Re: Re: CVE request for wget

[Austin English <austinenglish () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/24/2015 12:05 PM, Austin English wrote:
> On Tue, Nov 3, 2015 at 10:19 PM, Austin English
> <austinenglish () gmail com> wrote:
> > And 1.7 is now out as well: 
> > https://tails.boum.org/news/version_1.7/index.en.html
> >
> > With the fix included and documented
> >
> > On Mon, Nov 2, 2015 at 2:37 AM, Austin English
> > <austinenglish () gmail com> wrote:
> > > The fix has been released in 1.7-rc1, 
> > > https://tails.boum.org/news/test_1.7-rc1/index.en.html
> > >
> > > On Mon, Oct 26, 2015 at 3:21 PM, Austin English
> > > <austinenglish () gmail com> wrote:
> > > > On Thu, Oct 1, 2015 at 6:10 PM, Seth Arnold
> > > > <seth.arnold () canonical com> wrote:
> > > > > On Thu, Oct 01, 2015 at 06:57:26PM -0400,
> > > > > cve-assign () mitre org wrote:
> > > > > > If there is any additional Tails vulnerability related to
> > > > > > this, another CVE ID may be needed. For example,
> > > > > >
> > > > > > https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00050.html
says
> > > > > > to be 100% sure, you should add --passive-ftp to your
> > > > > > command line. If you don't do that, your /etc/wgetrc or
> > > > > > ~/.wgetrc could include --no-passive-ftp (or passiveftp =
> > > > > > off).
> > > > > >
> > > > > > If Tails is supposed to try to ensure that, perhaps
> > > > > > there's a requirement to have something like:
> > > > > >
> > > > > > alias wget="wget --passive-ftp"
> > > > > >
> > > > > > in a system-wide location (possibly /etc/bash.bashrc).
> > > > > > The concept of CVE IDs for "failure of a torify step"
> > > > > > issues is new, and we aren't sure of the best approach.
> > > > >
> > > > > I suspect using a bash alias in a site-wide config might
> > > > > then qualify for another CVE in the future, along the lines
> > > > > of "programs that spawn wget via system(3), popen(3), or
> > > > > exec family of functions can use unsafe active mode by
> > > > > accident". If Tails is in the business of fixing these
> > > > > things for safety, removing active ftp support from tools
> > > > > seems like better fix.
> > > > >
> > > > > Thanks
> > > >
> > > > A fix has been applied to Tails git:
> > > >
> > > > https://labs.riseup.net/code/projects/tails/repository/revisions/b9
fd6312435d55dd0bc0b6abdb7994da4d66e2b2
> > > >
In short, the wget binary is moved to /usr/lib/wget/wget, and a
> > > > wrapper script is put in place in /usr/bin/wget. The wrapper
> > > > ensures that wget is called via torsocks, and additionally,
> > > > also forces --passive-ftp.
> > > >
> > > > Moving wget to /usr/lib/wget/wget gets the potentially
> > > > dangerous wget binary out of $PATH. A dedicated attacker
> > > > could check if /usr/bin/wget is a script and then parse it to
> > > > find the actual binary, but that would need to be a very
> > > > dedicated attacker and at that point, there are more feasible
> > > > attacks available.
>
> This CVE has been fixed in a released version for quite some time, 
> what is needed to get this published/resolved?

Ping.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWxkmbAAoJEBT71+qgQZN7RpsP/1awlNnGYkiY5EZtywc+6zYV
/dIyEtmuQI41Yk2eVCImgXgHK4ZDd8YjOxI9Ad7SOoCVp83qEfHJmshWbihREefA
8ScXQ8LXs/F1265ylx26kOyWptqt2UbRaHUSadFGolE/B5im8D574kI1VBxTT7Uh
Qr/aoCRDysIloEAo354mzn8kxDQeyMcG1+UaLXPMRKvuSy4btYszY4dQpC9HYQiK
2UWqJda5r8AN38u0xtr1W6W+lYrO0HXqA5PRyHXlCEmdTpnhm+boUaBt+0XMQf/s
58nUjDEnt3l4R0U2U7Mph9Wv9zFVezIPyFavh9tdUi+Z9wDAvB0MGeSg3nub7DEw
2blC9tmy+FLooZ6DONYupLsrtE66Ugpj330ZLgZP2M/PXsEWd28U/lZs0SPN7WdB
UMKCrAjhmpJiVISae0/OABj+Ht2seeJC9a0z8PucrcFdQrc2nVaq3Rl0D9NDi4//
Rfj1jG1OdZpeBsHtApMRoNJ1EcWDddokjachvQgIWWM2H/G4XPfq9Y1SCvQ8W8NQ
9ek1m5XyRvkoAFngR30hfSpBEToRqS1CYMWcKnu03Ab+D56Mi78fFmbV99LmxIYX
I6uzb6BvAFDcEzn4x3xe9VJWIw4nc7obB+zgnMiWpMRlQz5TYjxIbb7+tBvJWDoK
HhSjXSFqiDRWRl8swuoN
=m327
-----END PGP SIGNATURE-----