Date: Mon, 26 Oct 2015 15:21:23 -0500
From: Austin English <>
To:, Austin English <>,
Subject: Re: Re: CVE request for wget

On Thu, Oct 1, 2015 at 6:10 PM, Seth Arnold <> wrote:
> On Thu, Oct 01, 2015 at 06:57:26PM -0400, wrote:
>> If there is any additional Tails vulnerability related to this,
>> another CVE ID may be needed. For example,
>> says
>>   to be 100% sure, you should add --passive-ftp to your command line.
>>   If you don't do that, your /etc/wgetrc or ~/.wgetrc could include
>>   --no-passive-ftp (or passiveftp = off).
>> If Tails is supposed to try to ensure that, perhaps there's a
>> requirement to have something like:
>>   alias wget="wget --passive-ftp"
>> in a system-wide location (possibly /etc/bash.bashrc). The concept of
>> CVE IDs for "failure of a torify step" issues is new, and we aren't
>> sure of the best approach.
> I suspect using a bash alias in a site-wide config might then qualify for
> another CVE in the future, along the lines of "programs that spawn wget
> via system(3), popen(3), or exec family of functions can use unsafe active
> mode by accident". If Tails is in the business of fixing these things
> for safety, removing active ftp support from tools seems like a better fix.
> Thanks

A fix has been applied to Tails git:

In short, the wget binary is moved to /usr/lib/wget/wget, and a
wrapper script is put in place in /usr/bin/wget. The wrapper ensures
that wget is called via torsocks, and additionally, also forces

Moving wget to /usr/lib/wget/wget gets the potentially dangerous wget
binary out of $PATH. A dedicated attacker could check if /usr/bin/wget
is a script and then parse it to find the actual binary, but that
would need to be a very dedicated attacker and at that point, there
are more feasible attacks available.
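The mechanics of the fix described above (binary moved out of $PATH, wrapper in /usr/bin that forces torsocks and passive FTP), together with Seth's point about system(3)/popen(3) callers bypassing a shell alias, as an added example. This is not the Tails wrapper or packaging and it does not touch the real wget or torsocks: it rebuilds the layout inside a throwaway directory, using stand-in programs that only echo what they were asked to do, so it runs offline. Every path, the example URL, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Tails' actual wrapper: rebuilds the "move the binary out
# of $PATH, put a wrapper in /usr/bin" fix inside a throwaway directory. All
# paths are hypothetical; the wget and torsocks programs below are stand-ins
# that only print what they were invoked with.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/lib/wget" "$SANDBOX/usr/bin"

# Stand-in for the real binary, relocated to a directory that is not in PATH.
cat > "$SANDBOX/usr/lib/wget/wget" <<'EOF'
#!/bin/sh
printf 'wget:%s\n' "$*"
EOF

# Stand-in for torsocks: records that it was in the call chain, then runs the command.
cat > "$SANDBOX/usr/bin/torsocks" <<'EOF'
#!/bin/sh
printf 'torsocks:'
exec "$@"
EOF

# The wrapper that takes the binary's old place in PATH. Passive mode is put
# on the command line so an rc-file "passiveftp = off" cannot re-enable
# active FTP, and the call is routed through torsocks.
cat > "$SANDBOX/usr/bin/wget" <<EOF
#!/bin/sh
exec torsocks "$SANDBOX/usr/lib/wget/wget" --passive-ftp "\$@"
EOF

chmod 755 "$SANDBOX/usr/lib/wget/wget" "$SANDBOX/usr/bin/torsocks" "$SANDBOX/usr/bin/wget"

URL=ftp://example.test/file   # constructed URL; nothing is ever contacted

# What a program using system(3)/popen(3) gets while the raw binary is in
# PATH: no torsocks, no --passive-ftp, and no shell alias is consulted.
raw_binary_call() {
    PATH="$SANDBOX/usr/lib/wget:/usr/bin:/bin" sh -c "wget $URL"
}

# The same call once only the wrapper is reachable through PATH.
wrapped_call() {
    PATH="$SANDBOX/usr/bin:/usr/bin:/bin" sh -c "wget $URL"
}

# The alias approach from the thread: it covers the shell that defined the
# alias, but the child "sh -c" that system(3) runs never sees it.
alias_vs_system() {
    PATH="$SANDBOX/usr/lib/wget:/usr/bin:/bin" bash -c "
        shopt -s expand_aliases
        alias wget='wget --passive-ftp'
        wget $URL
        sh -c 'wget $URL'
    "
}

raw_binary_call     # wget:ftp://example.test/file
wrapped_call        # torsocks:wget:--passive-ftp ftp://example.test/file
alias_vs_system     # second line shows the alias being bypassed
```

The wrapper defends against rc-file settings and against callers that resolve `wget` through PATH without knowing about any alias; it does not stop a caller that appends its own `--no-passive-ftp` after the forced flag, or one that invokes /usr/lib/wget/wget by its full path, which is the "dedicated attacker" case in the mail.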

