Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612326 (CVE-2017-6508) - <net-misc/wget-1.19.1-r1: CRLF injection in the url_parse function in url.c (CVE-2017-6508)
Summary: <net-misc/wget-1.19.1-r1: CRLF injection in the url_parse function in url.c (...
Status: RESOLVED FIXED
Alias: CVE-2017-6508
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/bug...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 609244 612376
Blocks: 612498
  Show dependency tree
 
Reported: 2017-03-11 16:03 UTC by Thomas Deutschmann
Modified: 2017-06-20 18:03 UTC (History)
1 user (show)

See Also:
Package list:
=net-misc/wget-1.19.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-03-11 16:03:52 UTC
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2017-03-11 19:49:27 UTC
commit ae9ba23240bc2dda1b90887732451801b96117f1
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Mar 11 20:43:33 2017

    net-misc/wget: Security revbump to fix CRLF injection (bug #612326).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2



Arches please test and mark stable =net-misc/wget-1.19.1-r1 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 3 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:26:52 UTC
arm ppc ppc64 stable.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:40:59 UTC
arm64 stable w/ following additions

=dev-perl/HTTP-Message-6.110.0
=virtual/perl-IO-Compress-2.68.1_rc
=virtual/perl-Compress-Raw-Bzip2-2.68.0-r1
=virtual/perl-IO-1.350.100_rc
=virtual/perl-Compress-Raw-Zlib-2.68.0-r1
=dev-perl/URI-1.710.0
=dev-perl/IO-HTML-1.1.0
Comment 5 Agostino Sarubbo gentoo-dev 2017-03-13 12:59:17 UTC
amd64 stable
Comment 6 Alexander Bezrukov 2017-03-13 17:21:02 UTC
Please note, net-misc/wget-1.19.1-r1 has linking issue with USE=idn, see bug #612498.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-14 16:22:06 UTC
Stable for HPPA.
Comment 8 Matt Turner gentoo-dev 2017-03-18 15:46:56 UTC
sparc stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 13:56:09 UTC
CVE-2017-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6508):
  CRLF injection vulnerability in the url_parse function in url.c in Wget
  through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via
  CRLF sequences in the host subcomponent of a URL.
Comment 10 Matt Turner gentoo-dev 2017-03-20 01:07:13 UTC
alpha stable
Comment 11 Matt Turner gentoo-dev 2017-03-20 06:18:22 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-03-21 14:34:39 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-03-23 20:32:03 UTC
New GLSA request filed.
Comment 14 Thomas Deutschmann gentoo-dev Security 2017-06-17 21:15:10 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4954
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:15:19 UTC
This issue was resolved and addressed in
 GLSA 201706-16 at https://security.gentoo.org/glsa/201706-16
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-20 17:16:02 UTC
Repoen for cleanup
Comment 17 Thomas Deutschmann gentoo-dev Security 2017-06-20 18:03:13 UTC
Repository is clean (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c6e0d3c61d35a6669b0091f4548fb199250eb7), all done.