[Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Request for Details

2019-04-03 Thread Secunia Research
Hello,

We are currently processing a report published by a third party [1] for GNU
wget and are currently evaluating it to publish a Secunia Advisory for this.
Please see the original report for details.

We would appreciate receiving your comments on those issues before we
publish our advisory based on this information.

* Can you confirm the vulnerability?

* Which products and versions are affected by the vulnerability?

* When do you expect to release fixed versions?

* Are there any mitigating factors or recommended workarounds?


References:
[1] http://jvn.jp/en/jp/JVN25261088/index.html

---

Kind Regards,

Laurent Delosieres
Security Specialist

Secunia Research at Flexera

Arne Jacobsens Allé 7, 5th floor
2300 Copenhagen S
Denmark


Phone +45 7020 5144
Fax +45 7020 5145

http://www.flexera.com

[Bug-wget] buildbot failure in OpenCSW Buildbot on wget-solaris10-sparc

2019-04-03 Thread buildbot
The Buildbot has detected a new failure on builder wget-solaris10-sparc while 
building wget. Full details are available at:

https://buildfarm.opencsw.org/buildbot/builders/wget-solaris10-sparc/builds/332

Buildbot URL: https://buildfarm.opencsw.org/buildbot/

Buildslave for this Build: unstable10s

Build Reason: The SingleBranchScheduler scheduler named 
'schedule-wget-solaris10-sparc' triggered this build
Build Source Stamp: [branch master] 0eaa5f1771f3d96c88f0a3d464df1fa4bdb7e307
Blamelist: Tim Rühsen 

BUILD FAILED: failed shell_1 shell_3 shell_4 shell_5 shell_6

Sincerely,
 -The Buildbot






Re: [Bug-wget] Bugs in make check in wget2 on mac

2019-04-03 Thread Dirk Loeckx
Dear Tim,

Thank you very much! The --without-libpsl did the trick!

Vriendelijke groeten,
Kind regards,

Dirk Loeckx


d...@zeronary.care :: T +32 486 68 38 33 :: zeronary.care
zeronary.care is an initiative of Jomale bvba :: VAT BE 0597.858.312


On Wed, 3 Apr 2019 at 10:47, Tim Rühsen  wrote:

> Hi Dirk,
>
> On 4/2/19 11:09 PM, Dirk Loeckx wrote:
> > Dear Shah,
> >
> > Attached you can find the output of ./configure, nothing special I have
> > the impression.
> >
> > The output of `./unit-tests/test-parse-html` is very short:
> >
> >> dloeckx$ ./unit-tests/test-parse-html
> >> dyld: Library not loaded: /usr/local/opt/libidn2/lib/libidn2.4.dylib
> >>   Referenced from: /usr/local/opt/libpsl/lib/libpsl.5.dylib
> >>   Reason: image not found
> >> Abort trap: 6
>
> As it looks like, you have libpsl installed without the proper libidn2.
> This could have happened when you updated libidn2 without updating
> libpsl - or by removing libidn2. Please check the above library paths
> and fix it.
>
> An alternative would be to build wget2 without libpsl, using
> --without-libpsl as ./configure flag.
>
> Regards, Tim
>
> >>
> > Vriendelijke groeten,
> > Kind regards,
> >
> > Dirk Loeckx
> >
> >
> > d...@zeronary.care :: T +32 486 68 38 33 :: zeronary.care
> > zeronary.care is an initiative of Jomale bvba :: VAT BE 0597.858.312
> >
> >
> > On Tue, 2 Apr 2019 at 18:18, Darshit Shah  wrote:
> >
> >> Two things here:
> >>
> >> 1. `configure` should have handled the case where you don't have
> >>    libmicrohttpd installed. So `make -C tests` should not have failed.
> >>    Could you please share the entire output of `./configure`?
> >>
> >> 2. What happens if you try to run `./unit-tests/test-parse-html`?
> >>
> >> I'm guessing there is something happening with clang here. Some
> >> optimization which is either buggy, or the more likely case is picking
> >> up on undefined behaviour in Wget2.
> >>
> >> * Dirk Loeckx  [190402 17:52]:
> >>> Dear Tim,
> >>>
> >>> Thanks for the quick response. I know I am a little bit out of scope,
> >>> so don't feel obliged to fix this.
> >>>
> >>> Unfortunately, the make -C commands also both fail (attached the log
> >>> file):
> >>>
> >>>> dloeckx$ make check -C unit-tests
> >>>> /Applications/Xcode.app/Contents/Developer/usr/bin/make
> >>>> buffer_printf_perf stringmap_perf test test-parse-html test-cond test-dl
> >>>> libalpha.la libbeta.la
> >>>>   CC   buffer_printf_perf.o
> >>>>   CCLD buffer_printf_perf
> >>>>   CC   stringmap_perf.o
> >>>>   CCLD stringmap_perf
> >>>>   CC   test.o
> >>>>   CCLD test
> >>>>   CC   test-parse-html.o
> >>>>   CCLD test-parse-html
> >>>>   CC   test-cond.o
> >>>>   CCLD test-cond
> >>>>   CC   test-dl.o
> >>>>   CCLD test-dl
> >>>>   CC   libalpha_la-test-dl-dummy.lo
> >>>>   CCLD libalpha.la
> >>>>   CC   libbeta_la-test-dl-dummy.lo
> >>>>   CCLD libbeta.la
> >>>> /Applications/Xcode.app/Contents/Developer/usr/bin/make  check-TESTS
> >>>> ../build-aux/test-driver: line 107: 40594 Abort trap: 6   "$@" > $log_file 2>&1
> >>>> FAIL: test
> >>>> ../build-aux/test-driver: line 107: 40613 Abort trap: 6   "$@" > $log_file 2>&1
> >>>> FAIL: test-parse-html
> >>>> ../build-aux/test-driver: line 107: 40632 Abort trap: 6   "$@" > $log_file 2>&1
> >>>> FAIL: test-cond
> >>>> ../build-aux/test-driver: line 107: 40651 Abort trap: 6   "$@" > $log_file 2>&1
> >>>> FAIL: test-dl
> >>>>
> >>>> Testsuite summary for wget2 1.99.1
> >>>>
> >>>> # TOTAL: 4
> >>>> # PASS:  0
> >>>> # SKIP:  0
> >>>> # XFAIL: 0
> >>>> # FAIL:  4
> >>>> # XPASS: 0
> >>>> # ERROR: 0
> >>>>
> >>>> See unit-tests/test-suite.log
> >>>> Please report to bug-wget@gnu.org
> >>>>
> >>>> make[2]: *** [test-suite.log] Error 1
> >>>> make[1]: *** [check-TESTS] Error 2
> >>>> make: *** [check-am] Error 2
> >>>> dloeckx$ make check -C tests
> >>>>   CC   libtest_la-libtest.lo
> >>>> libtest.c:46:10: fatal error: 'microhttpd.h' file not found
> >>>> #include <microhttpd.h>
> >>>>  ^~
> >>>> 1 error generated.
> >>>> make: *** [libtest_la-libtest.lo] Error 1
> >>>> dloeckx$
> >>>
> >>>
> >>> Vriendelijke groeten,
> >>> Kind regards,
> >>>
> >>> Dirk Loeckx
> >>>
> >>>
> >>> d...@zeronary.care :: T +32 486 68 38 33 :: zeronary.care
> >>> zeronary.care is an initiative of Jomale bvba :: VAT BE 0597.858.312
> >>>
> >>>
> >>> On Tue, 2 Apr 2019 at 16:32, Tim Rühsen  wrote:
> >>>
>  Hi Dirk,
> 
>  thanks for reporting.
> 
>  The only "Mac" we 
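
The library-path check suggested in the quoted reply above can be scripted; this is an added example, not part of the thread or of wget2. The function names and the ROOT argument are hypothetical, and the sample `otool -L` listing (including its version numbers) is constructed around the two paths from the dyld error.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the ROOT argument are
# hypothetical; the version numbers in the sample are constructed.

# Constructed sample in the layout `otool -L` prints: a "file:" header, then
# one tab-indented line per dependency. Paths are the two from the dyld error.
sample_otool_output() {
    printf '%s\n' '/usr/local/opt/libpsl/lib/libpsl.5.dylib:'
    printf '\t%s\n' \
        '/usr/local/opt/libpsl/lib/libpsl.5.dylib (compatibility version 6.0.0, current version 6.3.0)' \
        '/usr/local/opt/libidn2/lib/libidn2.4.dylib (compatibility version 5.0.0, current version 5.0.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'
}

# Read `otool -L` output on stdin and print each dependency whose file is
# absent under ROOT (empty ROOT means the live filesystem).
missing_deps() {
    root="${1:-}"
    sed -n 's/^[[:space:]]\{1,\}\(.*\) (compatibility version .*$/\1/p' |
    while IFS= read -r dep; do
        case "$dep" in
            # @rpath/@loader_path entries need dyld's search logic, and
            # OS-provided libraries may live only in the dyld shared cache.
            @*|/usr/lib/*|/System/*) continue ;;
        esac
        [ -e "$root$dep" ] || printf '%s\n' "$dep"
    done
}

# On the affected Mac:
#   otool -L /usr/local/opt/libpsl/lib/libpsl.5.dylib | missing_deps
```

Any path it prints is a library the loader will fail on at start-up, which is the "image not found" abort seen in every unit test here.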

Re: [Bug-wget] Bugs in make check in wget2 on mac

2019-04-03 Thread Tim Rühsen
Hi Dirk,

On 4/2/19 11:09 PM, Dirk Loeckx wrote:
> Dear Shah,
> 
> Attached you can find the output of ./configure, nothing special I have the
> impression.
> 
> The output of `./unit-tests/test-parse-html` is very short:
> 
>> dloeckx$ ./unit-tests/test-parse-html
>> dyld: Library not loaded: /usr/local/opt/libidn2/lib/libidn2.4.dylib
>>   Referenced from: /usr/local/opt/libpsl/lib/libpsl.5.dylib
>>   Reason: image not found
>> Abort trap: 6

As it looks like, you have libpsl installed without the proper libidn2.
This could have happened when you updated libidn2 without updating
libpsl - or by removing libidn2. Please check the above library paths
and fix it.

An alternative would be to build wget2 without libpsl, using
--without-libpsl as ./configure flag.

Regards, Tim

>>
> Vriendelijke groeten,
> Kind regards,
> 
> Dirk Loeckx
> 
> 
> d...@zeronary.care :: T +32 486 68 38 33 :: zeronary.care
> zeronary.care is an initiative of Jomale bvba :: VAT BE 0597.858.312
> 
> 
> On Tue, 2 Apr 2019 at 18:18, Darshit Shah  wrote:
> 
>> Two things here:
>>
>> 1. `configure` should have handled the case where you don't have
>>    libmicrohttpd installed. So `make -C tests` should not have failed.
>>    Could you please share the entire output of `./configure`?
>>
>> 2. What happens if you try to run `./unit-tests/test-parse-html`?
>>
>> I'm guessing there is something happening with clang here. Some
>> optimization which is either buggy, or the more likely case is picking
>> up on undefined behaviour in Wget2.
>>
>> * Dirk Loeckx  [190402 17:52]:
>>> Dear Tim,
>>>
>>> Thanks for the quick response. I know I am a little bit out of scope, so
>>> don't feel obliged to fix this.
>>>
>>> Unfortunately, the make -C commands also both fail (attached the log
>>> file):
>>>
>>>> dloeckx$ make check -C unit-tests
>>>> /Applications/Xcode.app/Contents/Developer/usr/bin/make
>>>> buffer_printf_perf stringmap_perf test test-parse-html test-cond test-dl
>>>> libalpha.la libbeta.la
>>>>   CC   buffer_printf_perf.o
>>>>   CCLD buffer_printf_perf
>>>>   CC   stringmap_perf.o
>>>>   CCLD stringmap_perf
>>>>   CC   test.o
>>>>   CCLD test
>>>>   CC   test-parse-html.o
>>>>   CCLD test-parse-html
>>>>   CC   test-cond.o
>>>>   CCLD test-cond
>>>>   CC   test-dl.o
>>>>   CCLD test-dl
>>>>   CC   libalpha_la-test-dl-dummy.lo
>>>>   CCLD libalpha.la
>>>>   CC   libbeta_la-test-dl-dummy.lo
>>>>   CCLD libbeta.la
>>>> /Applications/Xcode.app/Contents/Developer/usr/bin/make  check-TESTS
>>>> ../build-aux/test-driver: line 107: 40594 Abort trap: 6   "$@" > $log_file 2>&1
>>>> FAIL: test
>>>> ../build-aux/test-driver: line 107: 40613 Abort trap: 6   "$@" > $log_file 2>&1
>>>> FAIL: test-parse-html
>>>> ../build-aux/test-driver: line 107: 40632 Abort trap: 6   "$@" > $log_file 2>&1
>>>> FAIL: test-cond
>>>> ../build-aux/test-driver: line 107: 40651 Abort trap: 6   "$@" > $log_file 2>&1
>>>> FAIL: test-dl
>>>>
>>>> Testsuite summary for wget2 1.99.1
>>>>
>>>> # TOTAL: 4
>>>> # PASS:  0
>>>> # SKIP:  0
>>>> # XFAIL: 0
>>>> # FAIL:  4
>>>> # XPASS: 0
>>>> # ERROR: 0
>>>>
>>>> See unit-tests/test-suite.log
>>>> Please report to bug-wget@gnu.org
>>>>
>>>> make[2]: *** [test-suite.log] Error 1
>>>> make[1]: *** [check-TESTS] Error 2
>>>> make: *** [check-am] Error 2
>>>> dloeckx$ make check -C tests
>>>>   CC   libtest_la-libtest.lo
>>>> libtest.c:46:10: fatal error: 'microhttpd.h' file not found
>>>> #include <microhttpd.h>
>>>>  ^~
>>>> 1 error generated.
>>>> make: *** [libtest_la-libtest.lo] Error 1
>>>> dloeckx$

>>>
>>>
>>> Vriendelijke groeten,
>>> Kind regards,
>>>
>>> Dirk Loeckx
>>>
>>>
>>> d...@zeronary.care :: T +32 486 68 38 33 :: zeronary.care
>>> zeronary.care is an initiative of Jomale bvba :: VAT BE 0597.858.312
>>>
>>>
>>> On Tue, 2 Apr 2019 at 16:32, Tim Rühsen  wrote:
>>>
>>>> Hi Dirk,
>>>>
>>>> thanks for reporting.
>>>>
>>>> The only "Mac" we regularly test on is the OSX environment of TravisCI
>>>> (a continuous integration service). We don't have such errors there.
>>>>
>>>> Looks like there is something basically going wrong with the test
>>>> harness in fuzz/.
>>>>
>>>> If 'make check -C unit-tests' and 'make check -C tests' work OK for you,
>>>> then you are likely fine with using wget2.
>>>>
>>>> If you know a Mac developer, you could ask that person to take a closer
>>>> look.
>>>>
>>>> Regards, Tim
>>>>
>>>> On 4/2/19 1:34 PM, Dirk Loeckx wrote:
>>>>> Dear,
>>>>>
>>>>> First of all thank you very much for building wget2!
>>>>>
>>>>>