Source: wget Version: 1.25.0-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for wget. CVE-2026-58469[0]: | GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap | buffer underread vulnerability in the clean_metalink_string() | function within src/metalink.c that allows a malicious server to | trigger memory corruption by serving a Metalink document containing | a whitespace-only URL. Attackers can cause the function to decrement | a pointer past the start of the buffer when processing an all- | whitespace Metalink URL, potentially leading to abnormal program | behavior. CVE-2026-58470[1]: | GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an | integer overflow vulnerability in the parse_content_range() function | within src/http.c that allows server-controlled values to cause | signed integer arithmetic to overflow. Attackers can supply | malicious Content-Range header values to trigger undefined behavior | and download desynchronization in the affected client. CVE-2026-58471[2]: | GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap | buffer overflow vulnerability in the convert_fname() function within | src/url.c that allows remote attackers to trigger memory corruption | through a server-supplied filename requiring character set | conversion. When the output buffer is too small during iconv E2BIG | reallocation, the reallocation logic miscalculates the remaining | space, leading to a heap buffer overflow that can be exploited via a | maliciously crafted server response. CVE-2026-58472[3]: | GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap | buffer overflow vulnerability in the html_quote_string() function in | src/convert.c that allows a remote attacker to trigger memory | corruption by supplying a crafted HTML attribute with a large number | of characters requiring entity encoding. A server-supplied HTML | attribute causes a signed integer counter to overflow during output | size accumulation, resulting in an undersized heap allocation and | subsequent heap buffer overflow during the copy phase. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-58469 https://www.cve.org/CVERecord?id=CVE-2026-58469 [1] https://security-tracker.debian.org/tracker/CVE-2026-58470 https://www.cve.org/CVERecord?id=CVE-2026-58470 [2] https://security-tracker.debian.org/tracker/CVE-2026-58471 https://www.cve.org/CVERecord?id=CVE-2026-58471 [3] https://security-tracker.debian.org/tracker/CVE-2026-58472 https://www.cve.org/CVERecord?id=CVE-2026-58472 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

