CVE-2010-2252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2252): GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
We use wget for fetching packages as root, so let's fix this as soon as upstream reacts.
Sorry for bugspam!
For the sake of stating it, wget _should_ run with userpriv iirc by default. It does not solve the problem, but at least it seems to make it slightly more feasible to deal with.
I've added the upstream commit to wget-1.12-r2 (add --trust-server-names option that defaults to off).
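The filename-selection behaviour the CVE describes and the effect of the --trust-server-names fix, as an added illustrative model that is not wget's code and not from this bug thread. It simplifies wget's URL-to-filename rule to the last path segment, and the redirect chain and host names are constructed for the example.

```python
"""Model of destination-filename selection for a redirected download.

Vulnerable behaviour (wget 1.12, CVE-2010-2252): the name comes from the
final, server-provided URL.  Fixed default (wget-1.12-r2 with
--trust-server-names off): the name comes from the originally requested URL.
The filename rule is simplified to the last path segment (assumption);
wget's real url_file_name() handles more cases.
"""
from urllib.parse import urlparse, unquote


def url_basename(url: str) -> str:
    """Last path segment of a URL, percent-decoded; 'index.html' if empty."""
    path = unquote(urlparse(url).path)
    name = path.rsplit("/", 1)[-1]
    return name or "index.html"


def destination_name(redirect_chain, trust_server_names=False):
    """redirect_chain lists URLs from the requested one to the final response.
    With trust_server_names the final (server-chosen) URL decides the name,
    which is the behaviour the advisory describes; otherwise the original does.
    """
    source = redirect_chain[-1] if trust_server_names else redirect_chain[0]
    return url_basename(source)


def is_unsafe_name(name: str) -> bool:
    """Dotfiles (e.g. .wgetrc) or empty/parent names written into the working
    directory are the risk the advisory describes; flag them."""
    return name.startswith(".") or name in ("", "..")


# Constructed chain: a package fetch bounced to a URL ending in .wgetrc.
CHAIN = [
    "http://mirror.example/distfiles/pkg-1.0.tar.gz",
    "http://mirror.example/redirect/.wgetrc",
]

if __name__ == "__main__":
    for trust in (True, False):
        name = destination_name(CHAIN, trust)
        flag = "UNSAFE" if is_unsafe_name(name) else "ok"
        print(f"trust_server_names={trust}: writes {name!r} [{flag}]")
```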
Arches, please test and mark stable: =net-misc/wget-1.12-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 done
ppc64 done
Stable for HPPA PPC. Readding S390: Index: wget-1.12-r2.ebuild =================================================================== RCS file: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v retrieving revision 1.3 retrieving revision 1.4 diff -u -B -r1.3 -r1.4 --- wget-1.12-r2.ebuild 4 Sep 2010 01:42:04 -0000 1.3 +++ wget-1.12-r2.ebuild 4 Sep 2010 16:49:32 -0000 1.4 @@ -1,6 +1,6 @@ # Copyright 1999-2010 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.3 2010/09/04 01:4 2:04 phajdan.jr Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.4 2010/09/04 16:4 9:32 armin76 Exp $ EAPI="2" @@ -12,7 +12,7 @@ LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~spa rc-fbsd ~x86-fbsd" +KEYWORDS="alpha ~amd64 arm ~hppa ia64 m68k ~mips ~ppc ~ppc64 ~s390 sh sparc x86 ~sparc-fbs d ~x86-fbsd" IUSE="debug idn ipv6 nls ntlm +ssl static" RDEPEND="idn? ( net-dns/libidn )
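Review bot: the KEYWORDS hunk still leaves s390 at "~s390" even though the comment introducing it says "Readding S390" and an earlier comment reported s390 stable; as committed, this revision does not mark s390 stable, so a separate s390 stabilization change is still needed. The $Header hunk is the expected CVS keyword update and needs no action.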
s390 stable
GLSA request filed.
This issue was resolved and addressed in GLSA 201110-10 at http://security.gentoo.org/glsa/glsa-201110-10.xml by GLSA coordinator Tim Sammut (underling).