CVE-2017-13090

Priority
Medium
Description
The retr.c:fd_read_body() function is called when processing OK responses.
When the response is sent chunked in wget before 1.19.2, the chunk parser
uses strtol() to read each chunk's length, but doesn't check that the chunk
length is a non-negative number. The code then tries to read the chunk in
pieces of 8192 bytes by using the MIN() macro, but ends up passing the
negative chunk length to retr.c:fd_read(). As fd_read() takes an int
argument, the high 32 bits of the chunk length are discarded, leaving
fd_read() with a completely attacker-controlled length argument. The
attacker can corrupt malloc metadata after the allocated buffer.
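As an added illustration (not wget's code and not the upstream patch), a reconstruction of the chunk-size handling described above: the unchecked strtol() parse beside a version that rejects negative or malformed sizes, and the long-to-int narrowing that turns a negative 64-bit chunk length into the value fd_read() sees. Function names are hypothetical; the MIN()/8192 piece size follows the description, and an LP64 platform (64-bit long, 32-bit int) is assumed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define READ_CHUNK 8192  /* a chunk body is read in pieces of this size */

/* Reconstruction of the pre-1.19.2 behaviour (hypothetical, not wget's
 * code): strtol() accepts a leading '-', so a hostile chunk-size line
 * yields a negative length. Returns LONG_MIN if no number was present. */
long parse_chunk_len_unchecked(const char *hdr)
{
    char *end;
    long n = strtol(hdr, &end, 16);
    return end == hdr ? LONG_MIN : n;
}

/* Hardened parser: the size must start with a hex digit (which alone
 * rejects ' ', '+' and '-'), must not overflow, must be non-negative,
 * and must be followed by a chunk extension or the end of the line.
 * Returns -1 on any violation so the caller can abort the transfer. */
long parse_chunk_len_checked(const char *hdr)
{
    char *end;
    long n;
    if (!isxdigit((unsigned char)hdr[0]))
        return -1;
    errno = 0;
    n = strtol(hdr, &end, 16);
    if (errno == ERANGE || n < 0)
        return -1;
    if (*end != ';' && *end != '\r' && *end != '\n' && *end != '\0')
        return -1;
    return n;
}

/* Length fd_read() would receive for one piece. The implicit long->int
 * narrowing at the original call site is written here as an explicit
 * cast through uint32_t: the high 32 bits of the 64-bit long are
 * dropped, which is the effect the description above refers to. */
int fd_read_length(long remaining_chunk_size)
{
    long piece = MIN(remaining_chunk_size, (long)READ_CHUNK);
    return (int)(uint32_t)piece;
}
```

For a constructed chunk-size line "-80000001\r\n", fd_read_length(parse_chunk_len_unchecked(...)) returns 2147483647 for an 8192-byte buffer, while parse_chunk_len_checked() rejects the same line with -1.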
References
Assigned-to
mdeslaur
Package
Source: wget (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): released (1.19.1-3ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.19.1-3ubuntu1.1)
Ubuntu 12.04 ESM (Precise Pangolin): released (1.13.4-2ubuntu1.5)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.15-1ubuntu1.14.04.3)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.17.1-1ubuntu1.3)
Ubuntu 17.04 (Zesty Zapus): released (1.18-2ubuntu1.1)
Patches:
Upstream: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
More Information

Updated: 2017-11-01 12:14:52 UTC (commit 13621)