Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 527056 (CVE-2014-4877) - <net-misc/wget-1.16 arbitrary file creation through ftp symlinks (CVE-2014-4877)
Summary: <net-misc/wget-1.16 arbitrary file creation through ftp symlinks (CVE-2014-4877)
Status: RESOLVED FIXED
Alias: CVE-2014-4877
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://git.savannah.gnu.org/cgit/wget...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-27 11:35 UTC by Hanno Böck
Modified: 2014-11-23 14:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2014-10-27 11:35:43 UTC
wget 1.15 and earlier suffer from an issue where an ftp server that's recursively downloaded can create arbitrary files and directories through symlinks.

Upstream fix makes this behaviour non-default and it should only be invoked on trusted servers:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7

See also redhat bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1139181

wget released 1.16 today which fixes the issue. Please bump.
Comment 1 SpanKY gentoo-dev 2014-10-27 19:12:52 UTC
1.16 is in the tree
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-28 08:36:42 UTC
Arches, please test and mark stable:
=net-misc/wget-1.16
Target keywords : "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-28 08:49:23 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-28 08:49:37 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-28 10:27:20 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:21 UTC
sparc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 16:37:10 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2014-10-30 19:03:24 UTC
arm stable
Comment 9 Tiago Marques 2014-10-31 09:53:22 UTC
Shouldn't there be a GLSA for this? I knew of this vulnerability through a Debian system I also have.
Comment 10 SpanKY gentoo-dev 2014-10-31 16:07:55 UTC
(In reply to Tiago Marques from comment #9)

the bug isn't closed until a GLSA is issued.  a GLSA isn't issued until arches have stabilized it.
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-02 09:43:22 UTC
ia64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-09 09:20:15 UTC
ppc/ppc64 stable

arm/arm64/s390/sh already stable.

Cleanup please!

GLSA request filed.
Comment 13 Tiago Marques 2014-11-10 16:23:38 UTC
(In reply to SpanKY from comment #10)
> (In reply to Tiago Marques from comment #9)
> 
> the bug isn't closed until a GLSA is issued.  a GLSA isn't issued until
> arches have stabilized it.

Not submitting GLSAs despite not having versions stabilized seems bad policy. If I only use "glsa-check" to patch my systems, it should tell me if my system has vulnerabilities or not and let me apply unstable versions. Is this unreasonable to ask?
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2014-11-10 22:14:44 UTC
(In reply to Tiago Marques from comment #13)
> (In reply to SpanKY from comment #10)
> > (In reply to Tiago Marques from comment #9)
> > 
> > the bug isn't closed until a GLSA is issued.  a GLSA isn't issued until
> > arches have stabilized it.
> 
> Not submitting GLSAs despite not having versions stabilized seems bad
> policy. If I only use "glsa-check" to patch my systems, it should tell me if
> my system has vulnerabilities or not and let me apply unstable versions. Is
> this unreasonable to ask?

Yes, and this bug is not the appropriate forum to discuss it. 


Maintainers, the GLSA is ready to be released as soon as you cleanup the vulnerable versions. When you do, please add a note here and revert the whiteboard to "A2 [glsa]". Thanks!
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-11-16 07:58:31 UTC
Old dropped (as per conversation with Chainsaw on #-dev a couple of days ago).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-11-16 08:41:59 UTC
This issue was resolved and addressed in
 GLSA 201411-05 at http://security.gentoo.org/glsa/glsa-201411-05.xml
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-11-23 14:35:26 UTC
CVE-2014-4877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4877):
  Absolute path traversal vulnerability in GNU Wget before 1.16, when
  recursion is enabled, allows remote FTP servers to write to arbitrary files,
  and consequently execute arbitrary code, via a LIST response that references
  the same filename within two entries, one of which indicates that the
  filename is for a symlink.