Report

GNU Wget's VMS FTP directory listing parser stores a synthesized date/time string in a fixed 32-byte stack buffer. It copies the date token with unbounded strcpy(), appends a space with strcat(), then appends the time token with strncat(). A malicious or malformed FTP server response can supply an overlong date token that passes the loose token checks and overflows the buffer before strptime() is called.
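The bounded alternative to the strcpy()/strcat()/strncat() sequence described above, as an added example that is not Wget's code or its actual fix: the helper name `build_vms_datetime`, the constant `VMS_DATETIME_BUFSZ` and the sample tokens are hypothetical, and only the 32-byte size comes from the report. It rejects any date/time pair that would not fit instead of truncating, so the caller never hands a partial string to strptime().

```c
#include <stdio.h>
#include <string.h>

#define VMS_DATETIME_BUFSZ 32   /* buffer size stated in the report */

/* Pattern described in the report (comment only, not compiled):
 *   char date_str[32];
 *   strcpy(date_str, date_tok);        // length is chosen by the server
 *   strcat(date_str, " ");
 *   strncat(date_str, time_tok, ...);  // the bound arrives too late
 */

/* Length of s, but never reads more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical helper: writes "<date> <time>" into out.
 * Returns 0 on success, -1 if the result would not fit (out is left empty). */
int build_vms_datetime(char *out, size_t outsz,
                       const char *date_tok, const char *time_tok)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (date_tok == NULL || time_tok == NULL)
        return -1;

    size_t dlen = bounded_len(date_tok, outsz);
    size_t tlen = bounded_len(time_tok, outsz);
    /* Required space: date + ' ' + time + NUL terminator. */
    if (dlen + tlen + 2 > outsz)
        return -1;

    snprintf(out, outsz, "%s %s", date_tok, time_tok);
    return 0;
}

int main(void)
{
    char buf[VMS_DATETIME_BUFSZ];
    /* Constructed sample tokens, not taken from a real listing. */
    int rc = build_vms_datetime(buf, sizeof buf, "15-JAN-2024", "12:30:45");
    printf("rc=%d result=\"%s\"\n", rc, buf);
    return 0;
}
```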

f5aaf5d3-8f58-4d8e-abd4-42a52796d303
