| Summary: | <net-misc/wget-1.16 arbitrary file creation through ftp symlinks (CVE-2014-4877) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | base-system, bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Hanno Böck
2014-10-27 11:35:43 UTC
1.16 is in the tree.

Arches, please test and mark stable: =net-misc/wget-1.16
Target keywords: "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

Stable for HPPA.

sparc stable

Stable on alpha.

arm stable

Comment #9 (Tiago Marques): Shouldn't there be a GLSA for this? I knew of this vulnerability through a Debian system I also have.

Comment #10 (SpanKY):
(In reply to Tiago Marques from comment #9)
The bug isn't closed until a GLSA is issued. A GLSA isn't issued until arches have stabilized it.

ia64 stable

ppc/ppc64 stable

arm/arm64/s390/sh already stable. Cleanup please! GLSA request filed.

Comment #13 (Tiago Marques):
(In reply to SpanKY from comment #10)
> (In reply to Tiago Marques from comment #9)
> > the bug isn't closed until a GLSA is issued. a GLSA isn't issued until
> > arches have stabilized it.

Not submitting GLSAs despite not having versions stabilized seems bad policy. If I only use "glsa-check" to patch my systems, it should tell me if my system has vulnerabilities or not and let me apply unstable versions. Is this unreasonable to ask?

(In reply to Tiago Marques from comment #13)
> (In reply to SpanKY from comment #10)
> > (In reply to Tiago Marques from comment #9)
> > > the bug isn't closed until a GLSA is issued. a GLSA isn't issued until
> > > arches have stabilized it.
>
> Not submitting GLSAs despite not having versions stabilized seems bad
> policy. If I only use "glsa-check" to patch my systems, it should tell me if
> my system has vulnerabilities or not and let me apply unstable versions. Is
> this unreasonable to ask?

Yes, and this bug is not the appropriate forum to discuss it.

Maintainers, the GLSA is ready to be released as soon as you clean up the vulnerable versions. When you do, please add a note here and revert the whiteboard to "A2 [glsa]". Thanks!

Old dropped (as per conversation with Chainsaw on #-dev a couple of days ago).

This issue was resolved and addressed in GLSA 201411-05 at http://security.gentoo.org/glsa/glsa-201411-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).
CVE-2014-4877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4877): Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
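To make the CVE text above concrete, here is an added example (my own code, not wget's and not part of this bug) that models the two-entry LIST trick in a toy recursive FTP mirror. `parse_list` reads a Unix-style `ls -l` listing as an FTP server sends it; `mirror` can either recreate symlink entries locally and then write through them (the pre-1.16 behaviour) or fetch them as plain files, which is what `--retr-symlinks=on`, the upstream mitigation, does. The `contain` flag is a defensive check of my own, not something wget implements: it refuses writes whose local path is a symlink or resolves outside the mirror root. The listing, the `notes.txt` name, the `victim_home_` directory and the file bodies are all constructed for the demonstration.

```python
"""Model of the CVE-2014-4877 symlink pattern in a recursive FTP mirror.

Added example, not wget's code: a tiny LIST parser plus a mirror routine that
behaves either like the vulnerable client (recreate server symlinks locally,
then write through them) or like the mitigated one (retrieve symlink entries
as plain files, optionally refusing writes that escape the mirror root).
"""
import os
import re
import tempfile
from dataclasses import dataclass

# One Unix-style "ls -l" line as sent in a LIST response: type flag, nine
# permission characters, link count, owner, group, size, three date fields,
# then the name (for symlinks "name -> target").
LIST_LINE = re.compile(
    r"^([-dl])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    kind: str          # "-" regular file, "d" directory, "l" symlink
    name: str
    target: str = ""   # symlink target, only meaningful when kind == "l"


def parse_list(listing):
    """Parse LIST output into Entry objects, preserving server order."""
    entries = []
    for line in listing.splitlines():
        m = LIST_LINE.match(line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(2)
        if kind == "l" and " -> " in rest:
            name, target = rest.split(" -> ", 1)
            entries.append(Entry(kind, name, target))
        else:
            entries.append(Entry(kind, rest))
    return entries


def mirror(entries, dest, bodies, retr_symlinks, contain=False):
    """Retrieve one directory listing into dest.

    retr_symlinks=False: recreate symlink entries locally (pre-1.16 behaviour).
    retr_symlinks=True:  fetch symlink entries as ordinary files, i.e. what
                         --retr-symlinks=on, the upstream mitigation, does.
    contain=True:        additionally refuse any write whose local path is a
                         symlink or resolves outside dest (my own check, not
                         something wget does).
    bodies maps a name to the bytes the (attacker-controlled) server returns.
    """
    dest_real = os.path.realpath(dest)
    for e in entries:
        local = os.path.join(dest, e.name)
        if e.kind == "d":
            continue            # recursion into subdirectories is not modelled
        if e.kind == "l" and not retr_symlinks:
            os.symlink(e.target, local)
            continue
        if contain:
            resolved = os.path.realpath(local)
            if os.path.islink(local) or os.path.commonpath([dest_real, resolved]) != dest_real:
                raise ValueError(f"refusing to write outside mirror root: {e.name}")
        # open() follows an existing symlink at `local`; that is exactly how the
        # second entry with the same name reaches the attacker's chosen path.
        with open(local, "wb") as f:
            f.write(bodies[e.name])


def run_demo(retr_symlinks, contain=False):
    """Mirror a constructed malicious listing; report where the bytes landed."""
    outside = tempfile.mkdtemp(prefix="victim_home_")   # stands in for $HOME
    dest = tempfile.mkdtemp(prefix="mirror_")           # the download root
    victim = os.path.join(outside, ".bash_profile")
    # Constructed LIST response following the CVE text: the same name appears
    # twice, first as a symlink pointing outside the mirror, then as a file.
    listing = (
        f"lrwxrwxrwx 1 ftp ftp 40 Oct 27 2014 notes.txt -> {victim}\n"
        f"-rw-r--r-- 1 ftp ftp 24 Oct 27 2014 notes.txt\n"
    )
    bodies = {"notes.txt": b"echo pwned >> ~/.marker\n"}
    try:
        mirror(parse_list(listing), dest, bodies, retr_symlinks, contain)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "blocked": blocked,
        "outside_written": os.path.exists(victim),
        "local_is_symlink": os.path.islink(os.path.join(dest, "notes.txt")),
    }


if __name__ == "__main__":
    for args in ((False, False), (True, True), (False, True)):
        print(args, run_demo(*args))
```

With `retr_symlinks=False` the second `notes.txt` entry is written through the symlink the first entry created, so the file lands in the victim directory; with `retr_symlinks=True` both entries are fetched as regular files and nothing leaves the mirror root. The `contain` check shows the defence a client can apply even if it does create symlinks. On an affected wget the documented mitigation was `--retr-symlinks=on` (or the equivalent wgetrc setting); on Gentoo the fix ships via GLSA 201411-05 referenced above.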