GNU Wget: Arbitrary code execution — GLSA 201411-05

An absolute path traversal vulnerability could lead to arbitrary code execution.

Affected packages

net-misc/wget on all architectures
Affected versions < 1.16
Unaffected versions >= 1.16

Background

GNU Wget is a free software package for retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.

Description

An absolute path traversal vulnerability has been found in GNU Wget.

Impact

A remote FTP server is able to write to arbitrary files, and consequently execute arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All GNU Wget users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/wget-1.16"
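
To confirm whether a host still falls in the affected range, the following added example (not part of the advisory; the function names are hypothetical) parses the first line of `wget --version` and compares it with 1.16. It compares component by component, so 1.9 is correctly treated as older than 1.16. It assumes the usual banner form "GNU Wget <version> built on ...".

```shell
#!/bin/sh
# Added example, not part of the advisory; function names are hypothetical.

# Extract the version from a `wget --version` banner (first line only),
# e.g. "GNU Wget 1.15 built on linux-gnu." -> "1.15". Prints nothing if unrecognised.
wget_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^GNU Wget \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Return 0 when dotted numeric version $1 is lower than $2, else 1.
# Missing components count as 0, so 1.16 and 1.16.0 compare equal.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        # Drop the component just compared.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Return 0 if the banner reports a version below 1.16 (affected),
# 1 if it reports 1.16 or later, 2 if the banner could not be parsed.
wget_is_affected() {
    v=$(wget_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" 1.16
}

# Report on the locally installed wget, if there is one.
if command -v wget >/dev/null 2>&1; then
    if wget_is_affected "$(wget --version 2>/dev/null)"; then
        echo "wget is older than 1.16: upgrade"
    else
        echo "wget is 1.16 or newer, or its version banner was not recognised"
    fi
fi
```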
 

References

Release date
November 16, 2014

Latest revision
November 16, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries