#wgetNoSatisfaction
The video is the Rolling Stones singing (I Can’t Get No) Satisfaction, for those who can’t see the iframe.
We have another corker of a Linux bug to patch on all our systems this morning, this time in the nearly-ubiquitous GNU wget. In light of the fact that all vulnerabilities need catchy names now, I’m dubbing this one #wgetNoSatisfaction. You’re welcome.
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
Wget 1.16 patches this. If you can’t update, enforce the --retr-symlinks option in the relevant place(s) for your system, such as:
# echo 'retr-symlinks=on' >> /usr/local/etc/wgetrc
Usually, when retrieving FTP directories recursively and a symbolic link is encountered, the linked-to file is not downloaded. Instead, a matching symbolic link is created on the local filesystem. The pointed-to file will not be downloaded unless this recursive retrieval would have encountered it separately and downloaded it anyway.
When --retr-symlinks is specified, however, symbolic links are traversed and the pointed-to files are retrieved. At this time, this option does not cause Wget to traverse symlinks to directories and recurse through them, but in the future it should be enhanced to do this.
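To confirm the fix or the workaround actually landed on a host, here is an added shell script (not from the original post) that checks whether the installed wget reports version 1.16 or later and, if not, whether one of the wgetrc files enables retr-symlinks. The /usr/local/etc/wgetrc path is the one from the post; /etc/wgetrc, $WGETRC and ~/.wgetrc are the other startup-file locations documented in the wget manual, as are the parsing rules assumed here (one "command = value" per line, '#' starts a comment, command names are case-, dash- and underscore-insensitive, a later line overrides an earlier one). The wgetrc contents fed to the checks are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a host for the wget FTP
# symlink issue described above. wgetrc paths other than /usr/local/etc/wgetrc
# and the wgetrc syntax rules are taken from the wget manual (an assumption
# here, not something the post states).

# Return 0 if VERSION (e.g. "1.16.1", as printed by `wget --version`) is
# 1.16 or later, i.e. already carries the upstream fix.
wget_version_fixed() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    [ "$v" = "$major" ] && minor=0          # no dot at all, e.g. "2"
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 16 ] && return 0
    return 1
}

# Return 0 if wgetrc FILE enables retr-symlinks. Lines are "command = value";
# '#' starts a comment; command names are case-, dash- and underscore-
# insensitive (retr-symlinks, retr_symlinks and RetrSymlinks are the same
# command); when a command appears more than once, the last line wins.
wgetrc_retr_symlinks_on() {
    file="$1"
    last=""
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # strip trailing comment
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t_' | sed 's/-//g' | tr 'A-Z' 'a-z')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        [ "$key" = "retrsymlinks" ] && last="$val"
    done < "$file"
    # wget's boolean parser accepts on/off, yes/no and 1/0
    case "$last" in on|yes|1) return 0 ;; *) return 1 ;; esac
}

# Combine both checks: a host is covered when its wget is already fixed or
# any of the listed wgetrc files turns retr-symlinks on. Prints a verdict and
# returns 0 (covered) or 1 (exposed).
wget_symlink_mitigated() {
    version="$1"; shift
    if wget_version_fixed "$version"; then
        echo "wget $version: fixed upstream, no wgetrc change needed"
        return 0
    fi
    for rc in "$@"; do
        if wgetrc_retr_symlinks_on "$rc"; then
            echo "wget $version: vulnerable build, but $rc sets retr-symlinks=on"
            return 0
        fi
    done
    echo "wget $version: vulnerable build and no wgetrc enables retr-symlinks"
    return 1
}

# Stand-alone run: inspect the wget on this host, if there is one.
# `wget --version` prints "GNU Wget X.Y.Z built on ...", so the version is field 3.
if command -v wget >/dev/null 2>&1; then
    ver=$(wget --version 2>/dev/null | head -n 1 | awk '{print $3}')
    wget_symlink_mitigated "${ver:-unknown}" /etc/wgetrc /usr/local/etc/wgetrc \
        "${WGETRC:-$HOME/.wgetrc}" || true
fi
```

Run it as part of a config-management check: a non-zero exit from wget_symlink_mitigated means the host still has an old wget and none of its startup files sets retr-symlinks, which is exactly the state the echo line in the post is meant to remove. Note that the check only covers the files it is told about; a user's own WGETRC setting or a command-line --no-retr-symlinks still takes precedence for that invocation.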
As with Shellshock, FreeBSD is unaffected unless you’ve pulled wget from ports.