Bug 221459 (CVE-2006-6719)
| Field | Value |
|---|---|
| Summary | CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from malicious FTP server |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Lubomir Kundrak <lkundrak> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | karsten, psplicha |
| Keywords | Reopened, Security |
| Hardware | All |
| OS | Linux |
| URL | http://www.securityfocus.com/bid/21650 |
| Fixed In Version | wget-1.10.2-7.el5 |
| Doc Type | Bug Fix |
| Last Closed | 2009-10-07 08:21:56 UTC |

Description
Lubomir Kundrak
2007-01-04 18:24:40 UTC
Created attachment 144827
Reproducer for CVE-2006-6719 wget flaw

Here's the stack trace:

    #0 *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
    #1 0x000000000040b6bb in ftp_syst (csock=<value optimized out>, server_type=0x7fff685d6988) at ftp-basic.c:1041
    #2 0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0, con=0x7fff685d6970) at ftp.c:351
    #3 0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0, con=0x7fff685d6970) at ftp.c:1173
    #4 0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970, f=0x7fff685d69a8) at ftp.c:1317
    #5 0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value optimized out>, recursive=false, glob=false) at ftp.c:1798
    #6 0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/", file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0, recursive=false) at retr.c:691
    #7 0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
    #8 0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2, ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
    #9 0x00000000004039b9 in _start ()

And the relevant faulty code:

    1033
    1034   /* Skip the number (215, but 200 (!!!) in case of VMS) */
    1035   strtok (respline, " ");
    1036
    1037   /* Which system type has been reported (we are interested just in the
    1038      first word of the server response)? */
    1039   request = strtok (NULL, " ");

Here request gets set to NULL, as there are no more tokens in the response

    1040
    1041   if (!strcasecmp (request, "VMS"))

And here we compare the NULL string

    1042     *server_type = ST_VMS;
    1043   else if (!strcasecmp (request, "UNIX"))
    1044     *server_type = ST_UNIX;

Created attachment 144828
Patch for CVE-2006-6719 wget flaw

And, because it's Christmas, here's the patch for you. And please report upstream.

This issue was reviewed by the Red Hat Security Response Team. The impact of this is limited to a non-exploitable application crash caused by a NULL pointer dereference. When using wget to download files from an untrusted and malicious FTP server, or when an attacker is able to modify the communication stream with the trusted FTP server, a harmless crash has lesser impact than e.g. downloading (and executing) some malware.

This bug was addressed in wget packages in Red Hat Enterprise Linux 5 before the initial release. It affects wget versions in Red Hat Enterprise Linux 3 and 4, but there's no plan to address it via security update.
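
The missing check from the faulty code quoted in the report, written out as an added example (this is not wget's code and not the attached patch): a SYST reply classifier that rejects a reply with no system-type word instead of passing NULL to a string comparison. The names `parse_syst_reply`, `token_is` and `enum syst_type` are hypothetical, and the sample replies are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not wget's ST_* constants. */
enum syst_type { SYST_UNIX, SYST_VMS, SYST_OTHER };

/* Case-insensitive compare of the token tok[0..len) with a C string. */
static int token_is(const char *tok, size_t len, const char *name)
{
    if (strlen(name) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Classify a SYST reply line. Returns 0 and sets *out, or -1 when no word
   follows the status code (the reply shape that left request == NULL). */
int parse_syst_reply(const char *reply, enum syst_type *out)
{
    static const char sep[] = " \r\n";
    const char *p;
    size_t len;
    if (reply == NULL || out == NULL) return -1;
    p = reply + strspn(reply, sep);  /* leading separators */
    p += strcspn(p, sep);            /* the status code (215, or 200 for VMS) */
    p += strspn(p, sep);             /* separators after the code */
    len = strcspn(p, sep);           /* first word of the system description */
    if (len == 0)
        return -1;                   /* nothing to compare: reject the reply */
    if (token_is(p, len, "VMS"))
        *out = SYST_VMS;
    else if (token_is(p, len, "UNIX"))
        *out = SYST_UNIX;
    else
        *out = SYST_OTHER;
    return 0;
}

int main(void)
{
    const char *samples[] = { "215 UNIX Type: L8", "200 VMS", "215", "215 \r\n" };
    enum syst_type t;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, parse_syst_reply(samples[i], &t));
    return 0;
}
```

The parser reads the reply without modifying it, so it also avoids the hidden global state of `strtok`; a caller treats -1 as a malformed server response.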