i am not going to publish a complete security advisory on this topic, but i think wget users deserve a little bit more information about the security vulnerability that was fixed yesterday, october 13th 2005.

yesterday i was notified by iDEFENSE of a remotely exploitable buffer overflow in the NTLM authentication code. this vulnerability could allow a malicious website to run arbitrary code on the machine running the wget client.

the only two versions of wget vulnerable to this flaw are 1.10 and 1.10.1 with NTLM authentication support enabled. wget binaries compiled without NTLM support are not vulnerable. in addition, NTLM support requires OpenSSL, so wget binaries built without SSL support are not affected by the vulnerability either.

the same vulnerability applies to cURL and libcURL, as the NTLM code in wget was donated by Daniel Stenberg, (lib)cURL's maintainer. Daniel sent me a fix for the flaw which was included in wget 1.10.2, released immediately after i received the vulnerability report and the fix.

although there is no known exploit at the time of this writing, i strongly recommend anyone using a wget 1.10 or 1.10.1 binary with NTLM authentication enabled to upgrade to wget 1.10.2 or to recompile their binary without NTLM support.


--
Aequam memento rebus in arduis servare mentem...

Mauro Tortonesi                          http://www.tortonesi.com

University of Ferrara - Dept. of Eng.    http://www.ing.unife.it
GNU Wget - HTTP/FTP file retrieval tool  http://www.gnu.org/software/wget
Deep Space 6 - IPv6 for Linux            http://www.deepspace6.net
Ferrara Linux User Group                 http://www.ferrara.linux.it
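
A triage check for the criteria in the message above (version 1.10 or 1.10.1, and an SSL-enabled build), added here as an example and not part of the original message or of wget itself. It assumes the first line of `wget --version` reads `GNU Wget <version>` and treats `ldd` output as a heuristic for OpenSSL linkage; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify a wget build against the advisory's criteria.
# Affected = version 1.10 or 1.10.1 AND NTLM compiled in (NTLM needs OpenSSL).

# wget_version BANNER: print the version from the first banner line.
wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9A-Za-z.+-]*\).*/\1/p'
}

# wget_ntlm_status BANNER LDD_OUTPUT: print one verdict word.
wget_ntlm_status() {
    ver=$(wget_version "$1")
    case "$ver" in
        "")          echo unknown; return ;;       # banner not recognised
        1.10|1.10.1) ;;                            # versions named in the advisory
        *)           echo not-affected; return ;;  # e.g. 1.10.2, which has the fix
    esac
    case "$2" in
        ""|*"not a dynamic"*) echo check-build ;;  # static or unreadable: inspect by hand
        *libssl*)    echo possibly-affected ;;     # SSL present, NTLM may be enabled
        *)           echo no-ssl ;;                # heuristic: no OpenSSL, so no NTLM
    esac
}

# check_local_wget: run the classifier on the wget found in PATH.
check_local_wget() {
    bin=$(command -v wget) || { echo "wget not found"; return 1; }
    wget_ntlm_status "$("$bin" --version 2>/dev/null)" "$(ldd "$bin" 2>/dev/null)"
}

if [ "${1:-}" = "--local" ]; then
    check_local_wget
else
    # Constructed sample inputs, not captured from a real host.
    wget_ntlm_status 'GNU Wget 1.10.1' 'libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7'
    wget_ntlm_status 'GNU Wget 1.10.2' 'libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7'
fi
```

A `possibly-affected` verdict still needs confirmation, since a 1.10 or 1.10.1 binary linked against OpenSSL may have been compiled without NTLM support.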
