wget 1.15 and earlier suffer from an issue where an ftp server that's recursively downloaded can create arbitrary files and directories through symlinks. Upstream fix makes this behaviour non-default and it should only be invoked on trusted servers: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7 See also redhat bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1139181 wget released 1.16 today which fixes the issue. Please bump.
1.16 is in the tree
Arches, please test and mark stable: =net-misc/wget-1.16
Target keywords: "alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
sparc stable
Stable on alpha.
arm stable
Shouldn't there be a GLSA for this? I knew of this vulnerability through a Debian system I also have.
(In reply to Tiago Marques from comment #9) the bug isn't closed until a GLSA is issued. a GLSA isn't issued until arches have stabilized it.
ia64 stable
ppc/ppc64 stable

arm/arm64/s390/sh already stable.

Cleanup please! GLSA request filed.
(In reply to SpanKY from comment #10)
> (In reply to Tiago Marques from comment #9)
>
> the bug isn't closed until a GLSA is issued. a GLSA isn't issued until
> arches have stabilized it.

Not submitting GLSAs despite not having versions stabilized seems bad policy. If I only use "glsa-check" to patch my systems, it should tell me if my system has vulnerabilities or not and let me apply unstable versions. Is this unreasonable to ask?
(In reply to Tiago Marques from comment #13)
> (In reply to SpanKY from comment #10)
> > (In reply to Tiago Marques from comment #9)
> >
> > the bug isn't closed until a GLSA is issued. a GLSA isn't issued until
> > arches have stabilized it.
>
> Not submitting GLSAs despite not having versions stabilized seems bad
> policy. If I only use "glsa-check" to patch my systems, it should tell me if
> my system has vulnerabilities or not and let me apply unstable versions. Is
> this unreasonable to ask?

Yes, and this bug is not the appropriate forum to discuss it.

Maintainers, the GLSA is ready to be released as soon as you cleanup the vulnerable versions. When you do, please add a note here and revert the whiteboard to "A2 [glsa]". Thanks!
Old dropped (as per conversation with Chainsaw on #-dev a couple of days ago).
This issue was resolved and addressed in GLSA 201411-05 at http://security.gentoo.org/glsa/glsa-201411-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).
CVE-2014-4877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4877): Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
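The CVE text above describes the trigger as a LIST response that names the same file twice, once as a symlink and once as a regular entry, so that a recursive client first creates the link and then writes through it. The following added example (illustrative code written for this bug, not wget's own code and not the upstream fix) shows the kind of pre-mirror sanity check a recursive FTP client or mirroring wrapper can run over a listing before fetching anything: it parses the common `ls -l` style LIST format (an assumption; other servers use different layouts), flags names that appear as both a symlink and a non-symlink, and flags symlink targets that are absolute or climb above the download directory. The sample listing is constructed for the example.

```python
"""Sanity-check a Unix-style FTP LIST response before mirroring it recursively.

Added example for CVE-2014-4877, not code from wget. It flags the pattern the
CVE describes (one name listed both as a symlink and as a regular entry) and
symlink targets that would resolve outside the download tree. Assumes the
common "ls -l" LIST layout: mode, links, owner, group, size, three date
tokens, then the name (with " -> target" appended for symlinks).
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample listing: "notes" is listed twice (symlink, then file),
# and "up" points above the current directory. "safe_link" stays in-tree.
SAMPLE_LISTING = """\
drwxr-xr-x 2 ftp ftp 4096 Oct 27 2014 pub
-rw-r--r-- 1 ftp ftp  123 Oct 27 2014 README
lrwxrwxrwx 1 ftp ftp   14 Oct 27 2014 notes -> /outside/tree
-rw-r--r-- 1 ftp ftp   55 Oct 27 2014 notes
lrwxrwxrwx 1 ftp ftp   10 Oct 27 2014 safe_link -> pub/README
lrwxrwxrwx 1 ftp ftp   10 Oct 27 2014 up -> ../sibling
"""


@dataclass
class Entry:
    name: str
    is_symlink: bool
    target: Optional[str]  # only meaningful when is_symlink is True


def parse_list_line(line: str) -> Optional[Entry]:
    """Parse one "ls -l" style LIST line; return None for lines that do not fit."""
    parts = line.split(None, 8)  # the 9th field is the (possibly space-containing) name
    if len(parts) < 9:
        return None
    mode, name_field = parts[0], parts[8]
    if mode.startswith("l"):
        name, sep, target = name_field.partition(" -> ")
        return Entry(name, True, target if sep else None)
    return Entry(name_field, False, None)


def parse_listing(text: str) -> List[Entry]:
    """Parse every recognisable line of a LIST response."""
    return [e for e in (parse_list_line(l) for l in text.splitlines()) if e is not None]


def target_escapes(target: str) -> bool:
    """True if a symlink target is absolute or normalises to a path above '.'."""
    if target.startswith("/"):
        return True
    norm = posixpath.normpath(target)
    return norm == ".." or norm.startswith("../")


def suspicious_entries(text: str) -> List[str]:
    """Return human-readable findings for a listing; an empty list means nothing flagged."""
    entries = parse_listing(text)
    findings: List[str] = []

    # Finding 1: the same name listed as both a symlink and a regular entry.
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    for name, group in by_name.items():
        kinds = {e.is_symlink for e in group}
        if len(group) > 1 and kinds == {True, False}:
            findings.append(f"{name}: listed as both a symlink and a regular entry")

    # Finding 2: symlink targets that leave the download tree.
    for e in entries:
        if e.is_symlink and e.target is not None and target_escapes(e.target):
            findings.append(f"{e.name}: symlink target {e.target!r} leaves the download tree")
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_LISTING):
        print(finding)
```

A client that sees any finding can refuse the recursive fetch, or simply never create symlinks from listings at all and store them as regular files instead, which is the conservative default the upstream fix moves to according to the report above.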