Home > Security > Advisories


Mandriva Advisories

Package name wget
Date November 1st, 2005
Advisory ID MDKSA-2005:204
Affected versions 10.1, CS3.0, MNF2.0, 10.2
Synopsis Updated wget packages fix vulnerability

Problem Description

Hugo Vazquez Carames discovered a race condition when writing output
files in wget. After wget determined the output file name, but before
the file was actually opened, a local attacker with write permissions
to the download directory could create a symbolic link with the name
of the output file. This could be exploited to overwrite arbitrary
files with the permissions of the user invoking wget. The time window
of opportunity for the attacker is determined solely by the delay of
the first received data packet.

The updated packages have been patched to correct this issue.

Updated Packages

Mandrakelinux 10.1

 28b67f788c7ed5f28ca7e752b15a9eb8  10.1/RPMS/wget-1.9.1-4.3.101mdk.i586.rpm
 b0b856e5eeb63f608476877942f6a216  10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm

Mandrakelinux 10.1/X86_64

 d2fc09595e4bf4267c7cc7d9d5def8ee  x86_64/10.1/RPMS/wget-1.9.1-4.3.101mdk.x86_64.rpm
 b0b856e5eeb63f608476877942f6a216  x86_64/10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm

Corporate Server 3.0

 91f8d363d41afb43943f3f5569e2e83c  corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.i586.rpm
 8ce78a19c89331fdb7527e6a4674376c  corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 e3796c54a067d9ef54d08f779fe3ec9d  x86_64/corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.x86_64.rpm
 8ce78a19c89331fdb7527e6a4674376c  x86_64/corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm

Multi Network Firewall 2.0

 f834aa6b814014c20b6d97fd7a893ea6  mnf/2.0/RPMS/wget-1.9.1-4.3.M20mdk.i586.rpm
 00f1b8920df39e3f4fc35eea07879168  mnf/2.0/SRPMS/wget-1.9.1-4.3.M20mdk.src.rpm

Mandriva Linux LE2005

 36dfb01a50fcdec20d379001f2054ba4  10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
 82584cb410bcb5104f44d3429675e7e5  10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm

Mandriva Linux LE2005/X86_64

 36dfb01a50fcdec20d379001f2054ba4  x86_64/10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
 82584cb410bcb5104f44d3429675e7e5  x86_64/10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm




To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.