Debian Bug report logs -
#766981
CVE-2014-4877: wget: FTP symlink arbitrary filesystem access
Reported by: Henri Salo <henri@nerv.fi>
Date: Mon, 27 Oct 2014 11:45:07 UTC
Severity: important
Tags: confirmed, fixed-upstream, security, upstream
Found in versions wget/1.15-1, wget/1.12-1
Fixed in versions wget/1.16-1, wget/1.13.4-3+deb7u2
Done: Noël Köthe <noel@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#766981; Package wget.
(Mon, 27 Oct 2014 11:45:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Noël Köthe <noel@debian.org>.
(Mon, 27 Oct 2014 11:45:12 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Package: wget
Version: 1.15-1
Severity: important
Tags: fixed-upstream, security, upstream
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
"""
Wget was susceptible to a symlink attack which could create arbitrary files,
directories or symbolic links and set their permissions when retrieving a
directory recursively through FTP. This commit changes the default settings in
Wget such that Wget no longer creates local symbolic links, but rather traverses
them and retrieves the pointed-to file in such a retrieval. The old behaviour
can be attained by passing the --retr-symlinks=no option to the Wget invokation
command.
"""
- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlROLg0ACgkQXf6hBi6kbk//KgCfY1kB9+jp++XGb1GMlekuBirP
IbEAoMBHvnAupKh7npnyUcyxyzk9R6R6
=uiOZ
-----END PGP SIGNATURE-----
Marked as fixed in versions wget/1.16-1.
Request was from Noël Köthe <noel@debian.org>
to control@bugs.debian.org.
(Mon, 27 Oct 2014 12:15:04 GMT) (full text, mbox, link).
Added tag(s) confirmed.
Request was from Noël Köthe <noel@debian.org>
to control@bugs.debian.org.
(Mon, 27 Oct 2014 12:15:05 GMT) (full text, mbox, link).
Reply sent
to Noël Köthe <noel@debian.org>:
You have taken responsibility.
(Mon, 27 Oct 2014 12:15:10 GMT) (full text, mbox, link).
Notification sent
to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer.
(Mon, 27 Oct 2014 12:15:10 GMT) (full text, mbox, link).
Message #14 received at 766981-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
fixed 766981 1.16-1
tags 766981 + confirmed
thanks
Am Montag, den 27.10.2014, 13:35 +0200 schrieb Henri Salo:
> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
>
> """
> Wget was susceptible to a symlink attack which could create arbitrary files,
> directories or symbolic links and set their permissions when retrieving a
> directory recursively through FTP. This commit changes the default settings in
> Wget such that Wget no longer creates local symbolic links, but rather traverses
> them and retrieves the pointed-to file in such a retrieval. The old behaviour
> can be attained by passing the --retr-symlinks=no option to the Wget invokation
> command.
> """
This is fixed in the today released version of wget 1.16 which is
already uploaded to unstable:
https://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html
https://packages.qa.debian.org/w/wget/news/20141027T104935Z.html
It will be in the archive in the next hours.
Regards
Noël
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#766981; Package wget.
(Mon, 27 Oct 2014 12:39:33 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>.
(Mon, 27 Oct 2014 12:39:33 GMT) (full text, mbox, link).
Message #19 received at 766981@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok. Nice and thanks!
- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlROOtkACgkQXf6hBi6kbk+dTwCfSMi51fRJ8AVXXL3tXG3OYKG+
FZgAmwQQna4Jd4nbP9HnjqFHQVQF7CE/
=bBRW
-----END PGP SIGNATURE-----
Marked as found in versions wget/1.12-1.
Request was from Henrique de Moraes Holschuh <hmh@debian.org>
to control@bugs.debian.org.
(Thu, 30 Oct 2014 22:21:05 GMT) (full text, mbox, link).
Marked as fixed in versions wget/1.13.4-3+deb7u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 02 Nov 2014 21:27:09 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 01 Dec 2014 08:13:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:01:48 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon