
Bug#926888: marked as done (unblock: wget/1.20.1-1.1)



Your message dated Tue, 23 Apr 2019 05:33:00 +0000
with message-id <08d119b2-708f-8091-c0ba-66b3f021259a@thykier.net>
and subject line Re: Bug#926888: unblock: wget/1.20.1-1.1
has caused the Debian Bug report #926888,
regarding unblock: wget/1.20.1-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926888
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package wget

It fixes CVE-2019-5953 (#926389), a buffer overflow vulnerability in the
handling of Internationalized Resource Identifiers (IRI); it was
addressed as well in DSA-4425-1 for stretch.

Attached is the debdiff between 1.20.1-1 and 1.20.1-1.1.

unblock wget/1.20.1-1.1

Regards,
Salvatore
diff -Nru wget-1.20.1/debian/changelog wget-1.20.1/debian/changelog
--- wget-1.20.1/debian/changelog	2018-12-27 18:53:18.000000000 +0100
+++ wget-1.20.1/debian/changelog	2019-04-05 15:36:38.000000000 +0200
@@ -1,3 +1,10 @@
+wget (1.20.1-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 05 Apr 2019 15:36:38 +0200
+
 wget (1.20.1-1) unstable; urgency=high
 
   * new upstream release 2018-12-26
diff -Nru wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch
--- wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch	1970-01-01 01:00:00.000000000 +0100
+++ wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch	2019-04-05 15:36:38.000000000 +0200
@@ -0,0 +1,30 @@
+From: Tim Ruehsen <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: Fix a buffer overflow vulnerability
+Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c,
+ https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953
+Bug-Debian: https://bugs.debian.org/926389
+
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+  size if it is already full
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/src/iri.c
++++ b/src/iri.c
+@@ -189,9 +189,10 @@ do_conversion (const char *tocode, const
+         {
+           tooshort++;
+           done = len;
+-          len = outlen = done + inlen * 2;
+-          s = xrealloc (s, outlen + 1);
+-          *out = s + done;
++          len = done + inlen * 2;
++          s = xrealloc (s, len + 1);
++          *out = s + done - outlen;
++          outlen += inlen * 2;
+         }
+       else /* Weird, we got an unspecified error */
+         {
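Review bot: the replacement arithmetic in the src/iri.c hunk is correct but order-sensitive and deserves a comment. In the removed lines, `*out = s + done` placed the write pointer at the old end of the buffer (`done = len`) while `outlen` was set to the whole new size, so the remaining space advertised to the conversion call that consumes `*out`/`outlen` exceeded the space actually left after `done` bytes, which is the overflow this patch addresses. The new `*out = s + done - outlen;` relies on `outlen` still holding the previous unconsumed remainder when it executes, and only afterwards does `outlen += inlen * 2;` add the growth; swapping those two lines would mis-position the write pointer again. Suggest a one-line comment above `*out = s + done - outlen;` stating that `outlen` is the remainder of the old buffer at that point. Also worth noting in the patch description that `s = xrealloc (s, len + 1);` keeps the extra byte the original reserved beyond `len`.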
diff -Nru wget-1.20.1/debian/patches/series wget-1.20.1/debian/patches/series
--- wget-1.20.1/debian/patches/series	2018-12-15 18:07:46.000000000 +0100
+++ wget-1.20.1/debian/patches/series	2019-04-05 15:36:38.000000000 +0200
@@ -1,3 +1,4 @@
 wget-doc-remove-usr-local-in-sample.wgetrc
 wget-doc-remove-usr-local-in-wget.texi
 wget-passive_ftp-default
+Fix-a-buffer-overflow-vulnerability.patch

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Hi,
> 
> Niels Thykier <niels@thykier.net> (2019-04-21):
>> On Fri, 12 Apr 2019 07:54:00 +0000 Niels Thykier <niels@thykier.net> wrote:
>>> Control: tags -1 d-i confirmed
>>>
>>> Salvatore Bonaccorso:
>>>> Package: release.debian.org
>>>> Severity: normal
>>>> User: release.debian.org@packages.debian.org
>>>> Usertags: unblock
>>>>
>>>> Hi,
>>>>
>>>> Please unblock package wget
>>>>
>>>> It fixes CVE-2019-5953 (#926389), a buffer overflow vulnerability in the
>>>> handling of Internationalized Resource Identifiers (IRI); it was
>>>> addressed as well in DSA-4425-1 for stretch.
>>>>
>>>> Attached is the debdiff between 1.20.1-1 and 1.20.1-1.1.
>>>>
>>>> unblock wget/1.20.1-1.1
>>>>
>>>> Regards,
>>>> Salvatore
> 
>>> OK from here; Cc'ing KiBi for a d-i ack.
>>>
>>> Thanks,
>>> ~Niels
>>>
>>>
>>
>> Gentle ping on this unblock request for a CVE fix in wget.
> 
> No objections, thanks.
> 
> Sorry, I had closed my local todo item as I thought it was done already,
> but I got confused there (was probably thinking about the openssl bug
> fix that made wget work in d-i)…
> 
> 
> Cheers,
> 

Unblocked, thanks.
~Niels

--- End Message ---