CVE-2019-5953

NameCVE-2019-5953
DescriptionBuffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1760-1, DSA-4425-1
NVD severityhigh (attack range: remote)
Debian Bugs926389

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wget (PTS)jessie1.16-1+deb8u5vulnerable
jessie (security)1.16-1+deb8u6fixed
stretch (security), stretch1.18-5+deb9u3fixed
buster1.20.1-1.1fixed
bullseye, sid1.20.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wgetsource(unstable)1.20.1-1.1high926389
wgetsourcejessie1.16-1+deb8u6highDLA-1760-1
wgetsourcestretch1.18-5+deb9u3highDSA-4425-1

Notes

https://jvn.jp/en/jp/JVN25261088/
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00001.html
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00012.html
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 (removed unneeded debug lines in fixing commit)
Fixed in 1.20.3

Search for package or bug name: Reporting problems