wget: CVE-2010-2252 use of server provided file name might lead to overwriting arbitrary files


Debian Bug report logs - #590296

Package: wget; Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 25 Jul 2010 17:06:01 UTC

Severity: serious

Tags: confirmed, fixed-upstream, patch, security, upstream

Found in version wget/1.12-1.1

Fixed in version wget/1.12-2.1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://savannah.gnu.org/bugs/?29958



Report forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#590296; Package wget. (Sun, 25 Jul 2010 17:06:04 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Noël Köthe <noel@debian.org>. (Sun, 25 Jul 2010 17:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: wget: CVE-2010-2252 use of server provided file name might lead to overwriting arbitrary files
Date: Sun, 25 Jul 2010 19:07:43 +0200
Package: wget
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wget.

CVE-2010-2252[0]:
| GNU Wget 1.12 and earlier uses a server-provided filename instead of
| the original URL to determine the destination filename of a download,
| which allows remote servers to create or overwrite arbitrary files via
| a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx
| redirect to a URL with a crafted filename, and possibly execute
| arbitrary code as a consequence of writing to a dotfile in a home
| directory.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2252
    http://security-tracker.debian.org/tracker/CVE-2010-2252

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#590296; Package wget. (Mon, 26 Jul 2010 19:45:11 GMT)


Acknowledgement sent to Noël Köthe <noel@debian.org>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Mon, 26 Jul 2010 19:45:11 GMT)


Message #10 received at 590296@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: Nico Golde <nion@debian.org>, 590296@bugs.debian.org
Cc: control <control@bugs.debian.org>
Subject: Re: Bug#590296: wget: CVE-2010-2252 use of server provided file name might lead to overwriting arbitrary files
Date: Mon, 26 Jul 2010 21:41:15 +0200
tags 590296 + upstream confirmed
forwarded 590296 https://savannah.gnu.org/bugs/?29958

On Sunday, 25.07.2010, at 19:07 +0200, Nico Golde wrote:

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wget.
> 
> CVE-2010-2252[0]:
> | GNU Wget 1.12 and earlier uses a server-provided filename instead of
> | the original URL to determine the destination filename of a download,
> | which allows remote servers to create or overwrite arbitrary files via
> | a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx
> | redirect to a URL with a crafted filename, and possibly execute
> | arbitrary code as a consequence of writing to a dotfile in a home
> | directory.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2252
>     http://security-tracker.debian.org/tracker/CVE-2010-2252

Thanks for the report.
Upstream is aware of the problem but investigation and development is
needed.

-- 
Noël Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org

Added tag(s) upstream and confirmed. Request was from Noël Köthe <noel@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2010 19:45:13 GMT)


Set Bug forwarded-to-address to 'https://savannah.gnu.org/bugs/?29958'. Request was from Noël Köthe <noel@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2010 19:45:13 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 19 Aug 2010 16:36:35 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#590296; Package wget. (Fri, 03 Sep 2010 13:27:04 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Fri, 03 Sep 2010 13:27:04 GMT)


Message #21 received at 590296@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <590296@bugs.debian.org>
Subject: wget: Fix for CVE-2010-2252
Date: Fri, 03 Sep 2010 09:25:29 -0400
Package: wget
Version: 1.12-1.1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary file overwrite via 3xx redirect
    - debian/patches/CVE-2010-2252.dpatch: don't use server names in
      doc/wget.texi, src/{http.*,init.c,main.c,options.h,retr.c}.
    - This update changes previous behaviour by ignoring the filename
      supplied by the server during redirects. To re-enable previous
      behaviour, see the new --trust-server-names option.
    - CVE-2010-2252

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-19-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmput6jtm (text/x-diff, attachment)]
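The two messages above describe the defect and the fix: pre-fix wget names the local file after the URL the server redirected to, while the patched default names it after the URL the user requested and only honours server-chosen names under --trust-server-names. The following added model of that naming decision is illustration, not wget's source or the attached patch; the host example.invalid and the redirect chain are constructed, and is_unsafe_local_name is a hypothetical defensive check a download client could add on top of the default.

```python
"""Model of how wget chooses a destination filename after 3xx redirects,
before and after the CVE-2010-2252 change (added illustration, not wget code)."""
from urllib.parse import urlparse, unquote


def basename_from_url(url):
    """Last path component of a URL, decoded; a bare directory path
    ('.../' or no path) falls back to index.html as wget does."""
    path = unquote(urlparse(url).path)
    name = path.rsplit("/", 1)[-1]
    return name or "index.html"


def destination_filename(original_url, redirect_chain, trust_server_names=False):
    """Pre-fix wget behaves like trust_server_names=True: the local name comes
    from the final redirect target, so the server decides what gets written.
    The fixed default (False) derives it from the URL the user typed."""
    if trust_server_names and redirect_chain:
        return basename_from_url(redirect_chain[-1])
    return basename_from_url(original_url)


def is_unsafe_local_name(name):
    """Hypothetical defensive check: reject names a peer should never pick,
    i.e. dotfiles such as .wgetrc, path separators, and traversal components.
    Note that wget writes into the current directory, so a dotfile lands in
    $HOME whenever the user runs it from there."""
    return (name.startswith(".") or "/" in name or "\\" in name
            or name in ("", ".", ".."))


# Constructed scenario mirroring the CVE text: the user asks for a harmless
# file and the server answers with a 3xx whose target path ends in .wgetrc.
ORIGINAL = "http://example.invalid/download/readme.txt"
CHAIN = ["http://example.invalid/tmp/.wgetrc"]


def compare():
    """Return the filename each policy would write for the constructed chain."""
    return {trust: destination_filename(ORIGINAL, CHAIN, trust_server_names=trust)
            for trust in (True, False)}


if __name__ == "__main__":
    for trust, name in compare().items():
        verdict = "UNSAFE" if is_unsafe_local_name(name) else "ok"
        print(f"trust_server_names={trust}: would write {name!r} ({verdict})")
```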

Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#590296; Package wget. (Sat, 04 Sep 2010 16:42:03 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Sat, 04 Sep 2010 16:42:03 GMT)


Message #26 received at 590296@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 590296@bugs.debian.org
Subject: re: wget: CVE-2010-2252 use of server provided file name might lead to overwriting arbitrary files
Date: Sat, 4 Sep 2010 12:37:36 -0400
severity 590296 serious
tags 590296 patch
thanks

according to the upstream bug report, this is fixed in upstream commit
2409. also raising the severity since this should be fixed before
release; otherwise a DSA needs to be issued, and that's just more
work. thanks.

mike

Severity set to 'serious' from 'important'. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 04 Sep 2010 16:54:04 GMT)


Added tag(s) patch. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 04 Sep 2010 16:54:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#590296; Package wget. (Sun, 05 Sep 2010 13:51:06 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Sun, 05 Sep 2010 13:51:06 GMT)


Message #35 received at 590296@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 590296@bugs.debian.org
Subject: wget: diff for NMU version 1.12-2.1
Date: Sun, 5 Sep 2010 15:49:01 +0200
tags 590296 + pending
thanks

Dear maintainer,

I've prepared an NMU for wget (versioned as 1.12-2.1) and
uploaded it to DELAYED/1. Please feel free to tell me if I
should delay it longer.

Regards.
Giuseppe.
[wget-1.12-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sun, 05 Sep 2010 13:51:07 GMT)


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Mon, 06 Sep 2010 14:51:04 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 06 Sep 2010 14:51:04 GMT)


Message #42 received at 590296-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 590296-close@bugs.debian.org
Subject: Bug#590296: fixed in wget 1.12-2.1
Date: Mon, 06 Sep 2010 14:49:24 +0000
Source: wget
Source-Version: 1.12-2.1

We believe that the bug you reported is fixed in the latest version of
wget, which is due to be installed in the Debian FTP archive:

wget_1.12-2.1.debian.tar.gz
  to main/w/wget/wget_1.12-2.1.debian.tar.gz
wget_1.12-2.1.dsc
  to main/w/wget/wget_1.12-2.1.dsc
wget_1.12-2.1_i386.deb
  to main/w/wget/wget_1.12-2.1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 590296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated wget package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 05 Sep 2010 15:33:19 +0200
Source: wget
Binary: wget
Architecture: source i386
Version: 1.12-2.1
Distribution: unstable
Urgency: high
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 wget       - retrieves files from the web
Closes: 590296
Changes: 
 wget (1.12-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-2252: use of server provided file name might lead to
     overwriting arbitrary files. Thanks to Marc Deslauriers and the Ubuntu
     Security team (Closes: #590296)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Oct 2010 07:40:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:35 2019; Machine Name: buxtehude
