#wgetNoSatisfaction

The video is the Rolling Stones singing (I Can’t Get No) Satisfaction, for those who can’t see the iframe.

We have another corker of a Linux bug to patch on all our systems this morning, this time in the nearly-ubiquitous GNU wget. In light of the fact all vulnerabilities need catchy names now, I’m dubbing this one #wgetNoSatisfaction. You’re welcome.

From MITRE:

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Wget 1.16 patches this. If you can’t update, enforce the --retr-symlinks option in the relevant place(s) for your system, such as the global wgetrc:

# echo 'retr-symlinks=on' >> /usr/local/etc/wgetrc

From the Wget manpage:

Usually, when retrieving FTP directories recursively and a symbolic link is encountered, the linked-to file is not downloaded. Instead, a matching symbolic link is created on the local filesystem. The pointed-to file will not be downloaded unless this recursive retrieval would have encountered it separately and downloaded it anyway.

When --retr-symlinks is specified, however, symbolic links are traversed and the pointed-to files are retrieved. At this time, this option does not cause Wget to traverse symlinks to directories and recurse through them, but in the future it should be enhanced to do this.

As with Shellshock, FreeBSD is unaffected unless you’ve pulled wget from ports.

