wget: CVE-2018-20483

Debian Bug report logs - #917375
wget: CVE-2018-20483

Package: src:wget; Maintainer for src:wget is Noël Köthe <noel@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 26 Dec 2018 20:27:02 UTC

Severity: serious

Tags: security, upstream

Found in version wget/1.20-1

Fixed in version wget/1.20.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Noël Köthe <noel@debian.org>:
Bug#917375; Package src:wget. (Wed, 26 Dec 2018 20:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Noël Köthe <noel@debian.org>. (Wed, 26 Dec 2018 20:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wget: CVE-2018-20483
Date: Wed, 26 Dec 2018 21:24:23 +0100
Source: wget
Version: 1.20-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for wget.

CVE-2018-20483[0]:
| set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
| origin URL in the user.xdg.origin.url metadata attribute of the
| extended attributes of the downloaded file, which allows local users to
| obtain sensitive information (e.g., credentials contained in the URL)
| by reading this attribute, as demonstrated by getfattr. This also
| applies to Referer information in the user.xdg.referrer.url metadata
| attribute. According to 2016-07-22 in the Wget ChangeLog,
| user.xdg.origin.url was partially based on the behavior of fwrite_xattr
| in tool_xattr.c in curl.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
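A defender-side check for the leak described in the CVE text above, added here as an example that is not part of this bug log or of wget's own code: it reads the two xattr names the advisory cites (user.xdg.origin.url and user.xdg.referrer.url) from an already-downloaded file, flags values that still carry URL userinfo, and can overwrite them with a redacted copy. The function names, the SAMPLE_XATTRS data and the REDACTED placeholder are my own assumptions; the xattr I/O needs Linux and a filesystem with user xattrs enabled.

```python
import os
import sys
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

# Attribute names taken from the CVE-2018-20483 description (wget <= 1.20).
WGET_URL_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")

# Constructed sample of what `getfattr -d` might show on an affected file.
SAMPLE_XATTRS = {
    "user.xdg.origin.url": "https://alice:s3cret@example.com:8443/d/f.tgz?x=1",
    "user.xdg.referrer.url": "https://example.com/index.html",
    "user.mime_type": "application/gzip",  # unrelated attribute, must be ignored
}


def url_has_credentials(url: str) -> bool:
    """True when the URL carries userinfo (user:pass@host), the secret this CVE leaks."""
    parts = urlsplit(url)
    return bool(parts.username) or bool(parts.password)


def redact_url(url: str) -> str:
    """Replace any userinfo with a placeholder; host, port, path and query are kept."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    hostport = parts.netloc.rpartition("@")[2]  # keeps [v6]:port spelling verbatim
    return urlunsplit((parts.scheme, "REDACTED@" + hostport,
                       parts.path, parts.query, parts.fragment))


def classify_xattrs(attrs: Dict[str, str]) -> Dict[str, str]:
    """Return {xattr_name: redacted_value} for every wget URL xattr that leaks credentials."""
    return {name: redact_url(value) for name, value in attrs.items()
            if name in WGET_URL_XATTRS and url_has_credentials(value)}


def scan_file(path: str, fix: bool = False) -> Dict[str, str]:
    """Read wget's URL xattrs from one file; with fix=True, rewrite leaking ones redacted."""
    present = {}
    for name in WGET_URL_XATTRS:
        try:
            present[name] = os.getxattr(path, name).decode("utf-8", "replace")
        except OSError:  # attribute absent, or filesystem without user xattrs
            continue
    leaking = classify_xattrs(present)
    if fix:
        for name, redacted in leaking.items():
            os.setxattr(path, name, redacted.encode())
    return leaking


if __name__ == "__main__":  # usage: python3 check_xattr.py [--fix] FILE...
    args = [a for a in sys.argv[1:] if a != "--fix"]
    for p in args:
        for name, value in scan_file(p, fix="--fix" in sys.argv).items():
            print(f"{p}: {name} contained credentials -> {value}")
```

Because wget 1.20.1 and later no longer write the credential part, running this over existing download directories is a one-off cleanup, not an ongoing control.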



Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#917375; Package src:wget. (Wed, 26 Dec 2018 20:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Wed, 26 Dec 2018 20:39:02 GMT)


Message #10 received at 917375@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 917375@bugs.debian.org
Subject: Re: Bug#917375: wget: CVE-2018-20483
Date: Wed, 26 Dec 2018 21:35:04 +0100
Control: severity -1 serious

Hi

I would agree RC severity is not strongly warranted, but raising the
issue as the change is overviewable, and upstream released a fix, and
RC severity set to guarantee buster will have the fix.

If you, though, disagree, feel free to downgrade again.

Upstream fixed the issue with 1.20.1.

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa

Regards,
Salvatore



Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to 917375-submit@bugs.debian.org. (Wed, 26 Dec 2018 20:39:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#917375; Package src:wget. (Thu, 27 Dec 2018 20:15:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Thu, 27 Dec 2018 20:15:09 GMT)


Message #17 received at 917375@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 917375@bugs.debian.org
Cc: 917375-done@bugs.debian.org, noel@debian.org
Subject: Re: Bug#917375: wget: CVE-2018-20483
Date: Thu, 27 Dec 2018 21:13:04 +0100
Source: wget
Source-Version: 1.20.1-1

On Wed, Dec 26, 2018 at 09:24:23PM +0100, Salvatore Bonaccorso wrote:
> Source: wget
> Version: 1.20-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for wget.
> 
> CVE-2018-20483[0]:
> | set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
> | origin URL in the user.xdg.origin.url metadata attribute of the
> | extended attributes of the downloaded file, which allows local users to
> | obtain sensitive information (e.g., credentials contained in the URL)
> | by reading this attribute, as demonstrated by getfattr. This also
> | applies to Referer information in the user.xdg.referrer.url metadata
> | attribute. According to 2016-07-22 in the Wget ChangeLog,
> | user.xdg.origin.url was partially based on the behavior of fwrite_xattr
> | in tool_xattr.c in curl.

Fixed with the 1.20.1 upstream version upload to sid today.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 27 Dec 2018 20:15:22 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Dec 2018 20:15:22 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jan 2019 07:31:35 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:45 2019; Machine Name: buxtehude
