wget: Fix for CVE-2014-4887

(From OE-Core rev: 52f9eebe86e4b641229b524dd7701c01d9ed833c) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Saul Wold <sgw@linux.intel.com> 2014-11-05 21:08:53 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-11-06 11:40:38 +0000
commit: e76d790bbf116c33c8f799527e1a03d4c6762521 (patch)
tree: bcdcc9bb4bedf55052642700c84230bac12b98f1
parent: b60383c1b94c10b81da19602b162daec547a3565 (diff)
download: poky-e76d790bbf116c33c8f799527e1a03d4c6762521.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch
new file mode 100644
index 0000000000..bfcc36ea9e
--- /dev/null
+++ b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch
@@ -0,0 +1,78 @@
+From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
+From: Darshit Shah <darnir@gmail.com>
+Date: Sun, 07 Sep 2014 19:11:17 +0000
+Subject: CVE-2014-4877: Arbitrary Symlink Access
+Wget was susceptible to a symlink attack which could create arbitrary
+files, directories or symbolic links and set their permissions when
+retrieving a directory recursively through FTP. This commit changes the
+default settings in Wget such that Wget no longer creates local symbolic
+links, but rather traverses them and retrieves the pointed-to file in
+such a retrieval.
+The old behaviour can be attained by passing the --retr-symlinks=no
+option to the Wget invokation command.
+---
+diff --git a/doc/wget.texi b/doc/wget.texi
+index aef1f80..d7a4c94 100644
+--- a/doc/wget.texi
+++ b/doc/wget.texi
+@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
+ 
+ @cindex symbolic links, retrieving
+ @item --retr-symlinks
+-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
+-link is encountered, the linked-to file is not downloaded.  Instead, a
+-matching symbolic link is created on the local filesystem.  The
+-pointed-to file will not be downloaded unless this recursive retrieval
+-would have encountered it separately and downloaded it anyway.
+-
+-When @samp{--retr-symlinks} is specified, however, symbolic links are
+-traversed and the pointed-to files are retrieved.  At this time, this
+-option does not cause Wget to traverse symlinks to directories and
+-recurse through them, but in the future it should be enhanced to do
+-this.
+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
+is encountered, the symbolic link is traversed and the pointed-to files are
+retrieved.  Currently, Wget does not traverse symbolic links to directories to
+download them recursively, though this feature may be added in the future.
+
+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
+downloaded.  Instead, a matching symbolic link is created on the local
+filesystem.  The pointed-to file will not be retrieved unless this recursive
+retrieval would have encountered it separately and downloaded it anyway.  This
+option poses a security risk where a malicious FTP Server may cause Wget to
+write to files outside of the intended directories through a specially crafted
+@sc{.listing} file.
+ 
+ Note that when retrieving a file (not a directory) because it was
+ specified on the command-line, rather than because it was recursed to,
+diff --git a/src/init.c b/src/init.c
+index 09557af..3bdaa48 100644
+--- a/src/init.c
+++ b/src/init.c
+@@ -366,6 +366,22 @@ defaults (void)
+ 
+   opt.dns_cache = true;
+   opt.ftp_pasv = true;
+  /* 2014-09-07  Darshit Shah  <darnir@gmail.com>
+   * opt.retr_symlinks is set to true by default. Creating symbolic links on the
+   * local filesystem pose a security threat by malicious FTP Servers that
+   * server a specially crafted .listing file akin to this:
+   *
+   * lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /
+   * drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU
+   *
+   * A .listing file in this fashion makes Wget susceptiple to a symlink attack
+   * wherein the attacker is able to create arbitrary files, directories and
+   * symbolic links on the target system and even set permissions.
+   *
+   * Hence, by default Wget attempts to retrieve the pointed-to files and does
+   * not create the symbolic links locally.
+   */
+  opt.retr_symlinks = true;
+ 
+ #ifdef HAVE_SSL
+   opt.check_cert = true;
+--
+cgit v0.9.0.2
diff --git a/meta/recipes-extended/wget/wget_1.14.bb b/meta/recipes-extended/wget/wget_1.14.bb
index b12c14711d..48c237046a 100644
--- a/meta/recipes-extended/wget/wget_1.14.bb
+++ b/meta/recipes-extended/wget/wget_1.14.bb
@@ -3,6 +3,7 @@ PR = "${INC_PR}.0"
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
           file://fix_makefile.patch \
           file://fix_doc.patch \
+           file://wget_cve-2014-4877.patch \
          "
 SRC_URI[md5sum] = "12edc291dba8127f2e9696e69f36299e"
 SRC_URI[sha256sum] = "f3a6898e3a765bb94435b04a6668db9e5d19b3e90e0c69a503a2773ae936c269"
author	Saul Wold <sgw@linux.intel.com>	2014-11-05 21:08:53 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-11-06 11:40:38 +0000
commit	e76d790bbf116c33c8f799527e1a03d4c6762521 (patch)
tree	bcdcc9bb4bedf55052642700c84230bac12b98f1
parent	b60383c1b94c10b81da19602b162daec547a3565 (diff)
download	poky-e76d790bbf116c33c8f799527e1a03d4c6762521.tar.gz

diff --git a/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch new file mode 100644 index 0000000000..bfcc36ea9e --- /dev/null +++ b/meta/recipes-extended/wget/wget-1.14/wget_cve-2014-4877.patch
@@ -0,0 +1,78 @@
		1	From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
		2	From: Darshit Shah <darnir@gmail.com>
		3	Date: Sun, 07 Sep 2014 19:11:17 +0000
		4	Subject: CVE-2014-4877: Arbitrary Symlink Access
		5
		6	Wget was susceptible to a symlink attack which could create arbitrary
		7	files, directories or symbolic links and set their permissions when
		8	retrieving a directory recursively through FTP. This commit changes the
		9	default settings in Wget such that Wget no longer creates local symbolic
		10	links, but rather traverses them and retrieves the pointed-to file in
		11	such a retrieval.
		12
		13	The old behaviour can be attained by passing the --retr-symlinks=no
		14	option to the Wget invokation command.
		15	---
		16	diff --git a/doc/wget.texi b/doc/wget.texi
		17	index aef1f80..d7a4c94 100644
		18	--- a/doc/wget.texi
		19	+++ b/doc/wget.texi
		20	@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
		21
		22	@cindex symbolic links, retrieving
		23	@item --retr-symlinks
		24	-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
		25	-link is encountered, the linked-to file is not downloaded. Instead, a
		26	-matching symbolic link is created on the local filesystem. The
		27	-pointed-to file will not be downloaded unless this recursive retrieval
		28	-would have encountered it separately and downloaded it anyway.
		29	-
		30	-When @samp{--retr-symlinks} is specified, however, symbolic links are
		31	-traversed and the pointed-to files are retrieved. At this time, this
		32	-option does not cause Wget to traverse symlinks to directories and
		33	-recurse through them, but in the future it should be enhanced to do
		34	-this.
		35	+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
		36	+is encountered, the symbolic link is traversed and the pointed-to files are
		37	+retrieved. Currently, Wget does not traverse symbolic links to directories to
		38	+download them recursively, though this feature may be added in the future.
		39	+
		40	+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
		41	+downloaded. Instead, a matching symbolic link is created on the local
		42	+filesystem. The pointed-to file will not be retrieved unless this recursive
		43	+retrieval would have encountered it separately and downloaded it anyway. This
		44	+option poses a security risk where a malicious FTP Server may cause Wget to
		45	+write to files outside of the intended directories through a specially crafted
		46	+@sc{.listing} file.
		47
		48	Note that when retrieving a file (not a directory) because it was
		49	specified on the command-line, rather than because it was recursed to,
		50	diff --git a/src/init.c b/src/init.c
		51	index 09557af..3bdaa48 100644
		52	--- a/src/init.c
		53	+++ b/src/init.c
		54	@@ -366,6 +366,22 @@ defaults (void)
		55
		56	opt.dns_cache = true;
		57	opt.ftp_pasv = true;
		58	+ /* 2014-09-07 Darshit Shah <darnir@gmail.com>
		59	+ * opt.retr_symlinks is set to true by default. Creating symbolic links on the
		60	+ * local filesystem pose a security threat by malicious FTP Servers that
		61	+ * server a specially crafted .listing file akin to this:
		62	+ *
		63	+ * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> /
		64	+ * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU
		65	+ *
		66	+ * A .listing file in this fashion makes Wget susceptiple to a symlink attack
		67	+ * wherein the attacker is able to create arbitrary files, directories and
		68	+ * symbolic links on the target system and even set permissions.
		69	+ *
		70	+ * Hence, by default Wget attempts to retrieve the pointed-to files and does
		71	+ * not create the symbolic links locally.
		72	+ */
		73	+ opt.retr_symlinks = true;
		74
		75	#ifdef HAVE_SSL
		76	opt.check_cert = true;
		77	--
		78	cgit v0.9.0.2


diff --git a/meta/recipes-extended/wget/wget_1.14.bb b/meta/recipes-extended/wget/wget_1.14.bb index b12c14711d..48c237046a 100644 --- a/meta/recipes-extended/wget/wget_1.14.bb +++ b/meta/recipes-extended/wget/wget_1.14.bb
@@ -3,6 +3,7 @@ PR = "${INC_PR}.0"
3	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \	3	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
4	file://fix_makefile.patch \	4	file://fix_makefile.patch \
5	file://fix_doc.patch \	5	file://fix_doc.patch \
		6	file://wget_cve-2014-4877.patch \
6	"	7	"
7	SRC_URI[md5sum] = "12edc291dba8127f2e9696e69f36299e"	8	SRC_URI[md5sum] = "12edc291dba8127f2e9696e69f36299e"
8	SRC_URI[sha256sum] = "f3a6898e3a765bb94435b04a6668db9e5d19b3e90e0c69a503a2773ae936c269"	9	SRC_URI[sha256sum] = "f3a6898e3a765bb94435b04a6668db9e5d19b3e90e0c69a503a2773ae936c269"