authorAndrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>2019-10-02 23:07:35 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-10 16:52:30 +0100
commit93cde0830101b26e598f7366fbaccb3f493d1f7f (patch)
tree0551e52402981462132b0faa27f9fdd16ad34cd8
parent6d5867a94c153ba058689ff33129d73cf4158a1e (diff)
downloadpoky-93cde0830101b26e598f7366fbaccb3f493d1f7f.tar.gz
wget: Security fixes CVE-2018-20483
Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description: Fixes CVE-2018-20483

(From OE-Core rev: c901bc8cd9de5853185af2059c6f1efeb4ccdd60)

Signed-off-by: Aviraj CJ <acj@cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch73
-rw-r--r--meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch127
-rw-r--r--meta/recipes-extended/wget/wget_1.19.5.bb2
3 files changed, 202 insertions, 0 deletions
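--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c | 4 ----
+ src/main.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+ opt.hsts = true;
+ #endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+ opt.enable_xattr = false;
+-#endif
+ }
+
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+ N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+ #endif
+ "\n",
+
+--
+2.19.1
+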
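--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+ reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c | 2 +-
+ src/http.c | 4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h | 3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+ #ifdef ENABLE_XATTR
+ if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ #endif
+
+ fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ if (opt.enable_xattr)
+ {
+ if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+ else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ }
+ #endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+ /* Save metadata about where the file came from (requested, final URLs) to
+ * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+ * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+ */
+ int retval = -1;
++ char *value;
+
+ if (!origin_url || !fp)
+ return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+ return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+ along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+ #include <stdio.h>
++#include <url.h>
+
+ #ifndef _XATTR_H
+ #define _XATTR_H
+
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+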
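Review bot: In the xattr.c hunk, `url_string (origin_url, URL_AUTH_HIDE)` removes only the userinfo from the origin URL; the path and query are still written to `user.xdg.origin.url`, and the p1 documentation in this same commit warns that access tokens may live in the URL itself. That residual exposure belongs next to the call so a later reader does not assume `--xattr` is now safe for tokenized URLs: `/* URL_AUTH_HIDE drops user:password only; path and query are stored as-is. */`. The Referer branch is deliberately narrower — just scheme, host and port are copied into the zeroed `struct url u` — and a one-line comment there (`/* Referer is reduced to scheme://host:port; no path, query or auth. */`) would make the asymmetry between the two attributes explicit. Separately, the xattr.h hunk adds `#include <url.h>` in angle brackets while xattr.c includes project headers with quotes (`#include "log.h"`, `#include "utils.h"`); `#include "url.h"` would be consistent.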
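--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
  file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
  file://0002-improve-reproducibility.patch \
  file://CVE-2019-5953.patch \
+ file://CVE-2018-20483_p1.patch \
+ file://CVE-2018-20483_p2.patch \
  "
 
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"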