Your message dated Thu, 27 Dec 2018 21:13:04 +0100
with message-id <20181227201304.GA21453@eldamar.local>
and subject line Re: Bug#917375: wget: CVE-2018-20483
has caused the Debian Bug report #917375,
regarding wget: CVE-2018-20483
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
917375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wget
Version: 1.20-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for wget.

CVE-2018-20483[0]:
| set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
| origin URL in the user.xdg.origin.url metadata attribute of the
| extended attributes of the downloaded file, which allows local users to
| obtain sensitive information (e.g., credentials contained in the URL)
| by reading this attribute, as demonstrated by getfattr. This also
| applies to Referer information in the user.xdg.referrer.url metadata
| attribute. According to 2016-07-22 in the Wget ChangeLog,
| user.xdg.origin.url was partially based on the behavior of fwrite_xattr
| in tool_xattr.c in curl.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20483
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wget
Source-Version: 1.20.1-1

On Wed, Dec 26, 2018 at 09:24:23PM +0100, Salvatore Bonaccorso wrote:
> Source: wget
> Version: 1.20-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for wget.
> 
> CVE-2018-20483[0]:
> | set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
> | origin URL in the user.xdg.origin.url metadata attribute of the
> | extended attributes of the downloaded file, which allows local users to
> | obtain sensitive information (e.g., credentials contained in the URL)
> | by reading this attribute, as demonstrated by getfattr. This also
> | applies to Referer information in the user.xdg.referrer.url metadata
> | attribute. According to 2016-07-22 in the Wget ChangeLog,
> | user.xdg.origin.url was partially based on the behavior of fwrite_xattr
> | in tool_xattr.c in curl.

Fixed with the 1.20.1 upstream version upload to sid today.

Regards,
Salvatore

--- End Message ---
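An added example, not part of the bug thread or of wget's code: a small audit script that walks a directory tree and flags files whose `user.xdg.origin.url` or `user.xdg.referrer.url` attribute (the two names in the CVE text) holds URL credentials, printing only a redacted form. Treating query strings as sensitive is an assumption of this sketch, and `os.getxattr` is available on Linux only.

```python
import os
import sys
from urllib.parse import urlsplit, urlunsplit

# Attribute names as given in the CVE-2018-20483 description.
XDG_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")

def redact(url):
    """Return (url with secrets removed, list of what was removed)."""
    parts = urlsplit(url)
    netloc, query, reasons = parts.netloc, parts.query, []
    if "@" in netloc:                      # user[:password]@host
        netloc = netloc.rsplit("@", 1)[1]
        reasons.append("userinfo")
    if query:                              # assumption: query may carry tokens
        query = "REDACTED"
        reasons.append("query")
    return urlunsplit((parts.scheme, netloc, parts.path, query, "")), reasons

def audit_attrs(attrs):
    """attrs maps xattr name -> raw bytes; return (name, safe_url, reasons) findings."""
    findings = []
    for name in XDG_ATTRS:
        if name in attrs:
            safe, reasons = redact(attrs[name].decode("utf-8", "replace"))
            if reasons:
                findings.append((name, safe, reasons))
    return findings

def read_xdg_attrs(path):
    """Read the two attributes from one file (os.getxattr is Linux-only)."""
    found = {}
    for name in XDG_ATTRS:
        try:
            found[name] = os.getxattr(path, name, follow_symlinks=False)
        except (OSError, AttributeError):  # absent, unsupported, or not Linux
            pass
    return found

def scan_tree(root):  # yields (path, name, safe_url, reasons) per flagged attribute
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            for finding in audit_attrs(read_xdg_attrs(path)):
                yield (path,) + finding

if __name__ == "__main__":
    for path, name, safe, reasons in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {name} contains {'+'.join(reasons)} (redacted: {safe})")
```

Run it with a download directory as the only argument; a flagged attribute can then be removed from the file with `setfattr -x`.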
