Bug#858118: unblock: wget/1.18-5

Ivo De Decker Sat, 18 Mar 2017 11:48:37 -0700

Hi,

On Sat, Mar 18, 2017 at 04:10:11PM +0100, Noël Köthe wrote:
> I fixed it in unstable but unstable already has the new upstream
> version 1.19.1. To fix this problem in stretch I fixed only this
> problem with the wget package 1.18-5
> 
> The debdiff:


The package was uploaded to t-p-u and I approved it, but it also needs an
unblock-udeb (diff below).

Cheers,

Ivo

> $ debdiff wget_1.18-4.1.dsc wget_1.18-5.dsc 
> dpkg-source: Warnung: unsigniertes Quellpaket wird extrahiert 
> (/home/nk/debian/wget/wget-stretch/wget_1.18-5.dsc)
> diff -Nru wget-1.18/debian/changelog wget-1.18/debian/changelog
> --- wget-1.18/debian/changelog        2017-02-25 16:58:53.000000000 +0100
> +++ wget-1.18/debian/changelog        2017-03-18 15:12:55.000000000 +0100
> @@ -1,3 +1,9 @@
> +wget (1.18-5) testing-proposed-updates; urgency=medium
> +
> +  * applied upstream patch to fix CVE-2017-6508 closes: Bug#857073
> +
> + -- Noël Köthe <n...@debian.org>  Sat, 18 Mar 2017 15:12:55 +0100
> +
>  wget (1.18-4.1) testing-proposed-updates; urgency=medium
>  
>    * Non-maintainer upload.
> diff -Nru wget-1.18/debian/patches/CVE-2017-6508.patch 
> wget-1.18/debian/patches/CVE-2017-6508.patch
> --- wget-1.18/debian/patches/CVE-2017-6508.patch      1970-01-01 
> 01:00:00.000000000 +0100
> +++ wget-1.18/debian/patches/CVE-2017-6508.patch      2017-03-18 
> 15:12:55.000000000 +0100
> @@ -0,0 +1,32 @@
> +commit 4d729e322fae359a1aefaafec1144764a54e8ad4
> +Author: Tim Rühsen <tim.rueh...@gmx.de>
> +Date:   Mon Mar 6 10:04:22 2017 +0100
> +
> +    Fix CRLF injection in Wget host part
> +    
> +    * src/url.c (url_parse): Reject control characters in host part of URL
> +    
> +    Reported-by: Orange Tsai
> +
> +diff --git a/src/url.c b/src/url.c
> +index 8f8ff0b8..7d36b27d 100644
> +--- a/src/url.c
> ++++ b/src/url.c
> +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri 
> *iri, bool percent_encode)
> +       url_unescape (u->host);
> +       host_modified = true;
> + 
> ++      /* check for invalid control characters in host name */
> ++      for (p = u->host; *p; p++)
> ++        {
> ++          if (c_iscntrl(*p))
> ++            {
> ++              url_free(u);
> ++              error_code = PE_INVALID_HOST_NAME;
> ++              goto error;
> ++            }
> ++        }
> ++
> +       /* Apply IDNA regardless of iri->utf8_encode status */
> +       if (opt.enable_iri && iri)
> +         {
> diff -Nru wget-1.18/debian/patches/series wget-1.18/debian/patches/series
> --- wget-1.18/debian/patches/series   2016-09-26 15:07:33.000000000 +0200
> +++ wget-1.18/debian/patches/series   2017-03-18 15:12:55.000000000 +0100
> @@ -4,3 +4,4 @@
>  wget-doc-CRLs.patch
>  wget-openssl1.1.0.patch
>  CVE-2016-7098.patch
> +CVE-2017-6508.patch
>

Bug#858118: unblock: wget/1.18-5

Reply via email to