Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 674170 (CVE-2018-20483) - <net-misc/wget-1.20.1: password and metadata leak via extended filesystem attributes (CVE-2018-20483)
Summary: <net-misc/wget-1.20.1: password and metadata leak via extended filesystem att...
Status: RESOLVED FIXED
Alias: CVE-2018-20483
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/bu...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-31 12:17 UTC by Hanno Böck
Modified: 2019-03-10 20:50 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/wget-1.20.1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2018-12-31 12:17:34 UTC 
wget stores download URLs (and included in them potentially HTTP authentication passwords) in its extended attributes.

Upstream 1.20.1 disables this behavior by default and adds some safeguards, see:
https://lists.gnu.org/archive/html/bug-wget/2018-12/msg00034.html

It's already in the tree, I suggest stabilizing 1.20.1 asap.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-31 16:44:46 UTC 
x86 stable
Comment 2 Rolf Eike Beer archtester 2019-01-01 11:08:09 UTC 
sparc stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:20:07 UTC 
ppc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:22:07 UTC 
ppc64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:30:54 UTC 
commit db55a059572de84d5bb25032009711b652f2d527
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Mon Dec 31 18:00:32 2018 +0100

    net-misc/wget: Stable for HPPA too.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-01 12:36:30 UTC 
ia64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-02 09:59:37 UTC 
amd64 stable
Comment 8 Mart Raudsepp gentoo-dev 2019-01-07 18:49:04 UTC 
arm64 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 06:21:40 UTC 
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 20:50:40 UTC 
This issue was resolved and addressed in
 GLSA 201903-08 at https://security.gentoo.org/glsa/201903-08
by GLSA coordinator Aaron Bauman (b-man).