upload wget
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
Please upload wget. Debdiff is attached. I have tested new build with
this (https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt)
POC and looks OK.
https://mentors.debian.net/debian/pool/main/w/wget/wget_1.13.4-3+deb7u6.
dsc
- --abhijith
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlr0pBYACgkQhj1N8u2c
KO830hAAkjUbq5psnL4rB3pYyFP2rqwLcuMqybXIl/4KBCmneOYEJhhBJhk6dpxV
932crVCSDMSZNXLUz4NQA49FM2GIATtBoQ/8y0vy/43vqV36nx8pmfSk/NmRBd8V
usfUeHqHo/lwKbIL/NW8aNGsj2TR95jFR6oplSHJsHVQvPNPfJK6/FPpC7QJ8HLK
9VdUMOXTCXI8MC42uldkpUwsw3FMOTkTTsIbO5bZuNvXz7milpgklXe8P5MkWFxI
fWMyEnHytJjKaqwp2yZTzFZEgGAr8KCTtQTqvpAuyXMHeSh7/xYeTgf7k5MVwvRq
2dV4v+tlTI7KUArP1OLQfH7c65sh5RS9bwTLCMj/h8te5WW8111YfFnLZHK4/Z9S
+3lnrTL8kz8gJ3ufx0BbZbfmtuy9z+ladITIWNZBo4/QgMMW73hZLP9Ep4u3ickp
FD1YnBz0qIdM98GEJqcbiXXyiIRfKvCbc+ZkRUV5hofmZPI8kCer0Dg0tGDH51/E
sCsSXttrBP3foWZGCyZt3owa0jBQrcZe7uUNe5pzUCrFQalBrC/SDz8Kb060BSQw
sIYo808txDktCH1f+5hgdePYGNhtevY4rwhBbp8Faesqurg8TM3wRzl3wkgSLwU9
eG++9k5+qVJAVAzP5RrTETLDpuDk3NwLu65RUaJHfj1T3P1UzEw=
=YNRq
-----END PGP SIGNATURE-----
diff -Nru wget-1.13.4/debian/changelog wget-1.13.4/debian/changelog
--- wget-1.13.4/debian/changelog 2017-10-27 17:00:14.000000000 +0000
+++ wget-1.13.4/debian/changelog 2018-05-10 19:18:07.000000000 +0000
@@ -1,3 +1,11 @@
+wget (1.13.4-3+deb7u6) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * CVE-2018-0494: Fix cookie injection vulnerability in the resp_new
+ function in http.c. (Closes: #898076)
+
+ -- Abhijith PA <abhijith@disroot.org> Fri, 11 May 2018 00:48:07 +0530
+
wget (1.13.4-3+deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS Team
diff -Nru wget-1.13.4/debian/patches/CVE-2018-0494.patch wget-1.13.4/debian/patches/CVE-2018-0494.patch
--- wget-1.13.4/debian/patches/CVE-2018-0494.patch 1970-01-01 00:00:00.000000000 +0000
+++ wget-1.13.4/debian/patches/CVE-2018-0494.patch 2018-05-10 19:18:07.000000000 +0000
@@ -0,0 +1,52 @@
+Description: CVE-2018-0494
+ wget prone to a cookie injection vulnerability in the resp_new function in
+ http.c via a \r\n sequence in a continuation line. This patch tries to
+ carefully handle control characters.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd
+Bug-Debian: https://bugs.debian.org/898076
+Last-Update: 2018-05-10
+
+Index: wget-1.13.4/src/http.c
+===================================================================
+--- wget-1.13.4.orig/src/http.c
++++ wget-1.13.4/src/http.c
+@@ -583,9 +583,9 @@ struct response {
+ resp_header_*. */
+
+ static struct response *
+-resp_new (const char *head)
++resp_new (char *head)
+ {
+- const char *hdr;
++ char *hdr;
+ int count, size;
+
+ struct response *resp = xnew0 (struct response);
+@@ -614,15 +614,22 @@ resp_new (const char *head)
+ break;
+
+ /* Find the end of HDR, including continuations. */
+- do
++ for (;;)
+ {
+- const char *end = strchr (hdr, '\n');
++ char *end = strchr (hdr, '\n');
+ if (end)
+ hdr = end + 1;
+ else
+ hdr += strlen (hdr);
++
++ if (*hdr != ' ' && *hdr != '\t')
++ break;
++
++ // continuation, transform \r and \n into spaces
++ *end = ' ';
++ if (end > head && end[-1] == '\r')
++ end[-1] = ' ';
+ }
+- while (*hdr == ' ' || *hdr == '\t');
+ }
+ DO_REALLOC (resp->headers, size, count + 1, const char *);
+ resp->headers[count] = NULL;
diff -Nru wget-1.13.4/debian/patches/series wget-1.13.4/debian/patches/series
--- wget-1.13.4/debian/patches/series 2017-10-27 17:00:14.000000000 +0000
+++ wget-1.13.4/debian/patches/series 2018-05-10 19:18:07.000000000 +0000
@@ -11,3 +11,4 @@
CVE-2017-13089.patch
CVE-2017-13090.patch
+CVE-2018-0494.patch
Reply to: