To: bugtraqat_private announceat_private security-alertsat_private full-disclosureat_private ______________________________________________________________________________ SCO Security Advisory Subject: Linux: wget directory traversal and buffer overrun vulnerabilities Advisory number: CSSA-2003-003.0 Issue date: 2003 January 16 Cross reference: ______________________________________________________________________________ 1. Problem Description Stefano Zacchiroli found a buffer overrun in the url_filename function, which would make wget segfault on very long urls. Steven M. Christey discovered that wget did not verify the FTP server response to a NLST command: it must not contain any directory information, since that can be used to make a FTP client overwrite arbitrary files. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to wget-1.7.1-3.i386.rpm OpenLinux 3.1.1 Workstation prior to wget-1.7.1-3.i386.rpm OpenLinux 3.1 Server prior to wget-1.7.1-3.i386.rpm OpenLinux 3.1 Workstation prior to wget-1.7.1-3.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/RPMS 4.2 Packages 0adc5e5568cc589b9ab90ebb0e181e65 wget-1.7.1-3.i386.rpm 4.3 Installation rpm -Fvh wget-1.7.1-3.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-003.0/SRPMS 4.5 Source Packages b443ec3aa56abaa8236a88bffebba036 wget-1.7.1-3.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/RPMS 5.2 Packages d5ef7e346ec79bead0cba20189904a11 wget-1.7.1-3.i386.rpm 5.3 Installation rpm -Fvh wget-1.7.1-3.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-003.0/SRPMS 5.5 Source Packages 02c04170cbdef2de1b1f2c1a478681f7 wget-1.7.1-3.src.rpm 6. OpenLinux 3.1 Server 6.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/RPMS 6.2 Packages 7c2901898d0cc4d0bbb6132d82fefd0e wget-1.7.1-3.i386.rpm 6.3 Installation rpm -Fvh wget-1.7.1-3.i386.rpm 6.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-003.0/SRPMS 6.5 Source Packages b19f59dedcd9b2382a41c8af3cf056d0 wget-1.7.1-3.src.rpm 7. OpenLinux 3.1 Workstation 7.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/RPMS 7.2 Packages fbba3488352d9617a0b3b6507633c312 wget-1.7.1-3.i386.rpm 7.3 Installation rpm -Fvh wget-1.7.1-3.i386.rpm 7.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-003.0/SRPMS 7.5 Source Packages 7a30085d938ad07bde1f67267910a71d wget-1.7.1-3.src.rpm 8. References Specific references for this advisory: http://marc.theaimsgroup.com/?l=bugtraq&m=103962838628940&w=2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344 http://www.kb.cert.org/vuls/id/210148 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr872622, fz526854, erg712181. 9. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 10. Acknowledgements Stefano Zacchiroli and Steve Christey (coleyat_private) discovered and researched these vulnerabilities. ______________________________________________________________________________
This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 12:18:20 PST