Date: Thu, 24 Sep 2015 19:55:02 -0500 From: Austin English <austinenglish@...il.com> To: Andreas Stieger <astieger@...e.com> Cc: oss-security@...ts.openwall.com, cve-assign@...re.org Subject: Re: CVE request for wget On Wed, Sep 9, 2015 at 2:52 AM, Andreas Stieger <astieger@...e.com> wrote: > Hello, > > On 09/07/2015 10:39 PM, Austin English wrote: >> This was reported to tails-dev  and other places  and is fixed >> upstream . >> >> I've rebased the patch for 1.13.4 (attached), which is the current >> version in Debian wheezy  that Tails is based on. >> >> Please keep me in CC, as I'm not subscribed. >> >>  https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html >>  https://lists.gnu.org/archive/html/bug-wget/2015-08/msg00020.html >>  http://git.savannah.gnu.org/cgit/wget.git/commit/?id=075d7556964f5a871a73c22ac4b69f5361295099 >>  https://packages.debian.org/wheezy/wget > > To reproduce: > > A $> nc -lv 8020 > B $> wget ftp://A:8020 > > On A keep entering "200 ok", the following will be printed: > >> $ wget ftp://dexter:8020 > --2015-09-08 17:11:30-- ftp://dexter:8020/ > => > ‘.listing’ > Resolving dexter (dexter)... 10.160.4.160 > Connecting to > dexter (dexter)|10.160.4.160|:8020... connected. > Logging in as > anonymous ... Logged in! > ==> SYST ... done. ==> PWD ... done. > ==> > TYPE I ... done. ==> CWD not needed. > ==> PASV ... > Cannot parse PASV > response. > ==> PORT ... > > On the server side: > >> $ nc -lv 8020 > Connection from 10.160.4.160 port 8020 [tcp/intu-ec-svcdisc] accepted >> 200 ok > USER anonymous > 200 ok > SYST > 200 ok > PWD > 200 ok > TYPE > I > 200 ok > PASV > 200 ok > PORT 10,160,4,160,134,42 > ^^^^^^^^^^^^ > > This would affect IP users connecting through a privacy proxy or VPN, > leaking their public IP address if they are otherwise connected without > NAT. For users connecting without such a proxy but through NAT, it leaks > the internal IP address. > > https://bugzilla.suse.com/show_bug.cgi?id=944858 > > Andreas > > -- > Andreas Stieger <astieger@...e.com> > Project Manager Security > SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Ping. It's been over two weeks, I was hoping to have a CVE for this by now :) -- -Austin
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ