Bug 221469 - CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from malicious FTP server
CVE-2006-6719 Wget attempts to dereference NULL pointer upon response from ma...
Product: Fedora
Classification: Fedora
Component: wget (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Karsten Hopp
: Security
Depends On:
  Show dependency treegraph
Reported: 2007-01-04 13:53 EST by Lubomir Kundrak
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: wget-1.10.2-8.fc6.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-01-10 06:09:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-01-04 13:53:33 EST
+++ This bug was initially created as a clone of Bug #221459 +++

Description of problem:

NULL pointer dereference occurs in case a numerical FTP repsonse code
is present, but response text is missing while wget is expecting a reply
to SYST command in ftp-basic.c:ftp_syst().

Version-Release number of selected component (if applicable):

Wget in all supported releases seems to contain the flawed code.

How reproducible:


Steps to Reproduce:
1. Run the attached perl script, it listens to localhost:21 by default
2. Attempt to wget ftp://localhost/
Actual results:

Wget receives a SIGSEGV.

Expected results:

Wget should save us from the time of trial and deliver us from evil.

Additional info:

Upstream didn't fix the issue yet and for it's fairly simple I doubt
they know about it.

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:24 EST --
Created an attachment (id=144827)
Reproducer for CVE-2006-6719 wget flaw

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:29 EST --
Here's the stack trace:

#0  *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
#1  0x000000000040b6bb in ftp_syst (csock=<value optimized out>,
server_type=0x7fff685d6988) at ftp-basic.c:1041
#2  0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0,
con=0x7fff685d6970) at ftp.c:351
#3  0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0,
con=0x7fff685d6970) at ftp.c:1173
#4  0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970,
f=0x7fff685d69a8) at ftp.c:1317
#5  0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value
optimized out>, recursive=false, glob=false) at ftp.c:1798
#6  0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/",
file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0,
    recursive=false) at retr.c:691
#7  0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
#8  0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2,
ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
#9  0x00000000004039b9 in _start ()

And the relevand faulty code:

1034      /* Skip the number (215, but 200 (!!!) in case of VMS) */
1035      strtok (respline, " ");
1037      /* Which system type has been reported (we are interested just in the
1038         first word of the server response)?  */
1039      request = strtok (NULL, " ");

Here request gets set to NULL, as there are no more tokens in the reponse

1041      if (!strcasecmp (request, "VMS"))

And here we compare the NULL string

1042        *server_type = ST_VMS;
1043      else if (!strcasecmp (request, "UNIX"))
1044        *server_type = ST_UNIX;

-- Additional comment from lkundrak@redhat.com on 2007-01-04 13:44 EST --
Created an attachment (id=144828)
Patch for CVE-2006-6719 wget flaw

And, because it's Christmas, here's the patch for you.
And please report upstream.
Comment 1 Karsten Hopp 2007-01-10 06:09:44 EST
Update with a fix is on its way: wget-1.10.2-8.fc6.1
Comment 2 Fedora Update System 2007-01-10 11:06:18 EST
wget-1.10.2-8.fc6.1 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.