Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-4877

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.

Related bugs and status

CVE-2014-4877 (Candidate) is related to these bugs:

Bug #1386711: CVE-2014-4877 symlink arbitrary filesystem access

Summary				In	Importance	Status
	1386711	CVE-2014-4877 symlink arbitrary filesystem access		wget (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [bug-wget] 20141027 GN...
MISC: https://community.rapi...
MISC: https://github.com/rap...
CONFIRM: http://git.savannah.gn...
CONFIRM: http://git.savannah.gn...
CONFIRM: https://bugzilla.redha...
CERT-VN: VU#685996
REDHAT: RHSA-2014:1764
UBUNTU: USN-2393-1
DEBIAN: DSA-3062
SUSE: SUSE-SU-2014:1366
SUSE: openSUSE-SU-2014:1380
SUSE: SUSE-SU-2014:1408
GENTOO: GLSA-201411-05
REDHAT: RHSA-2014:1955
CONFIRM: http://advisories.mage...
MANDRIVA: MDVSA-2015:121
CONFIRM: http://www.oracle.com/...
CONFIRM: https://h20566.www2.hp...
BID: 70751
CONFIRM: https://h20566.www2.hp...
CONFIRM: https://kc.mcafee.com/...