Bug #10364

wget may expose user IP address with FTP protocol (CVE-2015-7665)

Added by hybridwipe almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Start date: 10/13/2015
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: -
Target version: Tails_1.7
QA Check: Pass
Blueprint:
Feature Branch:
Easy:
Type of work: Code
Affected tool:

Description

See

I've attached a patch that should address this according to the comments from that thread. However, I have not explicitly set up an FTP server to test the attack and the fix. I won't be in a position to do so for a week or so, but would greatly appreciate if someone else would do that.

A bit of explanation for the patch: I'm using dpkg-divert to move the wget binary to /usr/share/tails/wget to remove it from $PATH. I originally tried moving it to /usr/bin/wget-real, but then noticed that invoking wget w/o any args exposes the true binary name:

    wget-real: missing URL
    Usage: wget-real [OPTION]... [URL]...

    Try `wget-real --help' for more options.

That isn't great, but it's also scary to have wget itself in $PATH (i.e., some Debian-packaged binary may call /usr/bin/wget directly, which would bypass torsocks!). In light of this, I thought it prudent to move it out of $PATH, and /usr/share/tails seemed like an appropriate place, though I'm open to discussion on that.

Please review.

0001-use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt (1.66 KB) hybridwipe, 10/23/2015 10:21 AM


Related issues

Copied to Tails - Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks Confirmed 10/13/2015

Associated revisions

Revision b9fd6312
Added by hybridwipe almost 2 years ago

Fix CVE-2015-7665 against wget in Tails.

Force --passive-ftp in our wget wrapper, and use dpkg-divert to
replace /usr/bin/wget instead of having a second wget in $PATH.

Will-fix: #10364

Revision bd0b04c7
Added by anonym almost 2 years ago

Merge branch 'bugfix/10364-wget-cve-2015-7665' into devel

Fix-committed: #10364

History

#1 Updated by hybridwipe almost 2 years ago

Forgot the links :)

See:
http://www.openwall.com/lists/oss-security/2015/10/01/10
https://mailman.boum.org/pipermail/tails-dev/2015-August/009370.html
https://mailman.boum.org/pipermail/tails-dev/2015-October/009590.html

It may also be necessary/useful to patch wget with the fix for the upstream problem, but this fix should be applied regardless, IMO.

#2 Updated by hybridwipe almost 2 years ago

  • Copied to Bug #10365: Investigate if Nautilus / Tor Browser are vulnerable to FTP IP address leaks added

#3 Updated by intrigeri almost 2 years ago

  • Status changed from New to In Progress
  • Assignee changed from hybridwipe to anonym
  • % Done changed from 0 to 10
  • QA Check set to Ready for QA

#4 Updated by intrigeri almost 2 years ago

(This one was missed by the release manager due to missing ticket metadata.)

> In light of this, I thought it prudent to move it out of $PATH,

Makes sense.

> and /usr/share/tails seemed like an appropriate place, though I'm open to discussion on that.

/usr/lib/wget would be FHS-compliant.

#5 Updated by hybridwipe almost 2 years ago

intrigeri wrote:

> > and /usr/share/tails seemed like an appropriate place, though I'm open to discussion on that.
>
> /usr/lib/wget would be FHS-compliant.

Good point, thanks. Patch updated.
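
The layout this ticket converges on (wrapper in /usr/bin, real binary diverted to /usr/lib/wget, --passive-ftp forced) can be checked mechanically. The script below is an added example, not part of the ticket or of the Tails code base; the function names audit_wget and make_tree, the one-line wrapper body and the sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tails code. Audits a root tree for the layout discussed in
# this ticket: every wget* reachable through PATH must be a wrapper script that
# runs torsocks and forces --passive-ftp, and the real binary must live outside
# PATH (assumed here to be /usr/lib/wget/wget, the location from comment #4).

REAL_DIR=/usr/lib/wget   # assumption: directory the real binary was diverted to

# audit_wget ROOT PATHLIST: prints findings, returns 0 only if the layout is safe
audit_wget() {
    root=$1; rc=0
    old_ifs=$IFS; IFS=:; set -- $2; IFS=$old_ifs   # split PATHLIST on ':'
    for dir in "$@"; do
        if [ "$dir" = "$REAL_DIR" ]; then
            echo "FAIL: $REAL_DIR is in PATH, real wget is directly callable"
            rc=1
        fi
        for f in "$root$dir"/wget*; do
            [ -f "$f" ] || continue
            # A wrapper is a script whose active line runs torsocks ... --passive-ftp
            if head -n 1 "$f" | grep -q '^#!' &&
               grep -Eq -e '^[^#]*torsocks .*--passive-ftp' "$f"; then
                echo "ok: $f is a torsocks/--passive-ftp wrapper"
            else
                echo "FAIL: $f is in PATH but is not a wrapper"
                rc=1
            fi
        done
    done
    [ -f "$root$REAL_DIR/wget" ] || { echo "FAIL: nothing diverted to $REAL_DIR"; rc=1; }
    return "$rc"
}

# make_tree ROOT KIND: constructed sample trees (text stand-ins, not real binaries)
make_tree() {
    mkdir -p "$1/usr/bin" "$1$REAL_DIR"
    printf 'stand-in for the real wget binary\n' > "$1$REAL_DIR/wget"
    printf '#!/bin/sh\nexec torsocks %s/wget --passive-ftp "$@"\n' "$REAL_DIR" \
        > "$1/usr/bin/wget"
    # "leaky" mirrors the first attempt in the description: wget-real left in PATH
    if [ "$2" = leaky ]; then cp "$1$REAL_DIR/wget" "$1/usr/bin/wget-real"; fi
}

tmp=$(mktemp -d)
make_tree "$tmp/good" good; make_tree "$tmp/bad" leaky
audit_wget "$tmp/good" /usr/bin:/bin && echo "good tree: accepted"
audit_wget "$tmp/bad" /usr/bin:/bin || echo "bad tree: rejected"
rm -rf "$tmp"
```

With an empty ROOT the same function inspects the running system, e.g. `audit_wget "" "$PATH"`.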

#6 Updated by hybridwipe almost 2 years ago

  • File deleted (use-dpkg-divert-to-replace-usr-bin-wget-instead-of-h.txt)

#8 Updated by anonym almost 2 years ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 10 to 100

#9 Updated by anonym almost 2 years ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#10 Updated by anonym almost 2 years ago

  • Status changed from Fix committed to Resolved
