Source: wget
Source-Version: 1.20.1-1

On Wed, Dec 26, 2018 at 09:24:23PM +0100, Salvatore Bonaccorso wrote:
> Source: wget
> Version: 1.20-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for wget.
> 
> CVE-2018-20483[0]:
> | set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's
> | origin URL in the user.xdg.origin.url metadata attribute of the
> | extended attributes of the downloaded file, which allows local users to
> | obtain sensitive information (e.g., credentials contained in the URL)
> | by reading this attribute, as demonstrated by getfattr. This also
> | applies to Referer information in the user.xdg.referrer.url metadata
> | attribute. According to 2016-07-22 in the Wget ChangeLog,
> | user.xdg.origin.url was partially based on the behavior of fwrite_xattr
> | in tool_xattr.c in curl.

Fixed with the 1.20.1 upstream version upload to sid today.

Regards,
Salvatore
