Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 329941 (CVE-2010-2252) - <net-misc/wget-1.12-r2: arbitrary code execution (CVE-2010-2252)
Summary: <net-misc/wget-1.12-r2: arbitrary code execution (CVE-2010-2252)
Status: RESOLVED FIXED
Alias: CVE-2010-2252
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-26 15:43 UTC by Stefan Behte (RETIRED)
Modified: 2016-06-14 16:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:43:23 UTC
CVE-2010-2252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2252):
  GNU Wget 1.12 and earlier uses a server-provided filename instead of
  the original URL to determine the destination filename of a download,
  which allows remote servers to create or overwrite arbitrary files
  via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx
  redirect to a URL with a crafted filename, and possibly execute
  arbitrary code as a consequence of writing to a dotfile in a home
  directory.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:44:13 UTC
We use wget for fetching packages as root, so lets fix this as soon as upstream reacts.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:46:49 UTC
Sorry for bugspam!
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-07-26 21:53:36 UTC
For the sake of stating it, wget _should_ run with userpriv iirc by default. does not solve the problem, but at least it seems to be slightly make it feasible to deal with.
Comment 4 SpanKY gentoo-dev 2010-08-21 22:17:57 UTC
ive added the upstream commit to wget-1.12-r2 (add --trust-server-names option that defaults to off)
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 23:38:55 UTC
Arches, please test and mark stable:
=net-misc/wget-1.12-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-04 01:43:41 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 16:50:19 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-09-05 09:44:38 UTC
amd64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:12:41 UTC
ppc64 done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-06 22:37:56 UTC
Stable for HPPA PPC.

Readding S390:

Index: wget-1.12-r2.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -B -r1.3 -r1.4
--- wget-1.12-r2.ebuild 4 Sep 2010 01:42:04 -0000       1.3
+++ wget-1.12-r2.ebuild 4 Sep 2010 16:49:32 -0000       1.4
@@ -1,6 +1,6 @@
 # Copyright 1999-2010 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.3 2010/09/04 01:4
2:04 phajdan.jr Exp $                                                                      +# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r2.ebuild,v 1.4 2010/09/04 16:4
9:32 armin76 Exp $                                                                          
 EAPI="2"
 
@@ -12,7 +12,7 @@
 
 LICENSE="GPL-3"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~spa
rc-fbsd ~x86-fbsd"                                                                         +KEYWORDS="alpha ~amd64 arm ~hppa ia64 m68k ~mips ~ppc ~ppc64 ~s390 sh sparc x86 ~sparc-fbs
d ~x86-fbsd"                                                                                IUSE="debug idn ipv6 nls ntlm +ssl static"
 
 RDEPEND="idn? ( net-dns/libidn )
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-09-19 17:50:07 UTC
s390 stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:26:28 UTC
GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-13 23:51:22 UTC
This issue was resolved and addressed in
 GLSA 201110-10 at http://security.gentoo.org/glsa/glsa-201110-10.xml
by GLSA coordinator Tim Sammut (underling).