Bug 183330 - wget crashes with buffer overflow if server returns negative file length
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: wget
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Karsten Hopp
Keywords: Reopened
Reported: 2006-02-28 05:18 EST by Need Real Name
Modified: 2007-11-30 17:11 EST
Fixed In Version: wget-1.10.2-8.fc6.1
Doc Type: Bug Fix
Last Closed: 2007-01-12 07:55:22 EST


Description Need Real Name 2006-02-28 05:18:15 EST
When I try to download FC4-i386-DVD.iso from a particular mirror, I get a buffer
overflow.

$ strace wget http://mirrors.playboy.com/fedora/4/i386/iso/FC4-i386-DVD.iso
*** buffer overflow detected ***: strace terminated

ftp://alviss.et.tudelft.nl/pub/fedora/core/4/i386/iso/FC4-i386-DVD.iso works

Using curl works.
Comment 1 Karsten Hopp 2006-02-28 05:34:41 EST
Which wget version is that? You need at least wget-1.10.2-0.fc4 for files
larger than 2GB, such as DVD ISOs.
Comment 2 Need Real Name 2006-02-28 05:46:11 EST
wget-1.10.2-0.fc4
As I said, the other mirrors work fine.
Comment 3 Need Real Name 2006-04-21 07:52:09 EDT
wget is not sanity checking information returned by the server.
Comment 4 Need Real Name 2006-10-16 16:09:11 EDT
Okay, so the example I gave above does not work any more since the host no
longer exists.

However, there likely exists a security hole in wget, because it is wrongly
making an assumption about the length that a server will return, i.e. that it is
not going to be negative.

Can you mark this as security please? It's six months old.
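
Added example, not part of the original bug thread and not wget's own code: one way a client can sanity-check a server-supplied length before using it. It assumes the length arrives as an HTTP Content-Length header value; the function name parse_content_length and the sample values are hypothetical.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not wget's code): parse a Content-Length value
 * received from an untrusted server. Returns 0 and stores the length on
 * success, -1 if the value is empty, signed, non-numeric or too large. */
int parse_content_length(const char *s, int64_t *out)
{
    char *end;
    uintmax_t v;

    while (*s == ' ' || *s == '\t')        /* optional leading whitespace */
        s++;
    if (*s < '0' || *s > '9')              /* rejects "", "-1", "+5", "abc" */
        return -1;

    errno = 0;
    v = strtoumax(s, &end, 10);
    if (errno == ERANGE || v > (uintmax_t)INT64_MAX)
        return -1;                         /* would not fit a signed 64-bit size */

    while (*end == ' ' || *end == '\t')    /* optional trailing whitespace */
        end++;
    if (*end != '\0')                      /* trailing garbage such as "12abc" */
        return -1;

    *out = (int64_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample header values, not captured from any real server. */
    const char *samples[] = { "3000000000", "-1", "-2147483648",
                              "99999999999999999999", "12abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t len;
        if (parse_content_length(samples[i], &len) == 0)
            printf("accept \"%s\" -> %" PRId64 "\n", samples[i], len);
        else
            printf("reject \"%s\"\n", samples[i]);
    }
    return 0;
}
```

A caller that gets -1 should treat the length as unknown or abort the transfer, never pass the raw value on to buffer or progress calculations.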
Comment 5 Karsten Hopp 2007-01-10 05:56:40 EST
I think this is CVE-2006-6719, which has been fixed in wget-1.10.2-11.fc7 and
wget-1.10.2-8.fc6.1
Comment 6 Need Real Name 2007-01-11 14:07:00 EST
In that case, why was this security vulnerability, which I reported a year ago,
left open despite the big red warning "wget is not sanity checking information
returned by the server." and "Can you mark this as security please"?
Comment 7 Karsten Hopp 2007-01-12 07:55:22 EST
It was considered as a minor issue as
- it is only a denial of service, not hackable
- you'd have to deliberately connect to a malicious server
Comment 8 Need Real Name 2007-01-12 18:55:17 EST
(In reply to comment #7)
> It was considered as a minor issue as
> - it is only a denial of service, not hackable

In hindsight, yes. But you didn't know this (otherwise you would have patched wget).

> - you'd have to deliberately connect to a malicious server

You've phrased this misleadingly, and on purpose too.

You mean "Connect to a server".

You would never "deliberately connect to a malicious server", you would only
"connect to a server", and later find out that it was malicious (perhaps).

Stop talking your way around things or you'll end up like your rivals.
