Wget Vulnerable in WSL - CVE-2016-4971

[brianjking]

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4971.html http://www.ubuntu.com/usn/usn-3012-1/

bk@BLACKBOX  /mnt/c/Users/brian  wget --version
GNU Wget 1.15 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale:
    /usr/share/locale
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
    -I../../lib -D_FORTIFY_SOURCE=2 -I/usr/include -g -O2
    -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
Link:
    gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
    -Wl,-Bsymbolic-functions -Wl,-z,relro -L/usr/lib -lssl -lcrypto
    -ldl -lz -lidn -luuid ftp-opie.o openssl.o http-ntlm.o
    ../lib/libgnu.a

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.

[benhillis]

Patching wget should be possible the same way it is on native Ubuntu. It's interesting that the updated version of wget isn't coming down via apt-get dist-upgrade but I double checked and I see the same behavior on native Ubuntu 14.04.

[brianjking]

@benhillis

 bk@BLACKBOX  /mnt/c/Users/brian  sudo apt show wget
Package: wget
Priority: standard
Section: web
Installed-Size: 651 kB
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Noël Köthe <noel@debian.org>
Version: 1.15-1ubuntu1.14.04.2
Depends: libc6 (>= 2.17), libidn11 (>= 1.13), libssl1.0.0 (>= 1.0.0), libuuid1 (>= 2.16), zlib1g (>= 1:1.1.4)
Recommends: ca-certificates
Conflicts: wget-ssl
Download-Size: 271 kB
Homepage: http://www.gnu.org/software/wget/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y
Task: standard, kubuntu-active, kubuntu-active, mythbuntu-frontend, mythbuntu-desktop, mythbuntu-backend-slave, mythbuntu-backend-slave, mythbuntu-backend-master, mythbuntu-backend-master
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
Description: retrieves files from the web
 Wget is a network utility to retrieve files from the web
 using HTTP(S) and FTP, the two most widely used internet
 protocols. It works non-interactively, so it will work in
 the background, after having logged off. The program supports
 recursive retrieval of web-authoring pages as well as FTP
 sites -- you can use Wget to make mirrors of archives and
 home pages or to travel the web like a WWW robot.
 .
 Wget works particularly well with slow or unstable connections
 by continuing to retrieve a document until the document is fully
 downloaded. Re-getting files from where it left off works on
 servers (both HTTP and FTP) that support it. Both HTTP and FTP
 retrievals can be time stamped, so Wget can see if the remote
 file has changed since the last retrieval and automatically
 retrieve the new version if it has.
 .
 Wget supports proxy servers; this can lighten the network load,
 speed up retrieval, and provide access behind firewalls.

N: There is 1 additional record. Please use the '-a' switch to see it

I wonder if it's an issue with wget-ssl?

I don't have an actual native Ubuntu 14.x VM to test on, just Ubuntu 16.x which is already patched properly.

[benhillis]

Based on the links you provided in your original post 1.15-1ubuntu1.14.04.2 is the correct patched version for 14.04.

[benhillis]

We handle updates to the subsystem through our users running apt or apt-get. It looks to me like the package is getting correctly updated, but please reopen if I'm missing something.

Thank you for reporting this.