Bug#858118: marked as done (unblock: wget/1.18-5)

To: Ivo De Decker <ivodd@respighi.debian.org>
Subject: Bug#858118: marked as done (unblock: wget/1.18-5)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 18 Mar 2017 22:15:05 +0000
Message-id: <[🔎] handler.858118.D858118.148987520228055.ackdone@bugs.debian.org>
References: <E1cpMb9-0003wu-KE@respighi.debian.org> <[🔎] 148984981197.1132.1574117622108551938.reportbug@pro.example.org>

Your message dated Sat, 18 Mar 2017 22:13:19 +0000
with message-id <E1cpMb9-0003wu-KE@respighi.debian.org>
and subject line unblock wget
has caused the Debian Bug report #858118,
regarding unblock: wget/1.18-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858118
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: wget/1.18-5
From: Noël Köthe <noel@debian.org>
Date: Sat, 18 Mar 2017 16:10:11 +0100
Message-id: <[🔎] 148984981197.1132.1574117622108551938.reportbug@pro.example.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package wget

wget has a security problem CVE-2017-6508 #857073
https://security-tracker.debian.org/tracker/CVE-2017-6508

I fixed it in unstable but unstable already has the new upstream
version 1.19.1. To fix this problem in stretch I fixed only this
problem with the wget package 1.18-5

The debdiff:

$ debdiff wget_1.18-4.1.dsc wget_1.18-5.dsc 
dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert (/home/nk/debian/wget/wget-stretch/wget_1.18-5.dsc)
diff -Nru wget-1.18/debian/changelog wget-1.18/debian/changelog
--- wget-1.18/debian/changelog	2017-02-25 16:58:53.000000000 +0100
+++ wget-1.18/debian/changelog	2017-03-18 15:12:55.000000000 +0100
@@ -1,3 +1,9 @@
+wget (1.18-5) testing-proposed-updates; urgency=medium
+
+  * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
+
+ -- Noël Köthe <noel@debian.org>  Sat, 18 Mar 2017 15:12:55 +0100
+
 wget (1.18-4.1) testing-proposed-updates; urgency=medium
 
   * Non-maintainer upload.
diff -Nru wget-1.18/debian/patches/CVE-2017-6508.patch wget-1.18/debian/patches/CVE-2017-6508.patch
--- wget-1.18/debian/patches/CVE-2017-6508.patch	1970-01-01 01:00:00.000000000 +0100
+++ wget-1.18/debian/patches/CVE-2017-6508.patch	2017-03-18 15:12:55.000000000 +0100
@@ -0,0 +1,32 @@
+commit 4d729e322fae359a1aefaafec1144764a54e8ad4
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Mon Mar 6 10:04:22 2017 +0100
+
+    Fix CRLF injection in Wget host part
+    
+    * src/url.c (url_parse): Reject control characters in host part of URL
+    
+    Reported-by: Orange Tsai
+
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b8..7d36b27d 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
+       url_unescape (u->host);
+       host_modified = true;
+ 
++      /* check for invalid control characters in host name */
++      for (p = u->host; *p; p++)
++        {
++          if (c_iscntrl(*p))
++            {
++              url_free(u);
++              error_code = PE_INVALID_HOST_NAME;
++              goto error;
++            }
++        }
++
+       /* Apply IDNA regardless of iri->utf8_encode status */
+       if (opt.enable_iri && iri)
+         {
diff -Nru wget-1.18/debian/patches/series wget-1.18/debian/patches/series
--- wget-1.18/debian/patches/series	2016-09-26 15:07:33.000000000 +0200
+++ wget-1.18/debian/patches/series	2017-03-18 15:12:55.000000000 +0100
@@ -4,3 +4,4 @@
 wget-doc-CRLs.patch
 wget-openssl1.1.0.patch
 CVE-2016-7098.patch
+CVE-2017-6508.patch

If this is OK for you release-team I can upload it to testing-proposed-updates.

Thanks for your release work and greeting from the credativ BSP.;)

unblock wget/1.18-5

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

To: 858118-done@bugs.debian.org

Subject: unblock wget

From: Ivo De Decker <ivodd@respighi.debian.org>

Date: Sat, 18 Mar 2017 22:13:19 +0000

Message-id: <E1cpMb9-0003wu-KE@respighi.debian.org>
Unblocked wget.
--- End Message ---

Reply to:

References:
- Bug#858118: unblock: wget/1.18-5
  - From: Noël Köthe <noel@debian.org>

Prev by Date: Bug#858147: marked as done (unblock: qpid-proton/0.14.0-5)
Next by Date: Bug#858148: marked as done (unblock: glance/2:13.0.0-3)
Previous by thread: Bug#858118: unblock: wget/1.18-5
Next by thread: Bug#858124: RM: npm/1.4.21+ds-3
Index(es):
- Date
- Thread