aboutsummaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorSaul Wold <sgw@linux.intel.com>2014-11-05 21:08:53 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-11-06 11:39:41 +0000
commit52f9eebe86e4b641229b524dd7701c01d9ed833c (patch)
tree4767b09851adf0e1e35f7f03a0cfbeea68c4865c /meta
parent7504c2e715d675775e166a52ae83cf48504add19 (diff)
downloadopenembedded-core-52f9eebe86e4b641229b524dd7701c01d9ed833c.tar.gz
wget: Fix for CVE-2014-4887
Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch78
-rw-r--r--meta/recipes-extended/wget/wget_1.14.bb1
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch
new file mode 100644
index 0000000000..bfcc36ea9e
--- /dev/null
+++ b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch
@@ -0,0 +1,78 @@
+From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
+From: Darshit Shah <darnir@gmail.com>
+Date: Sun, 07 Sep 2014 19:11:17 +0000
+Subject: CVE-2014-4877: Arbitrary Symlink Access
+
+Wget was susceptible to a symlink attack which could create arbitrary
+files, directories or symbolic links and set their permissions when
+retrieving a directory recursively through FTP. This commit changes the
+default settings in Wget such that Wget no longer creates local symbolic
+links, but rather traverses them and retrieves the pointed-to file in
+such a retrieval.
+
+The old behaviour can be attained by passing the --retr-symlinks=no
+option to the Wget invokation command.
+---
+diff --git a/doc/wget.texi b/doc/wget.texi
+index aef1f80..d7a4c94 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
+
+ @cindex symbolic links, retrieving
+ @item --retr-symlinks
+-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
+-link is encountered, the linked-to file is not downloaded. Instead, a
+-matching symbolic link is created on the local filesystem. The
+-pointed-to file will not be downloaded unless this recursive retrieval
+-would have encountered it separately and downloaded it anyway.
+-
+-When @samp{--retr-symlinks} is specified, however, symbolic links are
+-traversed and the pointed-to files are retrieved. At this time, this
+-option does not cause Wget to traverse symlinks to directories and
+-recurse through them, but in the future it should be enhanced to do
+-this.
++By default, when retrieving @sc{ftp} directories recursively and a symbolic link
++is encountered, the symbolic link is traversed and the pointed-to files are
++retrieved. Currently, Wget does not traverse symbolic links to directories to
++download them recursively, though this feature may be added in the future.
++
++When @samp{--retr-symlinks=no} is specified, the linked-to file is not
++downloaded. Instead, a matching symbolic link is created on the local
++filesystem. The pointed-to file will not be retrieved unless this recursive
++retrieval would have encountered it separately and downloaded it anyway. This
++option poses a security risk where a malicious FTP Server may cause Wget to
++write to files outside of the intended directories through a specially crafted
++@sc{.listing} file.
+
+ Note that when retrieving a file (not a directory) because it was
+ specified on the command-line, rather than because it was recursed to,
+diff --git a/src/init.c b/src/init.c
+index 09557af..3bdaa48 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -366,6 +366,22 @@ defaults (void)
+
+ opt.dns_cache = true;
+ opt.ftp_pasv = true;
++ /* 2014-09-07 Darshit Shah <darnir@gmail.com>
++ * opt.retr_symlinks is set to true by default. Creating symbolic links on the
++ * local filesystem pose a security threat by malicious FTP Servers that
++ * server a specially crafted .listing file akin to this:
++ *
++ * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> /
++ * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU
++ *
++ * A .listing file in this fashion makes Wget susceptiple to a symlink attack
++ * wherein the attacker is able to create arbitrary files, directories and
++ * symbolic links on the target system and even set permissions.
++ *
++ * Hence, by default Wget attempts to retrieve the pointed-to files and does
++ * not create the symbolic links locally.
++ */
++ opt.retr_symlinks = true;
+
+ #ifdef HAVE_SSL
+ opt.check_cert = true;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-extended/wget/wget_1.14.bb b/meta/recipes-extended/wget/wget_1.14.bb
index b12c14711d..48c237046a 100644
--- a/meta/recipes-extended/wget/wget_1.14.bb
+++ b/meta/recipes-extended/wget/wget_1.14.bb
@@ -3,6 +3,7 @@ PR = "${INC_PR}.0"
SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://fix_makefile.patch \
file://fix_doc.patch \
+ file://wget_cve-2014-4877.patch \
"
SRC_URI[md5sum] = "12edc291dba8127f2e9696e69f36299e"
SRC_URI[sha256sum] = "f3a6898e3a765bb94435b04a6668db9e5d19b3e90e0c69a503a2773ae936c269"