Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu,  1 Oct 2015 18:57:26 -0400 (EDT)
Subject: Re: CVE request for wget

Hash: SHA256

>>                                                 ... We know that a
>> design goal of Tails is to prevent Internet servers from discovering
>> the IP address of a machine running Tails. Possibly it's a design
>> requirement of Tails that a developer needs to "torify" every piece of
>> Internet client software before it can be shipped with the Tails
>> distribution, and that a failure of a torify step is, by definition, a
>> Tails vulnerability.

> That's a reasonable position, please instead issue a CVE for Tails.

Use CVE-2015-7665 for the Tails vulnerability corresponding to the

If there is any additional Tails vulnerability related to this,
another CVE ID may be needed. For example,


  to be 100% sure, you should add --passive-ftp to your command line.
  If you don't do that, your /etc/wgetrc or ~/.wgetrc could include
  --no-passive-ftp (or passiveftp = off).

If Tails is supposed to try to ensure that, perhaps there's a
requirement to have something like:

  alias wget="wget --passive-ftp"

in a system-wide location (possibly /etc/bash.bashrc). The concept of
CVE IDs for "failure of a torify step" issues is new, and we aren't
sure of the best approach.

Responding to:

> From: Andreas Stieger <>
> Date: Tue, 29 Sep 2015 13:12:37 +0200

>> We really don't understand what set of expectations led to this
>> becoming a CVE request for a vulnerability in wget.

> Possibly assignments for CWE-200 including CVE-2000-0649, CVE-2002-0422
> relating to exposure if an internal IP address of a communication partner.

The difference here is that sending the client IP address within the
TCP application data is inherently a part of the FTP protocol. That's
why we've been reluctant to consider this a vulnerability in the
upstream wget distribution.

This is also a situation in which the need to torify may be different
with IPv6 than with IPv4. IPv4 NAT environments are sometimes set up
so that clients cannot successfully use FTP in active mode. Perhaps
because of this, it is currently common for FTP clients to use passive
mode by default. With IPv6, it is probably more likely that a client
can successfully use FTP in active mode. There might be, now or in the
near future, FTP clients that try active mode for IPv6 FTP servers.
Thus, when Tor is used, there may be information disclosure in EPRT
commands even when there hadn't been information disclosure in PORT
commands. (Of course, a PORT command may be sent even when active mode
is ultimately going to fail. The point is that, for communication
between a normal FTP client and a normal IPv4 FTP server, active mode
will often never be attempted.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.