Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 674170 (CVE-2018-20483)

Summary: <net-misc/wget-1.20.1: password and metadata leak via extended filesystem attributes (CVE-2018-20483)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.gnu.org/archive/html/bug-wget/2018-12/msg00034.html
Whiteboard: A2 [glsa+ cve]
Package list:
net-misc/wget-1.20.1
 Runtime testing required: ---

Description Hanno Böck gentoo-dev 2018-12-31 12:17:34 UTC 
wget stores download URLs (and included in them potentially HTTP authentication passwords) in its extended attributes.

Upstream 1.20.1 disables this behavior by default and adds some safeguards, see:
https://lists.gnu.org/archive/html/bug-wget/2018-12/msg00034.html

It's already in the tree, I suggest stabilizing 1.20.1 asap.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-31 16:44:46 UTC 
x86 stable
Comment 2 Rolf Eike Beer archtester 2019-01-01 11:08:09 UTC 
sparc stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:20:07 UTC 
ppc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:22:07 UTC 
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:30:54 UTC 
commit db55a059572de84d5bb25032009711b652f2d527
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Mon Dec 31 18:00:32 2018 +0100

    net-misc/wget: Stable for HPPA too.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:36:30 UTC 
ia64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-02 09:59:37 UTC 
amd64 stable
Comment 8 Mart Raudsepp gentoo-dev 2019-01-07 18:49:04 UTC 
arm64 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 06:21:40 UTC 
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 20:50:40 UTC 
This issue was resolved and addressed in
 GLSA 201903-08 at https://security.gentoo.org/glsa/201903-08
by GLSA coordinator Aaron Bauman (b-man).