--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package wget/1.16-1+deb8u2
- From: Noël Köthe <noel@debian.org>
- Date: Sat, 18 Mar 2017 18:44:55 +0100
- Message-id: <148985909588.24088.12457009829292747150.reportbug@pro.example.org>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
wget 1.16-1+deb8u2 fixes CVE-2017-6508 (no-dsa) with the upstream patch.
https://security-tracker.debian.org/tracker/CVE-2017-6508
The update is included in sid and unblocked for stretch (#858118) today.
I prepared the jessie upload with pbuilder and the debdiff is:
$ debdiff wget_1.16-1+deb8u1.dsc wget_1.16-1+deb8u2.dsc
dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/nk/debian/wget/wget-jessie/wget_1.16-1+deb8u2.dsc)
diff -Nru wget-1.16/debian/changelog wget-1.16/debian/changelog
--- wget-1.16/debian/changelog 2016-07-05 16:21:21.000000000 +0200
+++ wget-1.16/debian/changelog 2017-03-18 15:39:29.000000000 +0100
@@ -1,3 +1,9 @@
+wget (1.16-1+deb8u2) jessie; urgency=medium
+
+ * added upstream patch to fix CVE-2017-6508 closes: Bug#857073
+
+ -- Noël Köthe <noel@debian.org> Sat, 18 Mar 2017 15:39:29 +0100
+
wget (1.16-1+deb8u1) jessie; urgency=medium
* added patch for CVE-2016-4971. closes: #827003, #829130
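Review bot: the new entry only names the CVE id; since the bundled patch's own commit message describes the fix as "Fix CRLF injection in Wget host part", carrying that into the changelog (e.g. `* Add upstream patch to fix CVE-2017-6508 (CRLF injection in URL host part). Closes: #857073`) makes the stable changelog self-describing and matches the `closes: #NNNNNN` form the previous `1.16-1+deb8u1` entry uses instead of `closes: Bug#857073`. Consistency point only; the content of the hunk is otherwise correct.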
diff -Nru wget-1.16/debian/patches/CVE-2017-6508.patch wget-1.16/debian/patches/CVE-2017-6508.patch
--- wget-1.16/debian/patches/CVE-2017-6508.patch 1970-01-01 01:00:00.000000000 +0100
+++ wget-1.16/debian/patches/CVE-2017-6508.patch 2017-03-18 15:39:29.000000000 +0100
@@ -0,0 +1,32 @@
+commit 4d729e322fae359a1aefaafec1144764a54e8ad4
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Mon Mar 6 10:04:22 2017 +0100
+
+ Fix CRLF injection in Wget host part
+
+ * src/url.c (url_parse): Reject control characters in host part of URL
+
+ Reported-by: Orange Tsai
+
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b8..7d36b27d 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
+ url_unescape (u->host);
+ host_modified = true;
+
++ /* check for invalid control characters in host name */
++ for (p = u->host; *p; p++)
++ {
++ if (c_iscntrl(*p))
++ {
++ url_free(u);
++ error_code = PE_INVALID_HOST_NAME;
++ goto error;
++ }
++ }
++
+ /* Apply IDNA regardless of iri->utf8_encode status */
+ if (opt.enable_iri && iri)
+ {
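Review bot: the new patch file carries only the upstream commit header and no DEP-3 metadata; adding `Origin: upstream` with the commit reference, `Bug-Debian: https://bugs.debian.org/857073` (the bug the changelog closes) and a one-line `Description:` would let the stable team trace the backport without opening the changelog. On the code: the loop sits after `url_unescape (u->host)`, so percent-encoded CR/LF in the host is rejected as well as the literal characters, which is the right ordering. Two points worth confirming for the 1.16 backport, since the hunk was cut against a newer tree (`index 8f8ff0b8..7d36b27d`): that `p`, `error_code`, the `error` label and `PE_INVALID_HOST_NAME` all exist in jessie's `src/url.c` at this spot (the pbuilder build succeeding suggests they do), and that `c_iscntrl(*p)` with a possibly signed `char` does not misclassify non-ASCII bytes in an IRI host name, since the IDNA handling in the following context lines (`opt.enable_iri && iri`) is meant to accept those; a quick fetch of a UTF-8 host name with IRI support enabled would settle it.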
diff -Nru wget-1.16/debian/patches/series wget-1.16/debian/patches/series
--- wget-1.16/debian/patches/series 2016-06-30 17:21:45.000000000 +0200
+++ wget-1.16/debian/patches/series 2017-03-18 15:39:29.000000000 +0100
@@ -2,4 +2,4 @@
wget-doc-remove-usr-local-in-wget.texi
wget-passive_ftp-default
wget-CVE-2016-4971.patch
-
+CVE-2017-6508.patch
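Review bot: the new entry's name is inconsistent with the existing `wget-CVE-2016-4971.patch` directly above it; naming the file `wget-CVE-2017-6508.patch` (in `debian/patches/` and here) keeps the series uniform. The removed `-` line is only the trailing blank line, so the three earlier patches still apply unchanged before the new one.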
If this is OK for you, I would upload it.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---