DSA-209-1 wget -- directory traversal

Debian Security Advisory

DSA-209-1 wget -- directory traversal

Date Reported:

12 Dec 2002

Affected Packages:

wget

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 6352.
In Mitre's CVE dictionary: CVE-2002-1344, CVE-2002-1565.

More information:

Two problems have been found in the wget package as distributed in Debian GNU/Linux:

• Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long URLs
• Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make an FTP client overwrite arbitrary files.

Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux 2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.diff.gz

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3.orig.tar.gz

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.dsc

alpha (DEC Alpha):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_alpha.deb

arm (ARM):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_arm.deb

i386 (Intel ia32):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_i386.deb

m68k (Motorola Mc680x0):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_m68k.deb

powerpc (PowerPC):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_powerpc.deb

sparc (Sun SPARC/UltraSPARC):

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1.orig.tar.gz

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.diff.gz

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.dsc

alpha (DEC Alpha):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_alpha.deb

arm (ARM):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_arm.deb

hppa (HP PA RISC):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_hppa.deb

i386 (Intel ia32):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_i386.deb

ia64 (Intel ia64):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_ia64.deb

m68k (Motorola Mc680x0):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_m68k.deb

mips (MIPS (Big Endian)):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_mips.deb

powerpc (PowerPC):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_powerpc.deb

s390 (IBM S/390):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_s390.deb

sparc (Sun SPARC/UltraSPARC):

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.