
[Bug-wget] CVE-2018-20483 counter-measure


From: Tim Rühsen
Subject: [Bug-wget] CVE-2018-20483 counter-measure
Date: Mon, 31 Dec 2018 12:02:09 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1

As you might have seen, the new release 1.20.1 of GNU Wget addresses
CVE-2018-20483 [1].

The issue is that since 1.19 Wget stores the URL and in certain cases
the 'Referer' URL within extended attributes (xattrs) of the file system
- by default.

This includes username + password and other credentials or private data
*if* those have been used within the URLs. Anyone with read access to
those files might also read the xattrs and might use the data.

Wget 1.20.1 or higher will not use xattrs by default any more. To enable
it again you have to use the --xattr option or xattr command for .wgetrc
files.


To check if files are affected in and below the current directory, you
can use the following command (Linux):

find . -type f -print0 | LC_ALL=C xargs -0 xattr | \
egrep 'user.xdg.origin.url|user.xdg.referrer.url'


To print the contents of 'user.xdg.origin.url':

find . -type f -print0 | LC_ALL=C xargs -0 xattr \
-p user.xdg.origin.url 2>/dev/null


To print the contents of 'user.xdg.referrer.url':

find . -type f -print0 | LC_ALL=C xargs -0 xattr \
-p user.xdg.referrer.url 2>/dev/null


To remove the xattrs:

find . -type f -print0 | LC_ALL=C xargs -0 xattr \
-d user.xdg.origin.url 2>/dev/null

find . -type f -print0 | LC_ALL=C xargs -0 xattr \
-d user.xdg.referrer.url 2>/dev/null


E.g. for Debian the 'xattr' command comes with the 'xattr' package.
Install by `sudo apt-get install xattr`.


I am really sorry for the inconvenience.
Please spread the word.


With Best Regards, Tim


[1] https://security-tracker.debian.org/tracker/CVE-2018-20483

Attachment: signature.asc
Description: OpenPGP digital signature
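As an added example (not code from Tim's post or from Wget itself), the same check and clean-up as a small Python script built on the standard-library os.listxattr/os.getxattr/os.removexattr calls (Linux only). It goes one step beyond the one-liners above by flagging which stored URLs actually carry userinfo; the xattr calls are injectable and SAMPLE is a constructed stand-in for a download directory, so the logic can be exercised without an xattr-capable filesystem.

```python
import os
from urllib.parse import urlsplit

# xattr names that Wget 1.19 - 1.20 wrote by default (see the post above)
WGET_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")

def url_has_credentials(url):
    """True if the URL carries userinfo (user[:password]@host) before the host."""
    return "@" in urlsplit(url).netloc

def redact_credentials(url):
    """Strip userinfo from a URL, keeping scheme, host, port, path and query."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    return parts._replace(netloc=parts.netloc.rsplit("@", 1)[1]).geturl()

def scan_files(paths, list_xattrs=os.listxattr, get_xattr=os.getxattr):
    """Return (path, attr, url, leaks_credentials) for each Wget xattr on the given files."""
    findings = []
    for path in paths:  # for a whole tree, feed it the files from os.walk()
        try:
            names = list_xattrs(path)
        except OSError:  # filesystem without xattr support, or no permission
            continue
        for attr in names:
            if attr in WGET_XATTRS:
                url = get_xattr(path, attr).decode("utf-8", "replace")
                findings.append((path, attr, url, url_has_credentials(url)))
    return findings

def strip_wget_xattrs(findings, remove_xattr=os.removexattr):
    """Delete every Wget xattr listed in findings; returns how many were removed."""
    removed = 0
    for path, attr, _url, _leaks in findings:
        try:
            remove_xattr(path, attr)
            removed += 1
        except OSError:
            pass
    return removed

SAMPLE = {  # constructed sample standing in for a download directory: path -> {xattr: value}
    "dl/report.pdf": {"user.xdg.origin.url": b"https://alice:s3cret@intranet.example/report.pdf",
                      "user.xdg.referrer.url": b"https://intranet.example/index.html"},
    "dl/logo.png": {"user.xdg.origin.url": b"https://example.org/logo.png"}}

def scan_sample():
    """Run the scanner over SAMPLE with dict-backed stand-ins for the os.*xattr calls."""
    return scan_files(SAMPLE, list_xattrs=lambda p: list(SAMPLE[p]), get_xattr=lambda p, a: SAMPLE[p][a])
```

On a real tree call scan_files with the paths from os.walk(), review the findings, and only then pass them to strip_wget_xattrs.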

