Package : wget
Problem type : directory traversal, buffer overflow
Debian-specific: no
CVEs : CAN-2002-1344
Two problems have been found in the wget package as distributed in
Debian GNU/Linux:
* Stefano Zacchiroli found a buffer overrun in the url_filename function,
which would make wget segfault on very long URLs.
* Steven M. Christey discovered that wget did not verify the FTP server
response to an NLST command: it must not contain any directory information,
since that can be used to make an FTP client overwrite arbitrary files.
Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux
2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.
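
The check described for the NLST problem, as an added example (not wget's own code or the Debian patch): every name in the listing is accepted only if it is a bare file name. The function names and the sample reply are constructed for illustration, and rejecting backslashes is an extra assumption beyond the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if one NLST entry is a bare file name, 0 if it carries
   directory information and must be discarded by the client. */
int nlst_entry_is_safe(const char *name)
{
    if (name[0] == '\0')
        return 0;                      /* empty entry */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                      /* names a directory, not a file */
    if (strchr(name, '/') != NULL)
        return 0;                      /* absolute or relative path */
    if (strchr(name, '\\') != NULL)
        return 0;                      /* assumption: also refuse Windows separators */
    return 1;
}

/* Walk a CRLF- or LF-separated NLST reply in place. Returns the number of
   entries that pass the check and stores the number refused in *rejected. */
int nlst_count_safe(char *listing, int *rejected)
{
    int safe = 0;
    char *line;

    *rejected = 0;
    for (line = strtok(listing, "\r\n"); line != NULL; line = strtok(NULL, "\r\n")) {
        if (nlst_entry_is_safe(line))
            safe++;
        else
            (*rejected)++;
    }
    return safe;
}

int main(void)
{
    /* Constructed sample reply, not captured from a real server. */
    char reply[] = "README\r\n../../.bashrc\r\n/etc/passwd\r\n"
                   "pub/file.txt\r\nnotes.txt\r\n";
    int rejected;
    int safe = nlst_count_safe(reply, &rejected);

    printf("accepted %d, rejected %d\n", safe, rejected);
    return 0;
}
```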
------------------------------------------------------------------------
Obtaining updates:
By hand:
wget URL
will fetch the file for you.
dpkg -i FILENAME.deb
will install the fetched file.
With apt:
deb Debian -- Security Information stable/updates main
added to /...