Re: [Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Request for Details

2019-04-04 Thread Tim Rühsen
On 4/4/19 4:42 PM, Josef Moellers wrote:
> On 04.04.19 09:27, Tim Rühsen wrote:
>> On 4/4/19 3:14 AM, Secunia Research wrote:
>>> Hello,
>>>
>>> We are currently processing a report published by a third-party [1] for GNU
>>> wget and are currently evaluating it to publish a Secunia Advisory for this.
>>> Please see the original report for details.
>>>
>>> We would appreciate to receive your comments on those issues before we
>>> publish our advisory based on this information.
>>>
>>> * Can you confirm the vulnerability?
>>
>> Yes
> 
> Can you please elaborate what EXACTLY the vulnerability is? I have
> searched through the (quite hefty) diff between 1.20.1 and 1.20.2 and
> have found only 4 differences that may be viewed as these, but the
> changes in
> src/ftp-ls.c and
> src/http.c
> do not fix a vulnerability.
> The CVE-entry is not quite helpful, to say the least ;-)

Well, I could tell you details since I have a PoC and I made the fix.
But maybe there is a reason why the JVN people don't include the PoC
within their report. I am asking them...

Regards, Tim


Re: [Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Request for Details

2019-04-04 Thread Josef Moellers
On 04.04.19 09:27, Tim Rühsen wrote:
> On 4/4/19 3:14 AM, Secunia Research wrote:
>> Hello,
>>
>> We are currently processing a report published by a third-party [1] for GNU
>> wget and are currently evaluating it to publish a Secunia Advisory for this.
>> Please see the original report for details.
>>
>> We would appreciate to receive your comments on those issues before we
>> publish our advisory based on this information.
>>
>> * Can you confirm the vulnerability?
> 
> Yes

Can you please elaborate what EXACTLY the vulnerability is? I have
searched through the (quite hefty) diff between 1.20.1 and 1.20.2 and
have found only 4 differences that may be viewed as these, but the
changes in
src/ftp-ls.c and
src/http.c
do not fix a vulnerability.
The CVE-entry is not quite helpful, to say the least ;-)

Thanks,

Josef
-- 
SUSE Linux GmbH
Maxfeldstrasse 5
90409 Nuernberg
Germany
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nürnberg)


Re: [Bug-wget] [Secunia Research] GNU wget Vulnerability Report - Request for Details

2019-04-04 Thread Tim Rühsen
On 4/4/19 3:14 AM, Secunia Research wrote:
> Hello,
> 
> We are currently processing a report published by a third-party [1] for GNU
> wget and are currently evaluating it to publish a Secunia Advisory for this.
> Please see the original report for details.
> 
> We would appreciate to receive your comments on those issues before we
> publish our advisory based on this information.
> 
> * Can you confirm the vulnerability?

Yes

> * Which products and versions are affected by the vulnerability?

GNU Wget < 1.20.2

> * When do you expect to release fixed versions?

1.20.2 has been released on 1st April 2019

> * Are there any mitigating factors or recommended workarounds?

Mitigate by updating to GNU Wget 1.20.2.

If updating is not possible, as far as I can say:
Use only trusted IRIs as input, do not *recursively* download from
untrusted servers.

Regards, Tim
