Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 286058 (CVE-2009-3490)

Summary: <net-misc/wget-1.12: X.509 NUL character spoofing (CVE-2009-3490)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system, polynomial-c
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Description Flags
wget-1.12.ebuild.diff none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 09:16:57 UTC
From the Changelog:
** SECURITY FIX: It had been possible to trick Wget into accepting
SSL certificates that don't match the host name, through the trick of
embedding NUL characters into the certs' common name. Fixed by Joao
Ferreira <joao <at>>.

This issue is related to CVE-2009-2408 (
Comment 1 SpanKY gentoo-dev 2009-09-23 16:34:16 UTC
wget-1.12 now in the tree
Comment 2 SpanKY gentoo-dev 2009-09-23 16:59:52 UTC
erp, didnt mean to close the bug
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-09-23 17:16:41 UTC
Created attachment 205034 [details, diff]

wget-1.12 makes use of libidn when being found in the system and not explicitly disabled through configure:

# ldd /usr/bin/wget | grep idn => /usr/lib/ (0x00007f2b11074000)

Please find attached an ebuild patch which incorporates the idn USE flag...

By the way, is the linking patch no longer necessary or was it dropped because it doesn't apply anymore? If the latter is true, I created a new linking patch for wget-1.12. Just let me know if you want that patch.
Comment 4 SpanKY gentoo-dev 2009-09-23 19:57:42 UTC
thanks, that looks good to me
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-30 21:51:14 UTC
CVE-2009-3490 (
  GNU Wget before 1.12 does not properly handle a '\0' character in a
  domain name in the Common Name field of an X.509 certificate, which
  allows man-in-the-middle remote attackers to spoof arbitrary SSL
  servers via a crafted certificate issued by a legitimate
  Certification Authority, a related issue to CVE-2009-2408.

Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-06 18:20:58 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-06 22:32:18 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-06 23:39:10 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-10-07 18:44:31 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Markus Meier gentoo-dev 2009-10-07 19:08:32 UTC
amd64 stable
Comment 11 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-15 15:29:44 UTC
ppc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-10-18 14:26:53 UTC
ppc64 done
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-21 12:29:35 UTC
GLSA 200910-10