CVE-2017-13090
Description
The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 7 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.19.2-1 |
| sid | Fixed | 1.19.2-1 |
| forky | Fixed | 1.19.2-1 |
| bullseye | Fixed | 1.19.2-1 |
| bookworm | Fixed | 1.19.2-1 |
| 9.0 | Affected | โ |
| 8.0 | Affected | โ |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Fixed | 1.19.2-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gnu | wget | {"endIncluding":"1.19.1"} | |
References
- https://security.archlinux.org/ASA-201710-34
- http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
- http://www.debian.org/security/2017/dsa-4008
- http://www.securityfocus.com/bid/101590
- http://www.securitytracker.com/id/1039661
- https://access.redhat.com/errata/RHSA-2017:3075
- https://security.gentoo.org/glsa/201711-06
- https://www.synology.com/support/security/Synology_SA_17_62_Wget
- https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html
- https://www.suse.com/security/cve/CVE-2017-13090.html
- https://security-tracker.debian.org/tracker/CVE-2017-13090
CWEs
CWE-122 CWE-119
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.