
Bug 612326 (CVE-2017-6508)

Summary: <net-misc/wget-1.19.1-r1: CRLF injection in the url_parse function in url.c (CVE-2017-6508)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html
Whiteboard: B2 [glsa cve]
Package list:
=net-misc/wget-1.19.1-r1
Runtime testing required: ---
Bug Depends on: 609244, 612376
Bug Blocks: 612498

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-11 16:03:52 UTC
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-11 16:06:45 UTC
Upstream patch:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-11 19:49:27 UTC
commit ae9ba23240bc2dda1b90887732451801b96117f1
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Mar 11 20:43:33 2017

    net-misc/wget: Security revbump to fix CRLF injection (bug #612326).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2

Arches please test and mark stable =net-misc/wget-1.19.1-r1 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 3 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:26:52 UTC
arm ppc ppc64 stable.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:40:59 UTC
arm64 stable w/ following additions

=dev-perl/HTTP-Message-6.110.0
=virtual/perl-IO-Compress-2.68.1_rc
=virtual/perl-Compress-Raw-Bzip2-2.68.0-r1
=virtual/perl-IO-1.350.100_rc
=virtual/perl-Compress-Raw-Zlib-2.68.0-r1
=dev-perl/URI-1.710.0
=dev-perl/IO-HTML-1.1.0
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-13 12:59:17 UTC
amd64 stable
Comment 6 Alexander Bezrukov 2017-03-13 17:21:02 UTC
Please note, net-misc/wget-1.19.1-r1 has linking issue with USE=idn, see bug #612498.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-14 16:22:06 UTC
Stable for HPPA.
Comment 8 Matt Turner gentoo-dev 2017-03-18 15:46:56 UTC
sparc stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 13:56:09 UTC
CVE-2017-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6508):
  CRLF injection vulnerability in the url_parse function in url.c in Wget
  through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via
  CRLF sequences in the host subcomponent of a URL.
Comment 10 Matt Turner gentoo-dev 2017-03-20 01:07:13 UTC
alpha stable
Comment 11 Matt Turner gentoo-dev 2017-03-20 06:18:22 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-21 14:34:39 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-23 20:32:03 UTC
New GLSA request filed.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 21:15:10 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4954
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:15:19 UTC
This issue was resolved and addressed in
 GLSA 201706-16 at https://security.gentoo.org/glsa/201706-16
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-20 17:16:02 UTC
Reopen for cleanup
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-20 18:03:13 UTC
Repository is clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c6e0d3c61d35a6669b0091f4548fb199250eb7), all done.