Critical vulnerability in pre-1.16 versions of wget fixed

l0wt3ch
Posts: 182
Joined: Thu 24 Apr 2014, 01:30

Critical vulnerability in pre-1.16 versions of wget fixed

#1 Post by l0wt3ch »

Critical vulnerability discovered in wget. New, fixed version, tested on Slacko 5.7:

wget-1.16

darry1966

Re: Critical vulnerability in pre-1.16 versions of wget fixed

#2 Post by darry1966 »

l0wt3ch wrote:Critical vulnerability discovered in wget. New, fixed version, tested on Slacko 5.7:

wget-1.16
Does this version of wget work in Puppy Linux 4 and Wary, etc.?

l0wt3ch
Posts: 182
Joined: Thu 24 Apr 2014, 01:30

#3 Post by l0wt3ch »

All current and past versions of Puppy are affected.

The .pet has only been tested on Slacko.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#4 Post by Semme »

l0wt3ch, while the updated build is appreciated, the announcement belongs in our security forum.

Lucid, Precise *patched* versions here >> https://launchpad.net/ubuntu/+source/wget

Slacko >> http://slackware.cs.utah.edu/pub/slackw ... s/packages
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/wget-1.14-i486-3_slack14.1.txz: Rebuilt.
This update fixes a symlink vulnerability that could allow an attacker
to write outside of the expected directory.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cg ... -2014-4877
(* Security fix *)
+--------------------------+

l0wt3ch
Posts: 182
Joined: Thu 24 Apr 2014, 01:30

#5 Post by l0wt3ch »

Semme wrote:l0wt3ch, while the updated build is appreciated, the announcement belongs in our security forum.
Oops!

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#6 Post by Semme »

Hey, not a biggie, but that's where it'll get noticed. This forum's otherwise fine for all non-security related upgrades.

Bert
Posts: 1103
Joined: Fri 30 Jun 2006, 20:09

#7 Post by Bert »

Thanks for this l0wt3ch,

It does not seem to work in Precise 5.7.2:

Code:

wget: error while loading shared libraries: libgnutls.so.28: cannot open shared object file: No such file or directory
It is also much bigger than the installed wget 1.13.4. (362k installed) Probably because all locales and the manual are included.

PPM does not find libgnutls.so.28. Pfind says libgnutls.so.26 is installed.

A search on the net ended quickly; I started to drown in a morass of complexity and extra dependencies.
A guru will be needed :)

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#8 Post by Semme »

Bert >> no guru, just re-read my post. Remove the one you grabbed and install this one.

Bert
Posts: 1103
Joined: Fri 30 Jun 2006, 20:09

#9 Post by Bert »

Ah, the art of careful reading...

Thank you Semme!

l0wt3ch
Posts: 182
Joined: Thu 24 Apr 2014, 01:30

#10 Post by l0wt3ch »

The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks.

"Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch," Moore said.
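
The symlink traversal described in the Slackware ChangeLog quoted above (CVE-2014-4877) and the 1.16 fix referred to in this post, modelled as an added example that is not code from this thread or from GNU Wget. In 1.16 the change is that --retr-symlinks is on by default, so a symlink in an FTP listing is fetched as a regular file instead of being recreated locally. Assumptions made for the example: the FTP server is replaced by a constructed LIST response and an in-memory file table; the malicious symlink points at a scratch directory standing in for `/` rather than the real root; the names `parse_list`, `mirror`, `inside` and `demo` are chosen here and are not wget's.

```python
"""Model of CVE-2014-4877: recursive FTP mirroring that recreates a remote
symlink locally and then descends into a same-named directory.
Added example; the server side is a constructed LIST response plus an
in-memory file table, and the symlink target is a scratch directory
standing in for '/'.  Nothing is written outside temp directories."""
import os
import re
import tempfile

# Unix-style LIST line: type+mode, links, owner, group, size, 3 date fields, name[ -> target]
LIST_RE = re.compile(
    r"^([-dl])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_list(listing):
    """Return (kind, name, target) tuples from a LIST response."""
    entries = []
    for line in listing.splitlines():
        m = LIST_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "l" and " -> " in rest:
            name, target = rest.split(" -> ", 1)
            entries.append(("symlink", name, target))
        elif kind == "d":
            entries.append(("dir", rest, None))
        else:
            entries.append(("file", rest, None))
    return entries


def inside(path, root):
    """True if the resolved path stays under root (no symlink escape)."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root


def mirror(listing, server_files, dest, retr_symlinks):
    """Simplified 'wget -r' of one FTP directory into dest.
    retr_symlinks=False: pre-1.16 default, recreate remote symlinks locally.
    retr_symlinks=True:  1.16 default, RETR the link target as a regular file.
    Returns the real paths of every file written."""
    written = []
    for kind, name, target in parse_list(listing):
        local = os.path.join(dest, name)
        if kind == "symlink":
            if retr_symlinks:
                data = server_files.get(name)  # RETR of a directory target fails -> None
                if data is not None:
                    with open(local, "wb") as f:
                        f.write(data)
                    written.append(os.path.realpath(local))
            else:
                # Vulnerable step: the attacker chooses the absolute target.
                if os.path.lexists(local):
                    os.remove(local)
                os.symlink(target, local)
        elif kind == "dir":
            os.makedirs(local, exist_ok=True)  # follows a symlink of the same name
            for rel, data in server_files.items():
                if rel.startswith(name + "/"):
                    path = os.path.join(dest, rel)
                    with open(path, "wb") as f:
                        f.write(data)
                    written.append(os.path.realpath(path))
        else:
            with open(local, "wb") as f:
                f.write(server_files.get(name, b""))
            written.append(os.path.realpath(local))
    return written


def demo():
    """Run the malicious listing against both defaults; report where files landed."""
    outside = tempfile.mkdtemp(prefix="stand-in-for-root-")  # plays the role of '/'
    # Constructed LIST response shaped like the CVE description: the same name
    # 'x' is listed once as a symlink to an absolute path and once as a directory.
    listing = (
        f"lrwxrwxrwx 1 ftp ftp    1 Oct 27 2014 x -> {outside}\n"
        "drwxr-xr-x 2 ftp ftp 4096 Oct 27 2014 x\n"
    )
    server_files = {"x/.bashrc": b"echo pwned\n"}  # constructed payload
    results = {}
    for mode in (False, True):
        dest = tempfile.mkdtemp(prefix="wget-dest-")
        paths = mirror(listing, server_files, dest, retr_symlinks=mode)
        results[mode] = {
            "dest": os.path.realpath(dest),
            "written": paths,
            "escaped": [p for p in paths if not inside(p, dest)],
        }
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(f"retr-symlinks={'on' if mode else 'off'}: escaped={r['escaped']}")
```

With retr-symlinks off, the payload lands in the directory standing in for `/`; with it on, the symlink entry is skipped and the file is created under the download directory. Note that a distro backport such as the Slackware rebuild in the ChangeLog above keeps the 1.14 version string, so the version number alone does not tell you whether a binary is fixed.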

darry1966

#11 Post by darry1966 »

Sorry, I meant to ask if this patch works in Puppy 4 and Wary.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#12 Post by 8Geee »

l0wt3ch

I have the tar.gz release from gnu org.

Are there any "directory" mods needed to the gnu org release? If there are many, ya don't have to list them... I was about to install to usr/bin as a test.

Where does the pet install?

l0wt3ch
Posts: 182
Joined: Thu 24 Apr 2014, 01:30

#13 Post by l0wt3ch »

The package I posted is just the 1.16 version of wget.

It's been tested on Slacko 5.7 only.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#14 Post by Semme »

Here..
Attachment: install_dirs.txt.gz (1.04 KiB)

Dingo
Posts: 1437
Joined: Tue 11 Dec 2007, 17:48
Location: somewhere at the end of rainbow...

wget 1.16 for puppy 3.01

#15 Post by Dingo »

wget 1.16 for puppy 3.01
wget-1.16-i486.pet for puppy 3.01

- compressed with upx (273 KB)
- without nls

Code:

GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 +iri +large-file -nls -ntlm +opie -psl +ssl/gnutls 

Wgetrc: 
    /root/.wgetrc (user)
    /usr/etc/wgetrc (system)
Compile: 
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2 
Link: 
    gcc -g -O2 /usr/lib/libgnutls.so /usr/lib/libgcrypt.so 
    /usr/lib/libgpg-error.so /usr/lib/libz.a /usr/lib/libnsl.so -lz 
    -lidn -luuid -lpcre -lrt ftp-opie.o gnutls.o ../lib/libgnu.a

darry1966

Re: wget 1.16 for puppy 3.01

#16 Post by darry1966 »

Dingo wrote:wget 1.16 for puppy 3.01
wget-1.16-i486.pet for puppy 3.01
Thanks, mirrored here: http://sourceforge.net/projects/puppyli ... rce=navbar

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#17 Post by watchdog »

wget-1.16-p4-i486.pet

Code:

./configure --prefix=/usr --sysconfdir=/etc --with-ssl=openssl
Download:

https://copy.com/7BTNjoEgKhZNL9rI

wget-1.16-w5-i486.pet

Code:

./configure --prefix=/usr --sysconfdir=/etc --without-ssl
Download:

https://copy.com/H3LOm2gOh4MAYP86

I could not compile with ssl in Wary: errors. If someone can do the job better, they are invited to share the pets. Is openssl needed as a configure option when compiling wget?

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#18 Post by dejan555 »

Compiled in dpup 487:
wget-1.16-i486-dpup487.pet

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#19 Post by OscarTalks »

watchdog wrote:I could not compile with ssl in wary: errors
Confirmed that in Racy 5.5 I get an error if I try to configure it with openssl, but if I upgrade openssl to version 1.0.1j

Code:

./config --prefix=/usr --openssldir=/etc/ssl shared
then wget 1.16 compiles OK

Code:

./configure --prefix=/usr --sysconfdir=/etc --build=i486-t2-linux-gnu --disable-nls --disable-debug --with-ssl=openssl --with-openssl=auto
but I don't know if this wget then depends on the upgraded openssl or if you could install it and run it against the original openssl, so I won't post it as a .pet yet until I do some more testing.

darry1966

#20 Post by darry1966 »

Cheers Watchdog for .pets
