Source: wget
Version: 1.25.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for wget.

CVE-2026-58469[0]:
| GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap
| buffer underread vulnerability in the clean_metalink_string()
| function within src/metalink.c that allows a malicious server to
| trigger memory corruption by serving a Metalink document containing
| a whitespace-only URL. Attackers can cause the function to decrement
| a pointer past the start of the buffer when processing an all-
| whitespace Metalink URL, potentially leading to abnormal program
| behavior.


CVE-2026-58470[1]:
| GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an
| integer overflow vulnerability in the parse_content_range() function
| within src/http.c that allows server-controlled values to cause
| signed integer arithmetic to overflow. Attackers can supply
| malicious Content-Range header values to trigger undefined behavior
| and download desynchronization in the affected client.


CVE-2026-58471[2]:
| GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap
| buffer overflow vulnerability in the convert_fname() function within
| src/url.c that allows remote attackers to trigger memory corruption
| through a server-supplied filename requiring character set
| conversion. When the output buffer is too small during iconv E2BIG
| reallocation, the reallocation logic miscalculates the remaining
| space, leading to a heap buffer overflow that can be exploited via a
| maliciously crafted server response.


CVE-2026-58472[3]:
| GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap
| buffer overflow vulnerability in the html_quote_string() function in
| src/convert.c that allows a remote attacker to trigger memory
| corruption by supplying a crafted HTML attribute with a large number
| of characters requiring entity encoding. A server-supplied HTML
| attribute causes a signed integer counter to overflow during output
| size accumulation, resulting in an undersized heap allocation and
| subsequent heap buffer overflow during the copy phase.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-58469
    https://www.cve.org/CVERecord?id=CVE-2026-58469
[1] https://security-tracker.debian.org/tracker/CVE-2026-58470
    https://www.cve.org/CVERecord?id=CVE-2026-58470
[2] https://security-tracker.debian.org/tracker/CVE-2026-58471
    https://www.cve.org/CVERecord?id=CVE-2026-58471
[3] https://security-tracker.debian.org/tracker/CVE-2026-58472
    https://www.cve.org/CVERecord?id=CVE-2026-58472

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to