Red Hat Bugzilla – Bug 183330
wget crashes with buffer overflow if server returns negative file length
Last modified: 2007-11-30 17:11:25 EST
When I try to download FC4-i386-DVD.iso from a particular mirror, I get a buffer
$ strace wget http://mirrors.playboy.com/fedora/4/i386/iso/FC4-i386-DVD.iso
*** buffer overflow detected ***: strace terminated
Using curl works.
Which wget version is that? You need at least wget-1.10.2-0.fc4 for files
larger than 2GB such as DVD ISOs.
As I said, the other mirrors work fine.
wget is not sanity checking information returned by the server.
Okay, so the example I gave above does not work any more since the host no
However, there likely exists a security hole in wget, because it is wrongly
making an assumption about the length that a server will return, i.e. that it is
not going to be negative.
Can you mark this as security please? It's six months old.
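The assumption called out above (that a server-supplied Content-Length is never negative) is easy to demonstrate outside wget. The following C program is an added example written for this page, not wget's own code, and it makes no claim about where or how wget itself parsed the header. The function names (parse_content_length_unchecked, parse_content_length, find_header_value, parse_response_length) and the sample HTTP responses are constructed for illustration. The unchecked parser shows the shape of the bug: strtol accepts "-1", and a negative length cast to size_t becomes an enormous allocation or byte count. The checked parser only accepts an unsigned decimal string that fits in unsigned long long, which also covers the >2GB ISO case from this report.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked parse (hypothetical, written for this page): trusts the server.
 * strtol accepts a leading '-', so "-1" parses without any error signal. */
long parse_content_length_unchecked(const char *value)
{
    return strtol(value, NULL, 10);
}

/* What the unchecked value becomes once a caller uses it as a buffer size:
 * a negative long converted to size_t wraps to a huge number. */
size_t unchecked_as_size(const char *value)
{
    return (size_t)parse_content_length_unchecked(value);
}

/* Checked parse: returns 0 and stores the length on success, -1 on any
 * malformed value (empty, signed, non-digit trailer, or overflow). Surrounding
 * spaces/tabs are tolerated because header values may carry them. */
int parse_content_length(const char *value, unsigned long long *out)
{
    const char *p = value;
    unsigned long long n = 0;
    while (*p == ' ' || *p == '\t') p++;
    if (!isdigit((unsigned char)*p))        /* rejects "", "-1", "+5", "abc" */
        return -1;
    for (; isdigit((unsigned char)*p); p++) {
        unsigned d = (unsigned)(*p - '0');
        if (n > (ULLONG_MAX - d) / 10)      /* next digit would overflow */
            return -1;
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '\0')                         /* trailing junk such as "123abc" */
        return -1;
    *out = n;
    return 0;
}

/* Case-insensitive match of "name:" at the start of a header line. */
static int header_name_matches(const char *line, size_t len, const char *name, size_t nlen)
{
    size_t i;
    if (len <= nlen || line[nlen] != ':') return 0;
    for (i = 0; i < nlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return 1;
}

/* Copy the trimmed value of header `name` from a CRLF-separated header block
 * into buf. Returns 1 if found and it fits, 0 otherwise. */
int find_header_value(const char *headers, const char *name, char *buf, size_t buflen)
{
    size_t nlen = strlen(name);
    const char *line = headers;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (header_name_matches(line, len, name, nlen)) {
            const char *v = line + nlen + 1, *end = line + len;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            if ((size_t)(end - v) >= buflen) return 0;
            memcpy(buf, v, (size_t)(end - v));
            buf[end - v] = '\0';
            return 1;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

/* 1 = valid Content-Length stored in *out, 0 = header absent, -1 = malformed.
 * A caller should treat -1 as a protocol error, not fall back to a guess. */
int parse_response_length(const char *response, unsigned long long *out)
{
    char value[64];
    if (!find_header_value(response, "Content-Length", value, sizeof value)) return 0;
    return parse_content_length(value, out) == 0 ? 1 : -1;
}

int main(void)
{
    /* Constructed sample responses, not captured from any real mirror. */
    const char *big = "HTTP/1.1 200 OK\r\nContent-Length: 3072000000\r\n\r\n";
    const char *neg = "HTTP/1.1 200 OK\r\ncontent-length: -1\r\n\r\n";
    unsigned long long n = 0;
    printf("unchecked \"-1\" as size_t: %zu\n", unchecked_as_size("-1"));
    printf("checked big: rc=%d len=%llu\n", parse_response_length(big, &n), n);
    printf("checked neg: rc=%d\n", parse_response_length(neg, &n));
    return 0;
}
```

The point of the split return codes is that "absent" and "malformed" must not collapse into the same path: a missing Content-Length legitimately means read until close, while a value that fails to parse means the peer is lying or broken and the transfer should be aborted before any length-derived allocation happens.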
I think this is CVE-2006-6719, which has been fixed in wget-1.10.2-11.fc7 and
In that case, why was this security vulnerability, which I reported a year ago,
left open despite the big red warning "wget is not sanity checking information
returned by the server." and "Can you mark this as security please"?
It was considered as a minor issue as
- it is only a denial of service, not hackable
- you'd have to deliberately connect to a malicious server
(In reply to comment #7)
> It was considered as a minor issue as
> - it is only a denial of service, not hackable
In hindsight, yes. But you didn't know this (otherwise you would have patched wget).
> - you'd have to deliberately connect to a malicious server
You've phrased this misleadingly, and on purpose too.
You mean "Connect to a server".
You would never "deliberately connect to a malicious server", you would only
"connect to a server", and later find out that it was malicious (perhaps).
Stop talking your way around things or you'll end up like your rivals.