Bug#858118: unblock: wget/1.18-5

To: Noël Köthe <noel@debian.org>, kibi@debian.org
Cc: 858118@bugs.debian.org
Subject: Bug#858118: unblock: wget/1.18-5
From: Ivo De Decker <ivodd@debian.org>
Date: Sat, 18 Mar 2017 19:45:25 +0100
Message-id: <[🔎] 20170318184525.GA6141@ugent.be>
Reply-to: Ivo De Decker <ivodd@debian.org>, 858118@bugs.debian.org
In-reply-to: <[🔎] 148984981197.1132.1574117622108551938.reportbug@pro.example.org>
References: <[🔎] 148984981197.1132.1574117622108551938.reportbug@pro.example.org>

Hi,

On Sat, Mar 18, 2017 at 04:10:11PM +0100, Noël Köthe wrote:
> I fixed it in unstable but unstable already has the new upstream
> version 1.19.1. To fix this problem in stretch I fixed only this
> problem with the wget package 1.18-5
> 
> The debdiff:

The package was uploaded to t-p-u and I approved it, but it also needs an
unblock-udeb (diff below).

Cheers,

Ivo

> $ debdiff wget_1.18-4.1.dsc wget_1.18-5.dsc 
> dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/nk/debian/wget/wget-stretch/wget_1.18-5.dsc)
> diff -Nru wget-1.18/debian/changelog wget-1.18/debian/changelog
> --- wget-1.18/debian/changelog	2017-02-25 16:58:53.000000000 +0100
> +++ wget-1.18/debian/changelog	2017-03-18 15:12:55.000000000 +0100
> @@ -1,3 +1,9 @@
> +wget (1.18-5) testing-proposed-updates; urgency=medium
> +
> +  * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
> +
> + -- Noël Köthe <noel@debian.org>  Sat, 18 Mar 2017 15:12:55 +0100
> +
>  wget (1.18-4.1) testing-proposed-updates; urgency=medium
>  
>    * Non-maintainer upload.
> diff -Nru wget-1.18/debian/patches/CVE-2017-6508.patch wget-1.18/debian/patches/CVE-2017-6508.patch
> --- wget-1.18/debian/patches/CVE-2017-6508.patch	1970-01-01 01:00:00.000000000 +0100
> +++ wget-1.18/debian/patches/CVE-2017-6508.patch	2017-03-18 15:12:55.000000000 +0100
> @@ -0,0 +1,32 @@
> +commit 4d729e322fae359a1aefaafec1144764a54e8ad4
> +Author: Tim Rühsen <tim.ruehsen@gmx.de>
> +Date:   Mon Mar 6 10:04:22 2017 +0100
> +
> +    Fix CRLF injection in Wget host part
> +    
> +    * src/url.c (url_parse): Reject control characters in host part of URL
> +    
> +    Reported-by: Orange Tsai
> +
> +diff --git a/src/url.c b/src/url.c
> +index 8f8ff0b8..7d36b27d 100644
> +--- a/src/url.c
> ++++ b/src/url.c
> +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
> +       url_unescape (u->host);
> +       host_modified = true;
> + 
> ++      /* check for invalid control characters in host name */
> ++      for (p = u->host; *p; p++)
> ++        {
> ++          if (c_iscntrl(*p))
> ++            {
> ++              url_free(u);
> ++              error_code = PE_INVALID_HOST_NAME;
> ++              goto error;
> ++            }
> ++        }
> ++
> +       /* Apply IDNA regardless of iri->utf8_encode status */
> +       if (opt.enable_iri && iri)
> +         {
> diff -Nru wget-1.18/debian/patches/series wget-1.18/debian/patches/series
> --- wget-1.18/debian/patches/series	2016-09-26 15:07:33.000000000 +0200
> +++ wget-1.18/debian/patches/series	2017-03-18 15:12:55.000000000 +0100
> @@ -4,3 +4,4 @@
>  wget-doc-CRLs.patch
>  wget-openssl1.1.0.patch
>  CVE-2016-7098.patch
> +CVE-2017-6508.patch
>

Reply to:

Follow-Ups:
- Bug#858118: unblock: wget/1.18-5
  - From: Cyril Brulebois <kibi@debian.org>
- Bug#858118: unblock: wget/1.18-5
  - From: Cyril Brulebois <kibi@debian.org>

References:
- Bug#858118: unblock: wget/1.18-5
  - From: Noël Köthe <noel@debian.org>

Prev by Date: Bug#858130: jessie-pu: package wget/1.16-1+deb8u2
Next by Date: Bug#858118: unblock: wget/1.18-5
Previous by thread: Processed: Re: unblock: wget/1.18-5
Next by thread: Bug#858118: unblock: wget/1.18-5
Index(es):
- Date
- Thread