| Summary: | <net-misc/wget-1.12-r2: arbitrary code execution (CVE-2010-2252) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | jaak |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=602797 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=346151, https://bugs.gentoo.org/show_bug.cgi?id=585926 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-07-26 15:43:23 UTC
We use wget for fetching packages as root, so let's fix this as soon as upstream reacts.

Sorry for bugspam!

For the sake of stating it, wget _should_ run with userpriv iirc by default. Does not solve the problem, but at least it seems to make it slightly more feasible to deal with.

I've added the upstream commit to wget-1.12-r2 (add --trust-server-names option that defaults to off).

Arches, please test and mark stable: =net-misc/wget-1.12-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

x86 stable

alpha/arm/ia64/m68k/s390/sh/sparc stable

amd64 done

ppc64 done

Stable for HPPA PPC.

Readding S390:

Index: wget-1.12-r2.ebuild =================================================================== RCS file: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v retrieving revision 1.3 retrieving revision 1.4 diff -u -B -r1.3 -r1.4 --- wget-1.12-r2.ebuild 4 Sep 2010 01:42:04 -0000 1.3 +++ wget-1.12-r2.ebuild 4 Sep 2010 16:49:32 -0000 1.4 @@ -1,6 +1,6 @@ # Copyright 1999-2010 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.3 2010/09/04 01:4 2:04 phajdan.jr Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.4 2010/09/04 16:4 9:32 armin76 Exp $ EAPI="2" @@ -12,7 +12,7 @@ LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~spa rc-fbsd ~x86-fbsd" +KEYWORDS="alpha ~amd64 arm ~hppa ia64 m68k ~mips ~ppc ~ppc64 ~s390 sh sparc x86 ~sparc-fbs d ~x86-fbsd" IUSE="debug idn ipv6 nls ntlm +ssl static" RDEPEND="idn? ( net-dns/libidn )

s390 stable

GLSA request filed.

This issue was resolved and addressed in GLSA 201110-10 at http://security.gentoo.org/glsa/glsa-201110-10.xml by GLSA coordinator Tim Sammut (underling).
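Review bot: in the KEYWORDS hunk (`@@ -12,7 +12,7 @@`) the new line still carries `~amd64 ~hppa ~ppc ~ppc64 ~s390`, so revision 1.4 only stabilises alpha, arm, ia64, m68k, sh and sparc; the amd64, ppc64, hppa, ppc and s390 marks reported elsewhere in this bug must land in later revisions, and since the comment introducing the diff says "Readding S390", it is worth confirming that a tilde `~s390` is what was intended rather than a stable `s390`. Separately, `~spa rc-fbsd` on the `-` line and `~sparc-fbs d` on the `+` line are split mid-token, which reads as line wrapping in the pasted diff rather than a real change to the ebuild; the committed line should be checked to contain `~sparc-fbsd` intact.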
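As an added illustration of what the `--trust-server-names` option from the thread controls (my own simplified model, not wget's source and not the ebuild patch), the rule for naming a downloaded file after a 3xx redirect, with the option off by default as in wget-1.12-r2; the function names, the `is_safe_filename` check and the sample URLs are assumptions:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed simplification of wget's behaviour for illustration only.

def last_path_component(url: str) -> str:
    """Last path segment of a URL, percent-decoded; 'index.html' when the path ends in '/'."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path) or "index.html"

def local_filename(requested_url: str, final_url: str, trust_server_names: bool = False) -> str:
    """Pick the on-disk name for a download that went through a 3xx redirect.

    trust_server_names=False (the default after the fix): the name comes from the
    URL the user asked for, so a redirecting server cannot choose where the file lands.
    trust_server_names=True (the old unconditional behaviour): the name comes from
    the final redirect target.
    """
    source = final_url if trust_server_names else requested_url
    return last_path_component(source)

def is_safe_filename(name: str) -> bool:
    """Defensive check on the chosen name: no path separators, no '.'/'..', and no
    dotfile, so a fetched file can never masquerade as a config file in the cwd."""
    return (
        name not in ("", ".", "..")
        and "/" not in name
        and "\\" not in name
        and not name.startswith(".")
    )

def fetch_name_or_refuse(requested_url: str, final_url: str,
                         trust_server_names: bool = False) -> Optional[str]:
    """Return the name to save under, or None when the caller should abort the download."""
    name = local_filename(requested_url, final_url, trust_server_names)
    return name if is_safe_filename(name) else None

if __name__ == "__main__":
    # Constructed sample: a mirror redirects a distfile request to a CDN path whose
    # last component is an opaque id (example hosts, not real servers).
    asked = "http://mirror.example/distfiles/foo-1.0.tar.gz"
    landed = "http://cdn.example/objects/4f2a9c"
    print(fetch_name_or_refuse(asked, landed))        # foo-1.0.tar.gz
    print(fetch_name_or_refuse(asked, landed, True))  # 4f2a9c
```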