
Security Advisories (MDKSA-2005:204): wget


aru

Mandriva Security Advisories MDKSA-2005:204 : wget

 

Updated wget packages fix vulnerability

November 1st, 2005

 

Hugo Vazquez Carames discovered a race condition when writing output files in wget. After wget determined the output file name, but before the file was actually opened, a local attacker with write permissions to the download directory could create a symbolic link with the name of the output file. This could be exploited to overwrite arbitrary files with the permissions of the user invoking wget. The time window of opportunity for the attacker is determined solely by the delay of the first received data packet. The updated packages have been patched to correct this issue.

 

 

The released versions of Mandriva GNU/Linux affected are:

  • 10.1
  • CS3.0
  • MNF2.0
  • 10.2

Full information about this advisory, including the updated packages, is available at:

www.mandriva.com/security/advisories?name=MDKSA-2005:204

 

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014

 

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
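
The check-then-open race described in the advisory, next to an atomic-create mitigation, as an added example that is not part of the advisory and is neither wget's code nor the Mandriva patch. The function names, the temporary directory and the file contents are constructed for illustration, and both roles run as the same user here.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the name was checked earlier, then opened later with a call
 * that follows symlinks and truncates whatever the link points to. */
static int open_output_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: check and create in one atomic step. With O_CREAT|O_EXCL
 * open() fails with EEXIST if the name exists, even when it is a symlink. */
static int open_output_atomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario. Returns the size of the "victim" file after the
 * download attempt (8 = untouched, 0 = truncated, -1 = setup error). */
long run_scenario(int hardened, int *open_errno) {
    char dir[] = "/tmp/symrace-XXXXXX", victim[64], out[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/index.html", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);

    /* Step 1: the downloader decides on an output name that is still free. */
    if (lstat(out, &st) == 0 || errno != ENOENT) return -1;
    /* Window (waiting for the first data packet): a link appears there. */
    if (symlink(victim, out) != 0) return -1;
    /* Step 2: the downloader opens the name it chose in step 1. */
    errno = 0;
    fd = hardened ? open_output_atomic(out) : open_output_racy(out);
    *open_errno = errno;
    if (fd >= 0) close(fd);

    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(out); unlink(victim); rmdir(dir);
    return size;
}
```

With the racy open the victim file ends up empty; with the atomic open the call is refused with `EEXIST` and the victim keeps its 8 bytes, so the caller can pick another name or abort.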
