summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>2019-10-02 23:07:35 -0700
committerArmin Kuster <akuster808@gmail.com>2019-10-06 13:50:05 -0700
commitc901bc8cd9de5853185af2059c6f1efeb4ccdd60 (patch)
tree67956c5a1bbcb7cb44b2b2b2e02c9e5a9085e517
parentc0c66d213b4b6deb0a5e9a688810d2e9674d3ecf (diff)
downloadopenembedded-core-contrib-c901bc8cd9de5853185af2059c6f1efeb4ccdd60.tar.gz
openembedded-core-contrib-c901bc8cd9de5853185af2059c6f1efeb4ccdd60.tar.bz2
openembedded-core-contrib-c901bc8cd9de5853185af2059c6f1efeb4ccdd60.zip
wget: Security fixes CVE-2018-20483
Source: http://git.savannah.gnu.org/cgit/wget.git/ Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/ Description: Fixes CVE-2018-20483 Signed-off-by: Aviraj CJ <acj@cisco.com> [Affects Wget before 1.20.1] Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch73
-rw-r--r--meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch127
-rw-r--r--meta/recipes-extended/wget/wget_1.19.5.bb2
3 files changed, 202 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 0000000000..cbc4a127a8
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c | 4 ----
+ src/main.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+ opt.hsts = true;
+ #endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+ opt.enable_xattr = false;
+-#endif
+ }
+
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+ N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+ #endif
+ "\n",
+
+--
+2.19.1
+
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 0000000000..72ce8a0b33
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+ reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c | 2 +-
+ src/http.c | 4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h | 3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+ #ifdef ENABLE_XATTR
+ if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ #endif
+
+ fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ if (opt.enable_xattr)
+ {
+ if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+ else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ }
+ #endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+ /* Save metadata about where the file came from (requested, final URLs) to
+ * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+ * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+ */
+ int retval = -1;
++ char *value;
+
+ if (!origin_url || !fp)
+ return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+ return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+ along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+ #include <stdio.h>
++#include <url.h>
+
+ #ifndef _XATTR_H
+ #define _XATTR_H
+
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index 920b74de1b..a53844bb8f 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-improve-reproducibility.patch \
file://CVE-2019-5953.patch \
+ file://CVE-2018-20483_p1.patch \
+ file://CVE-2018-20483_p2.patch \
"
SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"