QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Replace wget with curl #6528

Open DemiMarie opened 3 years ago

DemiMarie commented 3 years ago

The problem you're addressing (if any)

wget has a bad history of security vulnerabilities, and it relies on gnutls which also has a history of issues. curl, on the other hand, has never had a single vulnerability that affects unauthenticated HTTP and/or HTTPS downloads from ASCII domain names, as long as its protocols are limited to HTTP and HTTPS.

Describe the solution you'd like

We should replace the uses of wget in the builder with curl.

Where is the value to a user, and who might that user be?

All users will benefit from reduced attack surface in the builder.

Describe alternatives you've considered

None

Additional context

See CVE-2017-13089, CVE-2017-13090, and CVE-2019-5953.

Relevant documentation you've consulted

Related, non-duplicate issues

DemiMarie commented 2 years ago

This is almost finished; there is one remaining use of wget.
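
An added example, not code from the Qubes builder or from anyone in this thread: a small shell audit for the migration this issue describes. It lists remaining wget calls and curl calls that do not restrict protocols with `--proto`. The sample tree and its file names are constructed, and the check is line-based, so a curl command split across continuation lines can be flagged even if `--proto` appears on a later line.

```shell
#!/bin/sh
# Added example: audit a source tree during a wget -> curl migration.
# The sample tree below is constructed; its file names are hypothetical.

# Print "file:line:reason" for every wget call and for every curl call
# that does not pass --proto to limit the allowed protocols.
audit_downloaders() {
    find "$1" -type f | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }    # ignore comment lines
            /(^|[^A-Za-z0-9_-])wget([^A-Za-z0-9_-]|$)/ {
                print file ":" NR ":wget still used"
            }
            /(^|[^A-Za-z0-9_-])curl([^A-Za-z0-9_-]|$)/ && !/--proto[ =]/ {
                print file ":" NR ":curl without --proto"
            }
        ' "$f"
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    # Makefile: one leftover wget call, one curl call restricted to HTTPS.
    printf '# old note: sources were fetched with wget\nget-sources:\n\twget -O src.tar.gz $(URL)\n\tcurl --proto "=https" -fsSL -o src.sig $(URL).sig\n' > "$d/Makefile"
    # fetch.sh: one unrestricted curl call, one limited to HTTP and HTTPS
    # (redirects included via --proto-redir).
    printf 'curl -fsSL -o pkg.rpm "$URL"\ncurl --proto =http,https --proto-redir =http,https -fsSL -o key.asc "$KEY_URL"\n' > "$d/fetch.sh"
    printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed tree.
tree=$(make_sample_tree)
audit_downloaders "$tree"
rm -rf "$tree"
```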