Summary: | <net-misc/wget-1.12: X.509 NUL character spoofing (CVE-2009-3490) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | base-system, polynomial-c | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://permalink.gmane.org/gmane.comp.web.wget.general/8972 | ||||||
Whiteboard: | A3 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Alex Legler (RETIRED)
2009-09-23 09:16:57 UTC
wget-1.12 now in the tree erp, didnt mean to close the bug Created attachment 205034 [details, diff]
wget-1.12.ebuild.diff
wget-1.12 makes use of libidn when being found in the system and not explicitly disabled through configure:
# ldd /usr/bin/wget | grep idn
libidn.so.11 => /usr/lib/libidn.so.11 (0x00007f2b11074000)
Please find attached an ebuild patch which incorporates the idn USE flag...
By the way, is the linking patch no longer necessary or was it dropped because it doesn't apply anymore? If the latter is true, I created a new linking patch for wget-1.12. Just let me know if you want that patch.
thanks, that looks good to me CVE-2009-3490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3490): GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Arches, please test and mark stable: =net-misc/wget-1.12 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" x86 stable Stable for HPPA. alpha/arm/ia64/m68k/s390/sh/sparc stable amd64 stable ppc stable ppc64 done GLSA 200910-10 |