GNU Wget: stack overflow in HTTP protocol handling

Summary

CVE	CVE-2017-13089
State	PUBLISHED
Assigner	certcc
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-10-27 19:29:00 UTC
Updated	2025-04-20 01:37:25 UTC
Description	The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

Risk And Classification

Primary CVSS: v3.0 8.8 HIGH from [email protected]

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem Types: CWE-121 | CWE-119 | CWE-121 CWE-121: Stack-based Buffer Overflow

Version	Source	Type	Score	Severity	Vector
3.0	[email protected]	Primary	8.8	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
3.0	[email protected]	Secondary	8.8	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
3.0	CNA	DECLARED	8.8	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
2.0	[email protected]	Primary	9.3		`AV:N/AC:M/Au:N/C:C/I:C/A:C`

CVSS v3.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Gnu	Wget	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	GNU Project	Wget	affected prior to 1.19.2	any

References

Reference	Source	Link	Tags
Debian -- Security Information -- DSA-4008-1 wget	af854a3a-2127-422b-91ae-364da2661108	www.debian.org	Issue Tracking, Third Party Advisory
GNU Wget: Multiple vulnerabilities (GLSA 201711-06) — Gentoo Security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Issue Tracking, Third Party Advisory
wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code - SecurityTracker	af854a3a-2127-422b-91ae-364da2661108	www.securitytracker.com	Issue Tracking, Third Party Advisory, VDB Entry
wget.git - GNU Wget	af854a3a-2127-422b-91ae-364da2661108	git.savannah.gnu.org	Issue Tracking, Patch, Third Party Advisory
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com
Synology-SA-17:62 Wget \| Synology Inc.	af854a3a-2127-422b-91ae-364da2661108	www.synology.com
Viestintävirasto - Critical vulnerabilities in Wget	af854a3a-2127-422b-91ae-364da2661108	www.viestintavirasto.fi	Issue Tracking, Patch, Third Party Advisory
GitHub - r1b/CVE-2017-13089: PoC for wget v1.19.1	af854a3a-2127-422b-91ae-364da2661108	github.com	Issue Tracking, Third Party Advisory
GNU wget CVE-2017-13089 Stack Buffer Overflow Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Issue Tracking, Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

GNU Wget: stack overflow in HTTP protocol handling

Summary

Risk And Classification

CVSS v3.0 Breakdown

CVSS v2.0 Breakdown

NVD Known Affected Configurations (CPE 2.3)

Vendor Declared Affected Products

References

Vendor Comments And Credit

Discovery Credit

Legacy QID Mappings