Bug #10364
wget may expose user IP address with FTP protocol (CVE-2015-7665)
100%
Description
See
I’ve attached a patch that should address this according to the comments from that thread. However, I have not explicitly set up an FTP server to test the attack and the fix. I won’t be in a position to do so for a week or so, but would greatly appreciate it if someone else would do that.
A bit of explanation for the patch: I’m using dpkg-divert to move the wget binary to /usr/share/tails/wget to remove it from $PATH. I originally tried moving it to /usr/bin/wget-real, but then noticed that invoking wget w/o any args exposes the true binary name:
    wget-real: missing URL
    Usage: wget-real [OPTION]... [URL]...
    Try `wget-real --help' for more options.
That isn’t great, but it’s also scary to have wget itself in $PATH (i.e., some Debian-packaged binary may call /usr/bin/wget directly, which would bypass torsocks!). In light of this, I thought it prudent to move it out of $PATH, and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.
Please review.
Related issues
Copied to Tails - Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks | Confirmed | 2015-10-13 |
History
#1 Updated by hybridwipe 2015-10-13 08:25:23
Forgot the links :)
See:
http://www.openwall.com/lists/oss-security/2015/10/01/10
https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
https://mailman.boum.org/pipermail/tails-dev/2015-October/009590.html
It may also be necessary/useful to patch wget with the fix for the upstream problem, but this fix should be applied regardless, IMO.
#2 Updated by hybridwipe 2015-10-13 08:28:01
- copied to Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks added
#3 Updated by intrigeri 2015-10-23 07:53:50
- Status changed from New to In Progress
- Assignee changed from hybridwipe to anonym
- % Done changed from 0 to 10
- QA Check set to Ready for QA
#4 Updated by intrigeri 2015-10-23 08:33:35
(This one was missed by the release manager due to missing ticket metadata.)
> In light of this, I thought it prudent to move it out of $PATH,
Makes sense.
> and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.
/usr/lib/wget would be FHS-compliant.
#5 Updated by hybridwipe 2015-10-23 10:21:53
intrigeri wrote:
> > and /usr/share/tails seemed like an appropriate place, though I’m open to discussion on that.
>
> /usr/lib/wget would be FHS-compliant.
Good point, thanks. Patch updated.
#6 Updated by hybridwipe 2015-10-23 10:22:00
- File deleted (use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt)
#7 Updated by hybridwipe 2015-10-26 13:01:13
Applied in changeset commit:b9fd6312435d55dd0bc0b6abdb7994da4d66e2b2.
#8 Updated by anonym 2015-10-26 13:01:13
- Status changed from In Progress to Fix committed
- % Done changed from 10 to 100
Applied in changeset commit:bd0b04c7f25e719404cfee8597204fc6ad889370.
#9 Updated by anonym 2015-10-26 13:01:45
- Assignee deleted (anonym)
- QA Check changed from Ready for QA to Pass
#10 Updated by anonym 2015-11-03 11:28:48
- Status changed from Fix committed to Resolved
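
The concern raised in the description, that a real wget binary reachable through $PATH bypasses torsocks, can be checked mechanically. The following is an added example, not part of this ticket or of the Tails patch: `audit_wget`, `make_layout`, the wrapper line and the temporary directory trees are constructed for illustration, and the ELF-magic test is an assumed heuristic for recognising the real binary.

```shell
#!/bin/sh
# Added example: audit a PATH string for wget executables that would run
# without torsocks. All file layouts below are constructed for the demo.

# audit_wget PATH_STRING -> prints findings, returns non-zero if any exist.
audit_wget() {
    elf_magic=$(printf '\177ELF')
    findings=0
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        for f in "$dir"/wget "$dir"/wget-*; do
            { [ -f "$f" ] && [ -x "$f" ]; } || continue
            if [ "$(head -c 4 "$f" 2>/dev/null)" = "$elf_magic" ]; then
                echo "UNWRAPPED native binary on PATH: $f"
                findings=$((findings + 1))
            elif ! grep -q torsocks "$f"; then
                echo "UNWRAPPED script (no torsocks call): $f"
                findings=$((findings + 1))
            fi
        done
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# make_layout ROOT REAL_BINARY_PATH: constructed tree with a stand-in ELF
# file at REAL_BINARY_PATH and an assumed torsocks wrapper at ROOT/usr/bin/wget.
make_layout() {
    mkdir -p "$1/usr/bin" "$(dirname "$2")"
    printf '\177ELF-stand-in' > "$2"
    printf '#!/bin/sh\nexec torsocks %s "$@"\n' "$2" > "$1/usr/bin/wget"
    chmod +x "$2" "$1/usr/bin/wget"
}

demo=$(mktemp -d)
make_layout "$demo/first"  "$demo/first/usr/bin/wget-real"    # first attempt
make_layout "$demo/second" "$demo/second/usr/lib/wget/wget"   # layout after review
audit_wget "$demo/first/usr/bin"  || echo "first layout: FAIL"
audit_wget "$demo/second/usr/bin" && echo "second layout: OK"
rm -rf "$demo"
```

On a real system the function would be called as `audit_wget "$PATH"`.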