Bug #10364

wget may expose user IP address with FTP protocol (CVE-2015-7665)

Added by hybridwipe 2015-10-13 08:23:10. Updated 2015-11-03 11:28:48.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2015-10-13
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

See

I’ve attached a patch that should address this according to the comments from that thread. However, I have not explicitly set up an FTP server to test the attack and the fix. I won’t be in a position to do so for a week or so, but would greatly appreciate it if someone else would do that.

A bit of explanation for the patch: I’m using dpkg-divert to move the wget binary to /usr/share/tails/wget to remove it from $PATH. I originally tried moving it to /usr/bin/wget-real, but then noticed that invoking wget w/o any args exposes the true binary name:
wget-real: missing URL
Usage: wget-real [OPTION]... [URL]...

Try `wget-real --help' for more options.

That isn’t great, but it’s also scary to have wget itself in $PATH (i.e., some Debian packaged binary may call /usr/bin/wget directly, which would bypass torsocks!). In light of this, I thought it prudent to move it out of $PATH, and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.

Please review.


Related issues

Copied to Tails - Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks (Confirmed, 2015-10-13)

History

#1 Updated by hybridwipe 2015-10-13 08:25:23

Forgot the links :)

See:
http://www.openwall.com/lists/oss-security/2015/10/01/10
https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
https://mailman.boum.org/pipermail/tails-dev/2015-October/009590.html

It may also be necessary/useful to patch wget with the fix for the upstream problem, but this fix should be applied regardless, IMO.

#2 Updated by hybridwipe 2015-10-13 08:28:01

  • copied to Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks added

#3 Updated by intrigeri 2015-10-23 07:53:50

  • Status changed from New to In Progress
  • Assignee changed from hybridwipe to anonym
  • % Done changed from 0 to 10
  • QA Check set to Ready for QA

#4 Updated by intrigeri 2015-10-23 08:33:35

(This one was missed by the release manager due to missing ticket metadata.)

> In light of this, I thought it prudent to move it out of $PATH,

Makes sense.

> and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.

/usr/lib/wget would be FHS-compliant.

#5 Updated by hybridwipe 2015-10-23 10:21:53

intrigeri wrote:
> > and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.
>
> /usr/lib/wget would be FHS-compliant.

Good point, thanks. Patch updated.
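
An added example, not part of this ticket or of the Tails patch: the dpkg-divert arrangement discussed above written out in shell, together with a check for the failure mode the description raises, a wget reachable through $PATH that does not go through torsocks. The diverted path /usr/lib/wget/wget, the wrapper contents and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the Tails patch. Paths and function names are assumptions.
REAL_WGET=/usr/lib/wget/wget   # assumed home of the diverted real binary

# Divert the packaged binary out of $PATH and install a torsocks wrapper in
# its place. Needs root on a Debian system; only runs when called explicitly.
install_wrapper() {
    mkdir -p "$(dirname "$REAL_WGET")" &&
    dpkg-divert --add --rename --divert "$REAL_WGET" /usr/bin/wget &&
    printf '#!/bin/sh\nexec torsocks %s "$@"\n' "$REAL_WGET" > /usr/bin/wget &&
    chmod 755 /usr/bin/wget
}

# True if FILE is a script (starts with "#!") with a line that runs torsocks.
is_torsocks_wrapper() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ] &&
        grep -Eq '^[[:space:]]*(exec[[:space:]]+)?torsocks[[:space:]]' "$1"
}

# Walk a PATH-style list and report every executable named wget.
# Returns 0 only if at least one was found and all of them are wrappers.
audit_wget_path() {
    found=0; bad=0
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        f="${dir:-.}/wget"
        if [ ! -x "$f" ] || [ -d "$f" ]; then continue; fi
        found=1
        if is_torsocks_wrapper "$f"; then
            echo "OK      $f"
        else
            echo "DIRECT  $f (would bypass torsocks)"; bad=1
        fi
    done
    IFS=$old_ifs
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use: sh thisfile.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_wget_path "$PATH"; fi
```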

#6 Updated by hybridwipe 2015-10-23 10:22:00

  • File deleted (use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt)

#7 Updated by hybridwipe 2015-10-26 13:01:13

Applied in changeset commit:b9fd6312435d55dd0bc0b6abdb7994da4d66e2b2.

#8 Updated by anonym 2015-10-26 13:01:13

  • Status changed from In Progress to Fix committed
  • % Done changed from 10 to 100

Applied in changeset commit:bd0b04c7f25e719404cfee8597204fc6ad889370.

#9 Updated by anonym 2015-10-26 13:01:45

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#10 Updated by anonym 2015-11-03 11:28:48

  • Status changed from Fix committed to Resolved