+++ This bug was initially created as a clone of Bug #221459 +++

Description of problem:
NULL pointer dereference occurs in case a numerical FTP response code is present, but response text is missing while wget is expecting a reply to SYST command in ftp-basic.c:ftp_syst().

Version-Release number of selected component (if applicable):
Wget in all supported releases seems to contain the flawed code.

How reproducible:
Always.

Steps to Reproduce:
1. Run the attached perl script, it listens to localhost:21 by default
2. Attempt to wget ftp://localhost/

Actual results:
Wget receives a SIGSEGV.

Expected results:
Wget should save us from the time of trial and deliver us from evil.

Additional info:
Upstream didn't fix the issue yet, and as it's fairly simple I doubt they know about it.

-- Additional comment from lkundrak on 2007-01-04 13:24 EST --

Created an attachment (id=144827)
Reproducer for CVE-2006-6719 wget flaw

-- Additional comment from lkundrak on 2007-01-04 13:29 EST --

Here's the stack trace:

#0  *__GI___strcasecmp (s1=0x0, s2=0x428a79 "VMS") at strcasecmp.c:65
#1  0x000000000040b6bb in ftp_syst (csock=<value optimized out>, server_type=0x7fff685d6988) at ftp-basic.c:1041
#2  0x0000000000408a88 in getftp (u=0x83a050, len=0x7fff685d6748, restval=0, con=0x7fff685d6970) at ftp.c:351
#3  0x0000000000409b58 in ftp_loop_internal (u=0x83a050, f=0x0, con=0x7fff685d6970) at ftp.c:1173
#4  0x000000000040a01c in ftp_get_listing (u=0x83a050, con=0x7fff685d6970, f=0x7fff685d69a8) at ftp.c:1317
#5  0x000000000040a553 in ftp_loop (u=0x83a050, dt=0x7fff685d6bb0, proxy=<value optimized out>, recursive=false, glob=false) at ftp.c:1798
#6  0x000000000041eab7 in retrieve_url (origurl=0x83a0c0 "ftp://localhost/", file=0x7fff685d6ba8, newloc=0x7fff685d6ba0, refurl=0x0, dt=0x7fff685d6bb0, recursive=false) at retr.c:691
#7  0x000000000041a740 in main (argc=2, argv=0x7fff685d6cd8) at main.c:961
#8  0x0000003def81da44 in __libc_start_main (main=0x41a050 <main>, argc=2, ubp_av=0x7fff685d6cd8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff685d6cc8) at libc-start.c:231
#9  0x00000000004039b9 in _start ()

And the relevant faulty code:

1033
1034   /* Skip the number (215, but 200 (!!!) in case of VMS) */
1035   strtok (respline, " ");
1036
1037   /* Which system type has been reported (we are interested just in the
1038      first word of the server response)? */
1039   request = strtok (NULL, " ");

Here request gets set to NULL, as there are no more tokens in the response.

1040
1041   if (!strcasecmp (request, "VMS"))

And here we compare the NULL string.

1042     *server_type = ST_VMS;
1043   else if (!strcasecmp (request, "UNIX"))
1044     *server_type = ST_UNIX;

-- Additional comment from lkundrak on 2007-01-04 13:44 EST --

Created an attachment (id=144828)
Patch for CVE-2006-6719 wget flaw

And, because it's Christmas, here's the patch for you. And please report upstream.
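The check the snippet above lacks, as an added stand-alone example (this is neither wget's code nor the attached patch): the same strtok() sequence as ftp_syst(), but the second token is tested for NULL before it reaches strcasecmp(). parse_syst_reply, ST_OTHER and ST_MISSING are hypothetical names chosen for the example; the sample replies are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for wget's server_type values; ST_MISSING is
 * added here to report a reply that carried only the numeric code. */
enum server_type { ST_UNIX, ST_VMS, ST_OTHER, ST_MISSING };

/* Mirrors the strtok() calls from ftp_syst(), but refuses to compare a
 * NULL token. A reply such as "215" or "215\r\n" made the original code
 * call strcasecmp(NULL, "VMS"), which is the SIGSEGV in the stack trace. */
enum server_type parse_syst_reply(const char *reply)
{
    char line[256];         /* strtok() modifies its buffer, so work on a copy */
    const char *request;

    if (reply == NULL)
        return ST_MISSING;
    snprintf(line, sizeof line, "%s", reply);

    /* Skip the number (215, but 200 in case of VMS). */
    if (strtok(line, " \r\n") == NULL)
        return ST_MISSING;

    /* First word of the text part of the reply, if there is one. */
    request = strtok(NULL, " \r\n");
    if (request == NULL)    /* the check missing from the crashing code */
        return ST_MISSING;

    if (!strcasecmp(request, "VMS"))
        return ST_VMS;
    if (!strcasecmp(request, "UNIX"))
        return ST_UNIX;
    return ST_OTHER;
}

int main(void)
{
    /* Constructed sample replies: two normal ones and the crashing shape. */
    const char *samples[] = { "215 UNIX Type: L8", "200 VMS", "215" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> server_type %d\n", samples[i], parse_syst_reply(samples[i]));
    return 0;
}
```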
fixed in wget-1.10.2-7.el5
verified in 20070111 tree