File wget-CVE-2014-4877.patch of Package wget

Overview Repositories Revisions Requests Users Attributes Meta

File wget-CVE-2014-4877.patch of Package wget

From 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gmail.com>
Date: Sun, 07 Sep 2014 19:11:17 +0000
Subject: CVE-2014-4877: Arbitrary Symlink Access

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP. This commit changes the
default settings in Wget such that Wget no longer creates local symbolic
links, but rather traverses them and retrieves the pointed-to file in
such a retrieval.

The old behaviour can be attained by passing the --retr-symlinks=no
option to the Wget invokation command.
---
Index: wget-1.14/doc/ChangeLog
===================================================================
--- wget-1.14.orig/doc/ChangeLog	2012-08-04 10:43:28.000000000 +0200
+++ wget-1.14/doc/ChangeLog	2014-11-03 13:56:23.819708307 +0100
@@ -1,3 +1,9 @@
+2014-09-08  Darshit Shah  <darnir@gmail.com>
+
+	* wget.texi (symbolic links): Update documentation of retr-symlinks to
+	reflect the new default. Add warning about potential security issues with
+	--retr-symlinks=yes.
+
 2012-08-04  mancha <mancha@mac.hush.com> (tiny change)
 
 	* wget.texi: Export ENVIRONMENT to the man page.
Index: wget-1.14/doc/wget.texi
===================================================================
--- wget-1.14.orig/doc/wget.texi	2012-08-04 10:41:52.000000000 +0200
+++ wget-1.14/doc/wget.texi	2014-11-03 13:56:23.820708319 +0100
@@ -1779,17 +1779,18 @@
 
 @cindex symbolic links, retrieving
 @item --retr-symlinks
-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
-link is encountered, the linked-to file is not downloaded.  Instead, a
-matching symbolic link is created on the local filesystem.  The
-pointed-to file will not be downloaded unless this recursive retrieval
-would have encountered it separately and downloaded it anyway.
+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
+is encountered, the symbolic link is traversed and the pointed-to files are
+retrieved.  Currently, Wget does not traverse symbolic links to directories to
+download them recursively, though this feature may be added in the future.
 
-When @samp{--retr-symlinks} is specified, however, symbolic links are
-traversed and the pointed-to files are retrieved.  At this time, this
-option does not cause Wget to traverse symlinks to directories and
-recurse through them, but in the future it should be enhanced to do
-this.
+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
+downloaded.  Instead, a matching symbolic link is created on the local
+filesystem.  The pointed-to file will not be retrieved unless this recursive
+retrieval would have encountered it separately and downloaded it anyway.  This
+option poses a security risk where a malicious FTP Server may cause Wget to
+write to files outside of the intended directories through a specially crafted
+@sc{.listing} file.
 
 Note that when retrieving a file (not a directory) because it was
 specified on the command-line, rather than because it was recursed to,
Index: wget-1.14/src/ChangeLog
===================================================================
--- wget-1.14.orig/src/ChangeLog	2012-07-08 11:36:29.000000000 +0200
+++ wget-1.14/src/ChangeLog	2014-11-03 13:56:23.823708353 +0100
@@ -1,3 +1,8 @@
+2014-09-08  Darshit Shah  <darnir@gmail.com>
+
+	* init.c (defaults): Set retr-symlinks to true by default. This changes a
+	default setting of wget. Fixes security bug CVE-2014-4877
+
 2012-07-03  Steven Schubiger  <stsc@member.fsf.org>
 
 	* init.c: Include warc.h for warc_close in cleanup function.
Index: wget-1.14/src/init.c
===================================================================
--- wget-1.14.orig/src/init.c	2012-07-08 11:35:36.000000000 +0200
+++ wget-1.14/src/init.c	2014-11-03 13:56:23.823708353 +0100
@@ -357,6 +357,22 @@
 
   opt.dns_cache = true;
   opt.ftp_pasv = true;
+  /* 2014-09-07  Darshit Shah  <darnir@gmail.com>
+   * opt.retr_symlinks is set to true by default. Creating symbolic links on the
+   * local filesystem pose a security threat by malicious FTP Servers that
+   * server a specially crafted .listing file akin to this:
+   *
+   * lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /
+   * drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU
+   *
+   * A .listing file in this fashion makes Wget susceptiple to a symlink attack
+   * wherein the attacker is able to create arbitrary files, directories and
+   * symbolic links on the target system and even set permissions.
+   *
+   * Hence, by default Wget attempts to retrieve the pointed-to files and does
+   * not create the symbolic links locally.
+   */
+  opt.retr_symlinks = true;
 
 #ifdef HAVE_SSL
   opt.check_cert = true;

Places

File wget-CVE-2014-4877.patch of Package wget

Places