Report

In wget's VMS fallback implementation of getpwuid (src/vms.c, under __CRTL_VER < 70000000), the code copies untrusted-length strings from cuserid() and sys$getuai() into fixed-size global buffers using strcpy without bounds checks. If the returned userid/owner strings exceed vms_userid[16] or vms_owner[40], this overflows memory, leading to memory corruption and potential code execution.

76528b29-25a9-46b5-8008-88496514cb79
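
A bounds-checked form of the two copies the report describes, as an added example rather than wget's own code: bounded_copy and store_identity are hypothetical names, the buffer sizes are the ones the report states, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes as stated in the report; stand-alone example code. */
static char vms_userid[16];
static char vms_owner[40];

/* Hypothetical helper: copy NUL-terminated src into dst[dst_size].
 * Returns 0 on success, -1 if src is NULL or does not fit with its NUL.
 * On failure dst is an empty string, never a truncated name. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Scan at most dst_size bytes: enough to decide whether src fits. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)          /* no terminator within the buffer size */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 <= dst_size, includes the NUL */
    return 0;
}

/* Hypothetical wrapper standing in for the two copies the report names. */
static int store_identity(const char *userid, const char *owner)
{
    if (bounded_copy(vms_userid, sizeof vms_userid, userid) != 0)
        return -1;
    if (bounded_copy(vms_owner, sizeof vms_owner, owner) != 0) {
        vms_userid[0] = '\0';   /* keep the pair consistent on failure */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one pair that fits, one 16-byte userid that does not. */
    printf("%d\n", store_identity("SYSTEM", "SYSTEM MANAGER"));
    printf("%d\n", store_identity("ABCDEFGHIJKLMNOP", "X"));
    return 0;
}
```

Rejecting an over-long name instead of truncating it avoids handing the caller a partial identity.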