Date: Mon, 7 Sep 2015 15:39:49 -0500
From: Austin English <austinenglish@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for wget

This was reported to tails-dev [1] and other places [2] and is fixed
upstream [3].

I've rebased the patch for 1.13.4 (attached), which is the current
version in Debian wheezy [4] that Tails is based on.

Please keep me in CC, as I'm not subscribed.

[1] https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
[2] https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00020.html
[3] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099
[4] https://packages.debian.org/wheezy/wget
-- 
-Austin

diff -urN wget-1.13.4.orig/src/ftp.c wget-1.13.4/src/ftp.c
--- wget-1.13.4.orig/src/ftp.c	2011-09-13 03:05:12.000000000 -0500
+++ wget-1.13.4/src/ftp.c	2015-09-07 14:01:10.694727053 -0500
@@ -249,7 +249,6 @@
   char *tms;
   const char *tmrate;
   int cmd = con->cmd;
-  bool pasv_mode_open = false;
   wgint expected_bytes = 0;
   bool got_expected_bytes = false;
   bool rest_failed = false;
@@ -841,13 +840,19 @@
                           ? CONERROR : CONIMPOSSIBLE);
                 }
 
-              pasv_mode_open = true;  /* Flag to avoid accept port */
               if (!opt.server_response)
                 logputs (LOG_VERBOSE, _("done.    "));
-            } /* err==FTP_OK */
-        }
+            }
+          else
+            return err;
 
-      if (!pasv_mode_open)   /* Try to use a port command if PASV failed */
+          /*
+           * We do not want to fall back from PASSIVE mode to ACTIVE mode !
+           * The reason is the PORT command exposes the client's real IP address
+           * to the server. Bad for someone who relies on privacy via a ftp proxy.
+           */
+        }
+      else
         {
           err = ftp_do_port (csock, &local_sock);
           /* FTPRERR, WRITEFAILED, bindport (FTPSYSERR), HOSTERR,
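Review bot: The comment explaining why there is no PASV-to-PORT fallback sits after `else return err;`, just before the closing brace, so the reader meets the early return before its reason. Moving it directly above that `else` keeps rationale and code together, e.g. `/* PASV failed: give up rather than fall back to PORT, which would reveal the client's address to the server. */`. The comment should also say that only the silent fallback is removed: the final `else` branch still calls `ftp_do_port` when passive mode is turned off by configuration, so such setups still send PORT. The enclosing function and the `if` that this final `else` pairs with start outside the hunk, so whether `return err` needs any cleanup first should be checked against the full function.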
@@ -1106,8 +1111,8 @@
     }
 
   /* If no transmission was required, then everything is OK.  */
-  if (!pasv_mode_open)  /* we are not using pasive mode so we need
-                              to accept */
+  if (!opt.ftp_pasv)  /* we are not using passive mode so we need
+                         to accept */
     {
       /* Wait for the server to connect to the address we're waiting
          at.  */
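Review bot: The accept path at `if (!opt.ftp_pasv)` now depends on the global option instead of a per-transfer flag. It is therefore only correct if the connection-setup branch earlier in the function is selected by the same option and nothing changes `opt.ftp_pasv` in between; neither is visible in this hunk. A short comment stating that invariant would help, e.g. `/* Active mode is only entered when opt.ftp_pasv is false; there is no fallback from PASV. */`. The block opened here continues past the end of the hunk.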
diff -urN wget-1.13.4.orig/tests/FTPServer.pm wget-1.13.4/tests/FTPServer.pm
--- wget-1.13.4.orig/tests/FTPServer.pm	2011-01-01 06:12:35.000000000 -0600
+++ wget-1.13.4/tests/FTPServer.pm	2015-09-07 14:01:10.694727053 -0500
@@ -633,6 +633,14 @@
                     last;
                 }
 
+                if (defined($self->{_server_behavior}{pasv_not_supported})
+                    && $cmd eq 'PASV')
+                {
+                    print {$conn->{socket}}
+                      "500 PASV not supported.\r\n";
+                    next;
+                }
+
                 # Run the command.
                 &{$command_table->{$cmd}} ($conn, $cmd, $rest);
             }
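Review bot: The new guard tests `defined(...)` rather than truth, so a test that passes `pasv_not_supported => 0` would still get the 500 reply; `if ($self->{_server_behavior}{pasv_not_supported} && $cmd eq 'PASV')` reads the flag as a boolean. Only PASV is refused here, so if the client under test can request passive mode with another command (EPSV, for instance), the test server would still serve it. A comment stating that the flag covers PASV only would make that limit explicit. The surrounding command loop starts outside the hunk.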
diff -urN wget-1.13.4.orig/tests/Makefile.am wget-1.13.4/tests/Makefile.am
--- wget-1.13.4.orig/tests/Makefile.am	2011-07-20 04:37:15.000000000 -0500
+++ wget-1.13.4/tests/Makefile.am	2015-09-07 15:00:36.864394282 -0500
@@ -82,6 +82,7 @@
              Test-ftp-iri-fallback.px \
              Test-ftp-iri-recursive.px \
              Test-ftp-iri-disabled.px \
+             Test-ftp-pasv-not-supported.px \
              Test-HTTP-Content-Disposition-1.px \
              Test-HTTP-Content-Disposition-2.px \
              Test-HTTP-Content-Disposition.px \
diff -urN wget-1.13.4.orig/tests/run-px wget-1.13.4/tests/run-px
--- wget-1.13.4.orig/tests/run-px	2011-07-20 04:37:15.000000000 -0500
+++ wget-1.13.4/tests/run-px	2015-09-07 15:13:54.125469084 -0500
@@ -35,6 +35,7 @@
     'Test-ftp-iri-fallback.px',
     'Test-ftp-iri-recursive.px',
     'Test-ftp-iri-disabled.px',
+    'Test-ftp-pasv-not-supported.px',
     'Test-HTTP-Content-Disposition-1.px',
     'Test-HTTP-Content-Disposition-2.px',
     'Test-HTTP-Content-Disposition.px',
diff -urN wget-1.13.4.orig/tests/Test-ftp-pasv-not-supported.px wget-1.13.4/tests/Test-ftp-pasv-not-supported.px
--- wget-1.13.4.orig/tests/Test-ftp-pasv-not-supported.px	1969-12-31 18:00:00.000000000 -0600
+++ wget-1.13.4/tests/Test-ftp-pasv-not-supported.px	2015-09-07 14:01:10.698727046 -0500
@@ -0,0 +1,60 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use FTPTest;
+
+# This test checks whether Wget *does not* fall back from passive mode to
+# active mode using a PORT command. Wget <= 1.16.3 made a fallback exposing
+# the client's real IP address to the remote FTP server.
+#
+# This behavior circumvents expected privacy when using a proxy / proxy network (e.g. Tor).
+#
+# Wget >= 1.16.4 does it right. This test checks it.
+
+###############################################################################
+
+# From bug report 10.08.2015 from tomtidaly@...aint.org
+my $afile = <<EOF;
+FTP PORT command code in v1.16.3?
+
+In the past it could be possible for a site over http connection to
+redirect wget to FPT using FTP PORT command so the site gets the real IP
+of the computer even when wget proxy command is in use I believe:
+https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
+
+Is that code still present in wget v1.16.3? It was present in v1.13.4.
+EOF
+
+$afile =~ s/\n/\r\n/g;
+
+
+# code, msg, headers, content
+my %urls = (
+    '/afile.txt' => {
+        content => $afile,
+    },
+);
+
+my $cmdline = $WgetTest::WGETPATH . " -S ftp://localhost:{{port}}/afile.txt";
+
+my $expected_error_code = 8;
+
+my %expected_downloaded_files = (
+    'afile.txt' => {
+        content => $afile,
+    },
+);
+
+###############################################################################
+
+my $the_test = FTPTest->new (
+                             server_behavior => {pasv_not_supported => 1},
+                             input => \%urls,
+                             cmdline => $cmdline,
+                             errcode => $expected_error_code,
+                             output => \%expected_downloaded_files);
+exit !$the_test->run();
+
+# vim: et ts=4 sw=4
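Review bot: `%expected_downloaded_files` lists `afile.txt` with its full content while `$expected_error_code` is 8, which looks contradictory for a test whose server refuses PASV. If the harness (not visible here) verifies listed files after the run, the test would either fail or only pass when a transfer happened, which is the opposite of what it is meant to prove. An empty hash, `my %expected_downloaded_files = ();`, would state the intent that nothing is retrieved once PASV is refused. The header comment also names Wget <= 1.16.3 and >= 1.16.4, which is misleading in a backport to 1.13.4 and should say that this tree carries the fix as a patch. The `# code, msg, headers, content` comment above `%urls` describes fields this test does not use.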
