
Re: wget for sarge update



* Colin Watson:

> On Sat, Oct 02, 2004 at 02:59:13PM +0200, Noèl Köthe wrote:
>> wget <= 1.9.1-4 (which is in sarge and frozen) had a security problem
>> (#261755) which is fixed in -6 and -7 (right now in incoming). -5 had
>> the first fixing patch but was not multibyte aware (#271931).
>> Jan Minar <jjminar fastmail.fm> wrote the fixing patches (Thanks!).
>> Upstream author doesn't respond to this and other things/mails for
>> weeks, so right now he is MIA. :(
>
>   <mdz> Kamion: I think it's silly
>   <mdz> Jan Minar has filed a bunch of similar bugs
>   <mdz> I'm waiting for the one against cat(1)
>   <mdz> where it will allow arbitrary characters to be displayed on the terminal
>
> Is this really a security issue?

I don't think programs should print data received from untrusted
sources without properly quoting control characters (or replacing
them).  However, I don't think this should get the honor of a
last-minute fix, especially if it hasn't been approved by upstream.

Does the patch change a common code path?  (The potential memory leak
I criticized earlier apparently has been fixed.)
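As an added illustration of the quoting the reply above asks for (this is not code from wget, from the patches in #261755, or from anyone in this thread): a C routine that escapes ASCII and C1 control characters before untrusted text reaches the terminal, while letting valid UTF-8 multibyte sequences through, the multibyte point raised in #271931. The function and helper names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote untrusted text for terminal output. ASCII controls (0x00-0x1F, 0x7F)
 * and C1 controls U+0080..U+009F (encoded C2 80..C2 9F, which some terminals
 * honour as CSI/OSC) become \xNN; bytes that do not form a structurally valid
 * UTF-8 sequence are escaped too. Valid multibyte sequences pass through
 * unchanged, so non-ASCII filenames stay readable.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *quote_untrusted(const char *in)
{
    size_t n = strlen(in), o = 0;
    char *out = malloc(n * 4 + 1);   /* worst case: every byte -> "\xNN" */
    if (!out) return NULL;
    for (size_t i = 0; i < n;) {
        unsigned char c = (unsigned char)in[i], len = 0;
        if (c < 0x80) len = 1;
        else if ((c & 0xE0) == 0xC0 && c >= 0xC2) len = 2;  /* C0/C1 leads are overlong */
        else if ((c & 0xF0) == 0xE0) len = 3;
        else if ((c & 0xF8) == 0xF0 && c <= 0xF4) len = 4;
        int valid = len > 0 && i + len <= n;
        for (size_t k = 1; valid && k < len; k++)
            if (((unsigned char)in[i + k] & 0xC0) != 0x80) valid = 0;
        int ctrl = (len == 1 && (c < 0x20 || c == 0x7F)) ||
                   (len == 2 && c == 0xC2 && (unsigned char)in[i + 1] < 0xA0);
        if (valid && !ctrl) {
            memcpy(out + o, in + i, len);
            o += len; i += len;
        } else {                        /* escape one byte, then resynchronise */
            o += sprintf(out + o, "\\x%02X", c);
            i++;
        }
    }
    out[o] = '\0';
    return out;
}

/* Check helper: 1 if quoting `in` yields exactly `expected`. */
int quoted_equals(const char *in, const char *expected)
{
    char *q = quote_untrusted(in);
    int same = q && strcmp(q, expected) == 0;
    free(q);
    return same;
}
```

Call quote_untrusted() on any server-supplied string (filenames, headers, redirect targets) before handing it to printf or logging it; the byte-wise fallback also keeps a stray 0x9B from being emitted raw.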