aru
Posted November 1, 2005

Mandriva Security Advisories

MDKSA-2005:204 : wget

Updated wget packages fix vulnerability

November 1st, 2005

Hugo Vazquez Carames discovered a race condition when writing output files in wget. After wget determined the output file name, but before the file was actually opened, a local attacker with write permissions to the download directory could create a symbolic link with the name of the output file. This could be exploited to overwrite arbitrary files with the permissions of the user invoking wget. The time window of opportunity for the attacker is determined solely by the delay of the first received data packet.

The updated packages have been patched to correct this issue.

The released versions of Mandriva GNU/Linux affected are:

10.1
CS3.0
MNF2.0
10.2

Full information about this advisory, including the updated packages, is available at:
www.mandriva.com/security/advisories?name=MDKSA-2005:204

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
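The class of bug the advisory describes, shown as an added example that is not part of the advisory and not wget's actual patch: an output file opened by name after the name was chosen, beside an open that refuses a name someone else created in the meantime. The function names, the temp-directory layout and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak pattern: the name was chosen earlier; this open follows whatever
 * now sits at that name, including a symlink, and truncates its target. */
int open_output_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_CREAT|O_EXCL creates the file atomically and fails
 * with EEXIST if the name already exists, even as a dangling symlink.
 * O_NOFOLLOW is redundant here and kept as defence in depth. */
int open_output_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Constructed scenario in a private temp dir: "precious" holds data and the
 * chosen output name "index.html" has become a symlink pointing at it.
 * Returns 1 if precious kept its content, 0 if overwritten, -1 on setup error. */
int precious_survives(int (*opener)(const char *)) {
    char dir[] = "/tmp/toctou-demo-XXXXXX", victim[128], out[128], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/precious", dir);
    snprintf(out, sizeof out, "%s/index.html", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me", 7) != 7 || close(fd) != 0) return -1;
    if (symlink(victim, out) != 0) return -1;

    fd = opener(out);                 /* the "download" opens its output */
    if (fd >= 0) { if (write(fd, "fetched", 7) != 7) perror("write"); close(fd); }

    fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(out); unlink(victim); rmdir(dir);
    return n == 7 && strcmp(buf, "keep me") == 0;
}

int main(void) {
    printf("weak open:     precious intact = %d\n", precious_survives(open_output_weak));
    printf("hardened open: precious intact = %d\n", precious_survives(open_output_safe));
    return 0;
}
```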