Arch Linux Security Advisory ASA-201410-14 ========================================== Severity: Medium Date : 2014-10-29 CVE-ID : CVE-2014-4877 Package : wget Type : arbitrary filesystem access Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package wget before version 1.16-2 is vulnerable to arbitrary filesystem access. Resolution ========== Upgrade to 1.16-2. # pacman -Syu "wget>=1.16-2" The problem has been fixed upstream in version 1.16. Workaround ========== Do not use the --retr-symlinks=yes option when recursively retrieving a directory from an untrusted FTP server or over an untrusted connection. Description =========== It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. By default, when retrieving ftp directories recursively and a symbolic link is encountered, the symbolic link is traversed and the pointed-to files are retrieved. This option poses a security risk where a malicious FTP Server may cause Wget to write to files outside of the intended directories through a specially crafted .listing file. Impact ====== A malicious FTP server or a malicious attacker in position of man-in-the-middle could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877 https://bugzilla.redhat.com/show_bug.cgi?id=1139181 http://seclists.org/oss-sec/2014/q4/453