GNU Wget: heap overflow in HTTP protocol handling
Summary
| CVE | CVE-2017-13090 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-10-27 19:29:00 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer. |
Risk And Classification
Primary CVSS: v3.0 8.8 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Problem Types: CWE-122 | CWE-119 | CWE-122 CWE-122: Heap-based Buffer Overflow
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.0 | [email protected] | Secondary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.0 | CNA | DECLARED | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
CompleteIntegrity
CompleteAvailability
CompleteAV:N/AC:M/Au:N/C:C/I:C/A:C
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Gnu | Wget | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | GNU Project | Wget | affected prior to 1.19.2 | any |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-4008-1 wget | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Issue Tracking, Third Party Advisory |
| GNU Wget: Multiple vulnerabilities (GLSA 201711-06) — Gentoo Security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Issue Tracking, Third Party Advisory |
| GNU wget CVE-2017-13090 Heap Buffer Overflow Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Issue Tracking, Third Party Advisory, VDB Entry |
| wget.git - GNU Wget | af854a3a-2127-422b-91ae-364da2661108 | git.savannah.gnu.org | Issue Tracking, Patch, Third Party Advisory |
| wget Buffer Overflows in Processing HTTP Data Lets Remote Users Execute Arbitrary Code - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Issue Tracking, Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Synology-SA-17:62 Wget | Synology Inc. | af854a3a-2127-422b-91ae-364da2661108 | www.synology.com | |
| Viestintävirasto - Critical vulnerabilities in Wget | af854a3a-2127-422b-91ae-364da2661108 | www.viestintavirasto.fi | Issue Tracking, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint (en)