Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 286058 (CVE-2009-3490) - <net-misc/wget-1.12: X.509 NUL character spoofing (CVE-2009-3490)
Summary: <net-misc/wget-1.12: X.509 NUL character spoofing (CVE-2009-3490)
Alias: CVE-2009-3490
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2009-09-23 09:16 UTC by Alex Legler (RETIRED)
Modified: 2009-10-21 12:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

wget-1.12.ebuild.diff (wget-1.12.ebuild.diff,678 bytes, patch)
2009-09-23 17:16 UTC, Lars Wendler (Polynomial-C) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 09:16:57 UTC
From the Changelog:
** SECURITY FIX: It had been possible to trick Wget into accepting
SSL certificates that don't match the host name, through the trick of
embedding NUL characters into the certs' common name. Fixed by Joao
Ferreira <joao <at>>.

This issue is related to CVE-2009-2408 (
Comment 1 SpanKY gentoo-dev 2009-09-23 16:34:16 UTC
wget-1.12 now in the tree
Comment 2 SpanKY gentoo-dev 2009-09-23 16:59:52 UTC
erp, didnt mean to close the bug
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-09-23 17:16:41 UTC
Created attachment 205034 [details, diff]

wget-1.12 makes use of libidn when being found in the system and not explicitly disabled through configure:

# ldd /usr/bin/wget | grep idn => /usr/lib/ (0x00007f2b11074000)

Please find attached an ebuild patch which incorporates the idn USE flag...

By the way, is the linking patch no longer necessary or was it dropped because it doesn't apply anymore? If the latter is true, I created a new linking patch for wget-1.12. Just let me know if you want that patch.
Comment 4 SpanKY gentoo-dev 2009-09-23 19:57:42 UTC
thanks, that looks good to me
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-30 21:51:14 UTC
CVE-2009-3490 (
  GNU Wget before 1.12 does not properly handle a '\0' character in a
  domain name in the Common Name field of an X.509 certificate, which
  allows man-in-the-middle remote attackers to spoof arbitrary SSL
  servers via a crafted certificate issued by a legitimate
  Certification Authority, a related issue to CVE-2009-2408.

Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-06 18:20:58 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-06 22:32:18 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-06 23:39:10 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-10-07 18:44:31 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Markus Meier gentoo-dev 2009-10-07 19:08:32 UTC
amd64 stable
Comment 11 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-15 15:29:44 UTC
ppc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-10-18 14:26:53 UTC
ppc64 done
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-21 12:29:35 UTC
GLSA 200910-10