Blame SOURCES/wget-1.14-CVE-2014-4877.patch

87e294
From 043366ac3248a58662a6fbf47a1dd688a75d0e78 Mon Sep 17 00:00:00 2001
87e294
From: Darshit Shah <darnir@gmail.com>
87e294
Date: Mon, 8 Sep 2014 00:41:17 +0530
87e294
Subject: [PATCH 1/2] Fix R7-2014-15: Arbitrary Symlink Access
87e294
87e294
Wget was susceptible to a symlink attack which could create arbitrary
87e294
files, directories or symbolic links and set their permissions when
87e294
retrieving a directory recursively through FTP. This commit changes the
87e294
default settings in Wget such that Wget no longer creates local symbolic
87e294
links, but rather traverses them and retrieves the pointed-to file in
87e294
such a retrieval.
87e294
87e294
The old behaviour can be attained by passing the --retr-symlinks=no
87e294
option to the Wget invokation command.
87e294
---
87e294
 doc/wget.texi | 23 ++++++++++++-----------
87e294
 src/init.c    | 16 ++++++++++++++++
87e294
 2 files changed, 28 insertions(+), 11 deletions(-)
87e294
87e294
diff --git a/doc/wget.texi b/doc/wget.texi
87e294
index a31eb5e..f54e98d 100644
87e294
--- a/doc/wget.texi
87e294
+++ b/doc/wget.texi
87e294
@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
87e294
 
87e294
 @cindex symbolic links, retrieving
87e294
 @item --retr-symlinks
87e294
-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
87e294
-link is encountered, the linked-to file is not downloaded.  Instead, a
87e294
-matching symbolic link is created on the local filesystem.  The
87e294
-pointed-to file will not be downloaded unless this recursive retrieval
87e294
-would have encountered it separately and downloaded it anyway.
87e294
-
87e294
-When @samp{--retr-symlinks} is specified, however, symbolic links are
87e294
-traversed and the pointed-to files are retrieved.  At this time, this
87e294
-option does not cause Wget to traverse symlinks to directories and
87e294
-recurse through them, but in the future it should be enhanced to do
87e294
-this.
87e294
+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
87e294
+is encountered, the symbolic link is traversed and the pointed-to files are
87e294
+retrieved.  Currently, Wget does not traverse symbolic links to directories to
87e294
+download them recursively, though this feature may be added in the future.
87e294
+
87e294
+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
87e294
+downloaded.  Instead, a matching symbolic link is created on the local
87e294
+filesystem.  The pointed-to file will not be retrieved unless this recursive
87e294
+retrieval would have encountered it separately and downloaded it anyway.  This
87e294
+option poses a security risk where a malicious FTP Server may cause Wget to
87e294
+write to files outside of the intended directories through a specially crafted
87e294
+@sc{.listing} file.
87e294
 
87e294
 Note that when retrieving a file (not a directory) because it was
87e294
 specified on the command-line, rather than because it was recursed to,
87e294
diff --git a/src/init.c b/src/init.c
87e294
index 93e95f8..94b6f8b 100644
87e294
--- a/src/init.c
87e294
+++ b/src/init.c
87e294
@@ -366,6 +366,22 @@ defaults (void)
87e294
 
87e294
   opt.dns_cache = true;
87e294
   opt.ftp_pasv = true;
87e294
+  /* 2014-09-07  Darshit Shah  <darnir@gmail.com>
87e294
+   * opt.retr_symlinks is set to true by default. Creating symbolic links on the
87e294
+   * local filesystem pose a security threat by malicious FTP Servers that
87e294
+   * server a specially crafted .listing file akin to this:
87e294
+   *
87e294
+   * lrwxrwxrwx   1 root     root           33 Dec 25  2012 JoCxl6d8rFU -> /
87e294
+   * drwxrwxr-x  15 1024     106          4096 Aug 28 02:02 JoCxl6d8rFU
87e294
+   *
87e294
+   * A .listing file in this fashion makes Wget susceptiple to a symlink attack
87e294
+   * wherein the attacker is able to create arbitrary files, directories and
87e294
+   * symbolic links on the target system and even set permissions.
87e294
+   *
87e294
+   * Hence, by default Wget attempts to retrieve the pointed-to files and does
87e294
+   * not create the symbolic links locally.
87e294
+   */
87e294
+  opt.retr_symlinks = true;
87e294
 
87e294
 #ifdef HAVE_SSL
87e294
   opt.check_cert = true;
87e294
-- 
87e294
2.1.0
87e294
87e294
From bfa8c9cc9937f686a4de110e49710061267f8d9e Mon Sep 17 00:00:00 2001
87e294
From: Darshit Shah <darnir@gmail.com>
87e294
Date: Mon, 8 Sep 2014 15:07:45 +0530
87e294
Subject: [PATCH 2/2] Add checks for valid listing file in FTP
87e294
87e294
When Wget retrieves a file through FTP, it first downloads a .listing
87e294
file and parses it for information about the files and other metadata.
87e294
Some servers may serve invalid .listing files. This patch checks for one
87e294
such known inconsistency wherein multiple lines in a listing file have
87e294
the same name. Such a filesystem is clearly not possible and hence we
87e294
eliminate duplicate entries here.
87e294
87e294
Signed-off-by: Darshit Shah <darnir@gmail.com>
87e294
---
87e294
 src/ftp.c     | 27 +++++++++++++++++++++++++--
87e294
 1 file changed, 25 insertions(+), 2 deletions(-)
87e294
87e294
diff --git a/src/ftp.c b/src/ftp.c
87e294
index 2d54333..054cb61 100644
87e294
--- a/src/ftp.c
87e294
+++ b/src/ftp.c
87e294
@@ -2211,6 +2211,29 @@ has_insecure_name_p (const char *s)
87e294
   return false;
87e294
 }
87e294
 
87e294
+/* Test if the file node is invalid. This can occur due to malformed or
87e294
+ * maliciously crafted listing files being returned by the server.
87e294
+ *
87e294
+ * Currently, this function only tests if there are multiple entries in the
87e294
+ * listing file by the same name. However this function can be expanded as more
87e294
+ * such illegal listing formats are discovered. */
87e294
+static bool
87e294
+is_invalid_entry (struct fileinfo *f)
87e294
+{
87e294
+  struct fileinfo *cur;
87e294
+  cur = f;
87e294
+  char *f_name = f->name;
87e294
+  /* If the node we're currently checking has a duplicate later, we eliminate
87e294
+   * the current node and leave the next one intact. */
87e294
+  while (cur->next)
87e294
+    {
87e294
+      cur = cur->next;
87e294
+      if (strcmp(f_name, cur->name) == 0)
87e294
+          return true;
87e294
+    }
87e294
+  return false;
87e294
+}
87e294
+
87e294
 /* A near-top-level function to retrieve the files in a directory.
87e294
    The function calls ftp_get_listing, to get a linked list of files.
87e294
    Then it weeds out the file names that do not match the pattern.
87e294
@@ -2248,11 +2271,11 @@ ftp_retrieve_glob (struct url *u, ccon *con, int action)
87e294
             f = f->next;
87e294
         }
87e294
     }
87e294
-  /* Remove all files with possible harmful names */
87e294
+  /* Remove all files with possible harmful names or invalid entries. */
87e294
   f = start;
87e294
   while (f)
87e294
     {
87e294
-      if (has_insecure_name_p (f->name))
87e294
+      if (has_insecure_name_p (f->name) || is_invalid_entry (f))
87e294
         {
87e294
           logprintf (LOG_VERBOSE, _("Rejecting %s.\n"),
87e294
                      quote (f->name));
87e294
-- 
87e294
2.1.0
87e294