Bug#858118: unblock: wget/1.18-5
Hi,
On Sat, Mar 18, 2017 at 04:10:11PM +0100, Noël Köthe wrote:
> I fixed it in unstable but unstable already has the new upstream
> version 1.19.1. To fix this problem in stretch I fixed only this
> problem with the wget package 1.18-5.
>
> The debdiff:
The package was uploaded to t-p-u and I approved it, but it also needs an
unblock-udeb (diff below).
Cheers,
Ivo
> $ debdiff wget_1.18-4.1.dsc wget_1.18-5.dsc
> dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/nk/debian/wget/wget-stretch/wget_1.18-5.dsc)
> diff -Nru wget-1.18/debian/changelog wget-1.18/debian/changelog
> --- wget-1.18/debian/changelog 2017-02-25 16:58:53.000000000 +0100
> +++ wget-1.18/debian/changelog 2017-03-18 15:12:55.000000000 +0100
> @@ -1,3 +1,9 @@
> +wget (1.18-5) testing-proposed-updates; urgency=medium
> +
> + * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
> +
> + -- Noël Köthe <noel@debian.org> Sat, 18 Mar 2017 15:12:55 +0100
> +
> wget (1.18-4.1) testing-proposed-updates; urgency=medium
>
> * Non-maintainer upload.
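Review bot: The new 1.18-5 changelog entry identifies the fix only by its CVE id. Say what changed as well, for example that debian/patches/CVE-2017-6508.patch makes url_parse reject control characters in the host part of a URL (CRLF injection), so the entry can be read without looking up the CVE.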
> diff -Nru wget-1.18/debian/patches/CVE-2017-6508.patch wget-1.18/debian/patches/CVE-2017-6508.patch
> --- wget-1.18/debian/patches/CVE-2017-6508.patch 1970-01-01 01:00:00.000000000 +0100
> +++ wget-1.18/debian/patches/CVE-2017-6508.patch 2017-03-18 15:12:55.000000000 +0100
> @@ -0,0 +1,32 @@
> +commit 4d729e322fae359a1aefaafec1144764a54e8ad4
> +Author: Tim Rühsen <tim.ruehsen@gmx.de>
> +Date: Mon Mar 6 10:04:22 2017 +0100
> +
> + Fix CRLF injection in Wget host part
> +
> + * src/url.c (url_parse): Reject control characters in host part of URL
> +
> + Reported-by: Orange Tsai
> +
> +diff --git a/src/url.c b/src/url.c
> +index 8f8ff0b8..7d36b27d 100644
> +--- a/src/url.c
> ++++ b/src/url.c
> +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
> + url_unescape (u->host);
> + host_modified = true;
> +
> ++ /* check for invalid control characters in host name */
> ++ for (p = u->host; *p; p++)
> ++ {
> ++ if (c_iscntrl(*p))
> ++ {
> ++ url_free(u);
> ++ error_code = PE_INVALID_HOST_NAME;
> ++ goto error;
> ++ }
> ++ }
> ++
> + /* Apply IDNA regardless of iri->utf8_encode status */
> + if (opt.enable_iri && iri)
> + {
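Review bot: The c_iscntrl loop sits directly after url_unescape (u->host) and host_modified = true, and the condition guarding that block is outside the context shown, so it is not clear from this hunk whether a host containing raw (not percent-encoded) control bytes also reaches the check. Please confirm that, or move the loop to a point every host passes through. Separately, url_free(u) is called before goto error, and the error label is not visible here, so check that the cleanup there does not release u a second time.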
> diff -Nru wget-1.18/debian/patches/series wget-1.18/debian/patches/series
> --- wget-1.18/debian/patches/series 2016-09-26 15:07:33.000000000 +0200
> +++ wget-1.18/debian/patches/series 2017-03-18 15:12:55.000000000 +0100
> @@ -4,3 +4,4 @@
> wget-doc-CRLs.patch
> wget-openssl1.1.0.patch
> CVE-2016-7098.patch
> +CVE-2017-6508.patch
>