SecurityTracker.com
Category:   Application (Generic)  >   wget
Vendors:   GNU [multiple authors]
wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1039661
SecurityTracker URL:  http://securitytracker.com/id/1039661
CVE Reference:   CVE-2017-13089, CVE-2017-13090
Date:  Oct 26 2017
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Two vulnerabilities were reported in wget. A remote user can execute arbitrary code on the target system.

A remote server can send specially crafted HTTP data to a connected wget client to trigger a buffer overflow and execute arbitrary code on the client system.

A heap overflow in processing HTTP chunk size values may occur in the fd_read_body() function in 'src/retr.c' [CVE-2017-13090].

A heap overflow in processing HTTP chunk size values may occur in the skip_short_body() function in 'src/http.c' [CVE-2017-13089].
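
As an added illustration (not wget's code and not part of the advisory), the following C example shows defensive handling of an HTTP chunk-size field: strict hex parsing with an upper bound, and clamping of each read length to the buffer size. The function names and the 64 MiB limit are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limit for one chunk (64 MiB); not a value from the advisory. */
#define MAX_CHUNK_SIZE (64L * 1024 * 1024)

/* Hypothetical helper: parse the hex chunk-size field that starts a chunk
   header line. Returns 0 and stores the size, or -1 for a malformed value. */
int parse_chunk_size(const char *line, long *out)
{
    const char *p = line;
    long v = 0;

    /* No sign, whitespace or "0x" prefix: the field is 1*HEXDIG only. */
    if (!isxdigit((unsigned char)*p))
        return -1;
    for (; isxdigit((unsigned char)*p); p++) {
        int c = tolower((unsigned char)*p);
        int d = isdigit(c) ? c - '0' : c - 'a' + 10;
        if (v > (MAX_CHUNK_SIZE - d) / 16)   /* would exceed the limit */
            return -1;
        v = v * 16 + d;
    }
    /* Only a chunk extension, trailing blanks or the line end may follow. */
    if (*p != '\0' && *p != '\r' && *p != '\n' && *p != ';' && *p != ' ' && *p != '\t')
        return -1;
    *out = v;
    return 0;
}

/* Hypothetical helper: bytes to request for the next read of a chunk body.
   Never negative and never larger than the destination buffer. */
size_t next_read_len(long remaining, size_t bufsize)
{
    if (remaining <= 0)
        return 0;
    return (size_t)remaining < bufsize ? (size_t)remaining : bufsize;
}

int main(void)
{
    /* Constructed sample chunk-size lines, not captured traffic. */
    const char *samples[] = { "1a;ext=1\r\n", "0\r\n", "-1\r\n", "0x10\r\n", "FFFFFFFFFFFFFFFF\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = 0;
        int rc = parse_chunk_size(samples[i], &n);
        printf("sample %zu: %s (size %ld)\n", i, rc == 0 ? "accepted" : "rejected", n);
    }
    return 0;
}
```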

The original advisory is available at:

https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

Antti Levomaki, Christian Jalio, Joonas Pihlaja from Forcepoint and Juhani Eronen from Finnish National Cyber Security Centre reported these vulnerabilities.

Impact:   A remote server can execute arbitrary code on the connected client system.
Solution:   The vendor has issued a fix (1.19.2), available at:

https://ftp.gnu.org/gnu/wget/

Vendor URL:  www.gnu.org/software/wget/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 26 2017 (Ubuntu Issues Fix) wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.04, and 17.10.
Oct 27 2017 (CentOS Issues Fix) wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code
CentOS has issued a fix for CentOS 7.
Nov 12 2018 (Oracle Issues Fix for Oracle Linux) wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code
Oracle has issued a fix for Oracle Linux 7.




Copyright 2019, SecurityGlobal.net LLC