Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 674170 (CVE-2018-20483) - <net-misc/wget-1.20.1: password and metadata leak via extended filesystem attributes (CVE-2018-20483)
Summary: <net-misc/wget-1.20.1: password and metadata leak via extended filesystem att...
Alias: CVE-2018-20483
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on:
Reported: 2018-12-31 12:17 UTC by Hanno Böck
Modified: 2019-03-10 20:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2018-12-31 12:17:34 UTC
wget stores download URLs (and included in them potentially HTTP authentication passwords) in its extended attributes.

Upstream 1.20.1 disables this behavior by default and adds some safeguards, see:

It's already in the tree, I suggest stabilizing 1.20.1 asap.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-31 16:44:46 UTC
x86 stable
Comment 2 Rolf Eike Beer archtester 2019-01-01 11:08:09 UTC
sparc stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:20:07 UTC
ppc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:22:07 UTC
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:30:54 UTC
commit db55a059572de84d5bb25032009711b652f2d527
Author: Jeroen Roovers <>
Date:   Mon Dec 31 18:00:32 2018 +0100

    net-misc/wget: Stable for HPPA too.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:36:30 UTC
ia64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-02 09:59:37 UTC
amd64 stable
Comment 8 Mart Raudsepp gentoo-dev 2019-01-07 18:49:04 UTC
arm64 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 06:21:40 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 20:50:40 UTC
This issue was resolved and addressed in
 GLSA 201903-08 at
by GLSA coordinator Aaron Bauman (b-man).