignee: lists.jjorge => qa-bugs
Patched Mageia 5 build added (just for the CVE): wget-1.15-5.4.mga5 from wget-1.15-5.4.mga5.src.rpm Debian has issued an advisory for this on May 8: https://www.debian.org/security/2018/dsa-4195 Advisory: ======================== Updated wget package fixes security vulnerability: Harry Sintonen discovered that wget does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values (CVE-2018-0494). The Mageia 6 package has been updated to version 1.19.5, which fixes this issue as well as other possible security issues found by fuzzing. The Mageia 5 package has been patched to fix CVE-2018-0494. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494 https://www.debian.org/security/2018/dsa-4195
Tested a simple http download.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing M5/64: wget-1.15-5.4.mga5 This reference from c3 provides a thorough explanation and PoC (which is far too heavy for us, involving setting up a special web server): http://openwall.com/lists/oss-security/2018/05/06/1 So just checking it still works. Tried Len's example: https://bugs.mageia.org/show_bug.cgi?id=21947#c2 $ wget http://www.dd-wrt.com/wiki/index.php/Supported_Devices#Read_Me_First.21 The resulting local page is large & complete (if crudely formatted), but only the within-page links work - what you might expect with no wget qualifiers. Compare the original browsed directly. More rigorous: https://bugs.mageia.org/show_bug.cgi?id=18671#c14 $ mkdir Inkscape $ cd Inkscape $ wget -nH --cut-dirs=2 -r -k -p -np http://tavmjong.free.fr/INKSCAPE/MANUAL/html/index.html -nH No Header [tavmjong.free.fr/] --cut-dirs=2 Cuts the 2 leading directories [INKSCAPE/MANUAL/] -r Recursive -k Adjust all links for local (off-line) viewing -p Load all Page requisites, pages are 'complete' -np No Parent, do not ascend into parent directory, descend only This creates 2 sub-directories: html, images. html/index.html is the entry point. Point a browser to it and browse the manual, here & there, especially near the end, to make sure it is all there, images included. $ cd .. $ rm -rf Inkscape OKing for M5. Advisory from comments 4 and 3.
Keywords: (none) => advisory, validated_updateWhiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0244.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED