Bug 1139181 (CVE-2014-4877) - CVE-2014-4877 wget: FTP symlink arbitrary filesystem access
Summary: CVE-2014-4877 wget: FTP symlink arbitrary filesystem access
Status: CLOSED ERRATA
Alias: CVE-2014-4877
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141027,repor...
Keywords: Security
Depends On: 1156133 1156134 1156135 1156136 1157633 1169860
Blocks: 1139182
TreeView+ depends on / blocked
 
Reported: 2014-09-08 10:26 UTC by Vasyl Kaigorodov
Modified: 2018-12-09 18:31 UTC (History)
15 users (show)

Fixed In Version: wget 1.16
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-09 12:51:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed fix (6.51 KB, patch)
2014-09-09 08:26 UTC, Giuseppe Scrivano
no flags Details | Diff
updated fix (7.49 KB, patch)
2014-09-12 10:40 UTC, Giuseppe Scrivano
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1764 normal SHIPPED_LIVE Moderate: wget security update 2014-10-31 00:37:35 UTC
Red Hat Product Errata RHSA-2014:1955 normal SHIPPED_LIVE Moderate: wget security update 2014-12-03 22:21:40 UTC

Description Vasyl Kaigorodov 2014-09-08 10:26:03 UTC
It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP.

Comment 1 Giuseppe Scrivano 2014-09-09 08:26:12 UTC
Created attachment 935576 [details]
proposed fix

Comment 5 Stefan Cornelius 2014-09-09 12:20:13 UTC
Acknowledgements:

Red Hat would like to thank the GNU Wget project for reporting this issue. Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.

Comment 6 Giuseppe Scrivano 2014-09-12 10:40:43 UTC
Created attachment 936905 [details]
updated fix

updated version for the proposed fix

Comment 13 Tomas Hoger 2014-10-23 19:58:42 UTC
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 15 Tomas Hoger 2014-10-27 11:36:01 UTC
A related commit is:

http://git.savannah.gnu.org/cgit/wget.git/commit/?id=69c45cba4382fcaabe3d86876bd5463dc34f442c

It adds a sanity check for the FTP directory listings to reject duplicate listings of the same file, which is one attack vector against this flaw.

Comment 16 Tomas Hoger 2014-10-27 11:36:28 UTC
This issue was fixed upstream in GNU wget 1.16:

http://lists.gnu.org/archive/html/bug-wget/2014-10/msg00150.html

Comment 17 Tomas Hoger 2014-10-27 11:45:58 UTC
This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option.  Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally.

In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enable retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the following line:

  retr-symlinks=on

Comment 18 Tomas Hoger 2014-10-27 11:48:14 UTC
Created wget tracking bugs for this issue:

Affects: fedora-all [bug 1157633]

Comment 21 errata-xmlrpc 2014-10-30 20:37:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2014:1764 https://rhn.redhat.com/errata/RHSA-2014-1764.html

Comment 22 Fedora Update System 2014-11-22 12:34:26 UTC
wget-1.16-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-12-01 19:07:28 UTC
wget-1.16-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Martin Prpič 2014-12-02 17:23:24 UTC
IssueDescription:

A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable to by the user running Wget, possibly leading to code execution.

Comment 25 errata-xmlrpc 2014-12-03 17:21:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2014:1955 https://rhn.redhat.com/errata/RHSA-2014-1955.html

Comment 26 Fedora Update System 2014-12-06 10:47:34 UTC
wget-1.16-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Ronaldo 2015-02-05 13:55:21 UTC
After update to this version, sssd + ldap + sudo stop working.

Comment 28 Ronaldo 2015-02-05 14:00:00 UTC
Sorry, wrong bug.


Note You need to log in before you can comment on or make changes to this bug.