VulnerableCode Package Details - pkg:alpm/archlinux/wget@1.19.2-1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5xb4-3mvj-aaas	The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.	CVE-2017-13090
VCID-hqfh-b2fv-aaah	CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.	CVE-2017-6508
VCID-xndb-8339-aaap	The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.	CVE-2017-13089

Vulnerability

Summary

Aliases

VCID-5xb4-3mvj-aaas

The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.

CVE-2017-13090

VCID-hqfh-b2fv-aaah

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.

CVE-2017-6508

VCID-xndb-8339-aaap

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

CVE-2017-13089

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:44:39.387170+00:00	Arch Linux Importer	Fixing	VCID-xndb-8339-aaap	https://security.archlinux.org/AVG-473	36.0.0
2025-03-28T07:44:39.352331+00:00	Arch Linux Importer	Fixing	VCID-5xb4-3mvj-aaas	https://security.archlinux.org/AVG-473	36.0.0
2025-03-28T07:44:39.319001+00:00	Arch Linux Importer	Fixing	VCID-hqfh-b2fv-aaah	https://security.archlinux.org/AVG-473	36.0.0
2024-09-18T01:59:42.897510+00:00	Arch Linux Importer	Fixing	VCID-xndb-8339-aaap	https://security.archlinux.org/AVG-473	34.0.1
2024-09-18T01:59:42.876738+00:00	Arch Linux Importer	Fixing	VCID-5xb4-3mvj-aaas	https://security.archlinux.org/AVG-473	34.0.1
2024-09-18T01:59:42.857357+00:00	Arch Linux Importer	Fixing	VCID-hqfh-b2fv-aaah	https://security.archlinux.org/AVG-473	34.0.1
2024-01-03T22:25:58.738148+00:00	Arch Linux Importer	Fixing	VCID-xndb-8339-aaap	https://security.archlinux.org/AVG-473	34.0.0rc1
2024-01-03T22:25:58.712055+00:00	Arch Linux Importer	Fixing	VCID-5xb4-3mvj-aaas	https://security.archlinux.org/AVG-473	34.0.0rc1
2024-01-03T22:25:58.687825+00:00	Arch Linux Importer	Fixing	VCID-hqfh-b2fv-aaah	https://security.archlinux.org/AVG-473	34.0.0rc1