Accepting request 536249 from home:jmoellers:branches:network:utilities

OBS-URL: https://build.opensuse.org/request/show/536249
OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=80
This commit is contained in:
Josef Möllers 2017-10-24 07:43:13 +00:00 committed by Git OBS Bridge
parent 4510c76e63
commit 6160b9ad9b
4 changed files with 78 additions and 0 deletions

View File

@ -0,0 +1,31 @@
From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 20 Oct 2017 10:59:38 +0200
Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling
(CVE-2017-13089)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* src/http.c (skip_short_body): Return error on negative chunk size
Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
---
src/http.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/http.c b/src/http.c
index 55367688..dc318231 100644
--- a/src/http.c
+++ b/src/http.c
@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked)
remaining_chunk_size = strtol (line, &endl, 16);
xfree (line);
+ if (remaining_chunk_size < 0)
+ return false;
+
if (remaining_chunk_size == 0)
{
line = fd_read_line (fd);

View File

@ -0,0 +1,34 @@
From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 20 Oct 2017 15:15:47 +0200
Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling
(CVE-2017-13090)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* src/retr.c (fd_read_body): Stop processing on negative chunk size
Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
---
src/retr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/retr.c b/src/retr.c
index a27d58af..723ac725 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
remaining_chunk_size = strtol (line, &endl, 16);
xfree (line);
+ if (remaining_chunk_size < 0)
+ {
+ ret = -1;
+ break;
+ }
+
if (remaining_chunk_size == 0)
{
ret = 0;

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Oct 24 07:07:32 UTC 2017 - josef.moellers@suse.com
- Fixed two stack overflow vulnerabilities if a chunksize is
negative.
[bsc#1064715,wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch,
bsc#1064716,wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch,
CVE-2017-13089,CVE-2017-13090]
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 21 06:45:00 UTC 2017 - josef.moellers@suse.com Thu Sep 21 06:45:00 UTC 2017 - josef.moellers@suse.com

View File

@ -35,6 +35,8 @@ Patch7: wget-fix-pod-syntax.diff
Patch8: wget-errno-clobber.patch Patch8: wget-errno-clobber.patch
Patch9: wget-CVE-2017-6508.patch Patch9: wget-CVE-2017-6508.patch
Patch10: wget-416-but-file-not-complete.patch Patch10: wget-416-but-file-not-complete.patch
Patch11: wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch
Patch12: wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: gpgme-devel >= 0.4.2 BuildRequires: gpgme-devel >= 0.4.2
BuildRequires: libcares-devel BuildRequires: libcares-devel
@ -83,6 +85,8 @@ This can be done in script files or via the command line.
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1
%patch12 -p1
%build %build
%if 0%{?suse_version} > 1110 %if 0%{?suse_version} > 1110