
Bug#1099428: marked as done (bookworm-pu: package wget/1.21.3-1+deb12u1)



Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <E1ttO4S-005KoX-Vu@coccia.debian.org>
and subject line Close 1099428
has caused the Debian Bug report #1099428,
regarding bookworm-pu: package wget/1.21.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1099428: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099428
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: wget@packages.debian.org
Control: affects -1 + src:wget

[ Reason ]

Fix CVE-2024-38428 and trivial packaging update.

[ Impact ]

The CVE would not be fixed. Users would face the risk of an info leak.

[ Tests ]

dh_auto_test has passed, and it has been tested manually by me.

[ Risks ]

Changes are backported from upstream and minimal.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

 * Replace obsolete B-D pkg-config with pkgconf.
 * Backport a patch from upstream that properly re-implements userinfo parsing in
   src/url.c.

[ Other info ]

I did not backport the fix for CVE-2024-10524 since, as an Ubuntu developer said, this
patch might be a breaking change to wget behavior.
diff -Nru wget-1.21.3/debian/changelog wget-1.21.3/debian/changelog
--- wget-1.21.3/debian/changelog	2022-03-30 01:40:59.000000000 +0800
+++ wget-1.21.3/debian/changelog	2025-03-03 21:32:32.000000000 +0800
@@ -1,3 +1,11 @@
+wget (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * d/control: replace obsolete B-D pkg-config with pkgconf.
+  * Backport patch to fix mishandling of semicolons in userinfo
+    (closes: CVE-2024-38428).
+
+ -- Shengqi Chen <harry@debian.org>  Mon, 03 Mar 2025 21:32:32 +0800
+
 wget (1.21.3-1) unstable; urgency=medium
 
   * new upstream from 2022-02-26
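Review bot: the changelog entry records the CVE-2024-38428 backport and the pkgconf switch but not the deliberate decision, stated under [Other info], to leave CVE-2024-10524 unfixed; a line such as `* CVE-2024-10524 intentionally not backported (possible behaviour change)` keeps that decision discoverable from the package history. As a style point, `closes:` is normally followed by a Debian bug number, so `(CVE-2024-38428)` on its own avoids reading like a bug closure.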
diff -Nru wget-1.21.3/debian/control wget-1.21.3/debian/control
--- wget-1.21.3/debian/control	2022-03-30 01:40:59.000000000 +0800
+++ wget-1.21.3/debian/control	2025-03-03 21:32:32.000000000 +0800
@@ -2,7 +2,7 @@
 Section: web
 Priority: standard
 Maintainer: Noël Köthe <noel@debian.org>
-Build-Depends: debhelper-compat (= 13), pkg-config, gettext, texinfo, libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5), automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism
+Build-Depends: debhelper-compat (= 13), pkgconf, gettext, texinfo, libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5), automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism
 Standards-Version: 4.6.0
 Homepage: https://www.gnu.org/software/wget/
 
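Review bot: the pkg-config to pkgconf swap in Build-Depends is the only non-security change in this stable update and the cover text only calls pkg-config obsolete without saying why the bookworm build needs it changed; a sentence of motivation in [Changes] or the changelog, together with the statement in [Tests] that the build and dh_auto_test passed with pkgconf, would save the release team a question.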
diff -Nru wget-1.21.3/debian/patches/CVE-2024-38428.patch wget-1.21.3/debian/patches/CVE-2024-38428.patch
--- wget-1.21.3/debian/patches/CVE-2024-38428.patch	1970-01-01 08:00:00.000000000 +0800
+++ wget-1.21.3/debian/patches/CVE-2024-38428.patch	2025-03-03 21:30:39.000000000 +0800
@@ -0,0 +1,75 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work.  */
+ #include "url.h"
+ #include "host.h"  /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+ 
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+-  /* Look for '@' that comes before terminators, such as '/', '?',
+-     '#', or ';'.  */
+-  const char *p = (const char *)strpbrk (url, "@/?#;");
+-  if (!p || *p != '@')
+-    return url;
+-  return p + 1;
++  /*
++   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++   *
++   * The RFC says
++   * server        = [ [ userinfo "@" ] hostport ]
++   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++   * unreserved    = alphanum | mark
++   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++   */
++  static const char *allowed = "-_.!~*'();:&=+$,";
++
++  for (const char *p = url; *p; p++)
++    {
++      if (c_isalnum(*p))
++        continue;
++
++      if (strchr(allowed, *p))
++        continue;
++
++      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++        {
++          p += 2;
++          continue;
++        }
++
++      if (*p == '@')
++        return p + 1;
++
++      break;
++    }
++
++  return url;
+ }
+ 
+ /* Parse credentials contained in [BEG, END).  The region is expected
+-- 
+cgit v1.1
+
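Review bot: the rewritten loop changes behaviour beyond the semicolon case and that deserves a sentence in the changelog: the removed strpbrk version accepted any byte before the first `@`, whereas the new loop falls through to `break` and returns `url` unchanged as soon as it meets a byte that is not alphanumeric, not in `allowed` and not a `%XX` escape, so userinfo containing, for example, an unescaped space or a non-ASCII byte is no longer skipped at all. Two smaller points: the file carries the git format-patch header but no DEP-3 `Origin:` or `Bug:` fields naming upstream commit ed0c7c7e0e8f7298352646b2fd6e06a11e242ace and CVE-2024-38428, and the trailing `cgit v1.1` footer lines can be dropped.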
diff -Nru wget-1.21.3/debian/patches/series wget-1.21.3/debian/patches/series
--- wget-1.21.3/debian/patches/series	2022-03-29 17:54:56.000000000 +0800
+++ wget-1.21.3/debian/patches/series	2025-03-03 21:30:39.000000000 +0800
@@ -1,3 +1,4 @@
 wget-doc-remove-usr-local-in-sample.wgetrc
 wget-doc-remove-usr-local-in-wget.texi
 wget-passive_ftp-default
+CVE-2024-38428.patch

--- End Message ---
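The semicolon case behind this update, as an added example that is not part of the bug report or of wget itself: a stand-alone C re-creation of the pre- and post-patch `url_skip_credentials` logic, run over constructed inputs (the URL remainder after `scheme://`) to show why the old `strpbrk` version leaves `user;pass@` in place and how the new loop also stops at bytes outside the RFC 2396 userinfo set. The names `skip_credentials_old` and `skip_credentials_new`, and the use of `<ctype.h>` in place of gnulib's `c-ctype.h`, are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch logic (the removed lines): stop at the first of "@/?#;".  A ';'
 * inside userinfo is hit before the '@', so the credentials are not skipped. */
static const char *skip_credentials_old(const char *url)
{
    const char *p = strpbrk(url, "@/?#;");
    if (!p || *p != '@')
        return url;
    return p + 1;
}

/* Post-patch logic (the added lines): accept an '@' only if everything before
 * it is alphanumeric, in the RFC 2396 userinfo set, or a %XX escape. */
static const char *skip_credentials_new(const char *url)
{
    static const char *allowed = "-_.!~*'();:&=+$,";
    for (const char *p = url; *p; p++) {
        if (isalnum((unsigned char)*p) || strchr(allowed, *p))
            continue;
        if (*p == '%' && isxdigit((unsigned char)p[1])
                      && isxdigit((unsigned char)p[2])) {
            p += 2;          /* consume the two hex digits */
            continue;
        }
        if (*p == '@')
            return p + 1;    /* valid userinfo: host starts here */
        break;               /* terminator or disallowed byte */
    }
    return url;              /* no credentials recognised */
}

int main(void)
{
    /* Constructed inputs: the part of a URL after "scheme://". */
    static const char *const inputs[] = {
        "user;pass@host/path",   /* CVE case: ';' in userinfo */
        "user%40x:p@host/",      /* escaped '@' in user name */
        "host/path@not",         /* '@' in path, no credentials */
        "bad user@host/",        /* space is not RFC 2396 userinfo */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-22s old->%-22s new->%s\n", inputs[i],
               skip_credentials_old(inputs[i]),
               skip_credentials_new(inputs[i]));
    return 0;
}
```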
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
