diff options
| author | tez <tez@pkgsrc.org> | 2017-10-26 15:01:38 +0000 |
|---|---|---|
| committer | tez <tez@pkgsrc.org> | 2017-10-26 15:01:38 +0000 |
| commit | 77fe8e8672e1e01512121c7276b121be801d3edb (patch) | |
| tree | b470228d2177213ebdb651fb9adccd2c10fe6533 | |
| parent | b774faec5f80d0f04e5f736a46165f06847bfc9c (diff) | |
| download | pkgsrc-77fe8e8672e1e01512121c7276b121be801d3edb.tar.gz | |
wget: patches for VE-2017-13089 and CVE-2017-13090
| -rw-r--r-- | net/wget/Makefile | 4 | ||||
| -rw-r--r-- | net/wget/distinfo | 4 | ||||
| -rw-r--r-- | net/wget/patches/patch-CVE-2017-13089 | 36 | ||||
| -rw-r--r-- | net/wget/patches/patch-CVE-2017-13090 | 39 |
4 files changed, 80 insertions, 3 deletions
diff --git a/net/wget/Makefile b/net/wget/Makefile index 556332fce12..64db7573fda 100644 --- a/net/wget/Makefile +++ b/net/wget/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.135 2017/05/15 05:10:09 kim Exp $ +# $NetBSD: Makefile,v 1.136 2017/10/26 15:01:38 tez Exp $ DISTNAME= wget-1.19.1 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_GNU:=wget/} EXTRACT_SUFX= .tar.xz diff --git a/net/wget/distinfo b/net/wget/distinfo index 03b23650e63..838fb948d7f 100644 --- a/net/wget/distinfo +++ b/net/wget/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.54 2017/05/15 05:10:09 kim Exp $ +$NetBSD: distinfo,v 1.55 2017/10/26 15:01:38 tez Exp $ SHA1 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 95acf2c162f0e413c40c5881940daafff2cca9bb RMD160 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 41f0ac16a00f0837045120d1b65fd0e86c5c8618 @@ -8,4 +8,6 @@ SHA1 (wget-1.19.1.tar.xz) = cde25e99c144191644406793cbd1c69c102c6970 RMD160 (wget-1.19.1.tar.xz) = 158d759b81c0893cc9c83e4beabb104f4987f6dd SHA512 (wget-1.19.1.tar.xz) = 00864d225439bcb7c5af01d7ef19efa615427812d3320ab3f4c8f62c38191e837b1392397843f935d7dc5860a4d0ce89ee31f2730c4a729402f1f2bf3e5f64e5 Size (wget-1.19.1.tar.xz) = 2111756 bytes +SHA1 (patch-CVE-2017-13089) = 4dc004441198b6ae1cb2fb07eb6db3d55a007d1a +SHA1 (patch-CVE-2017-13090) = ad77c0406bb0e08979067649f93f5fa07328a1ea SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8 diff --git a/net/wget/patches/patch-CVE-2017-13089 b/net/wget/patches/patch-CVE-2017-13089 new file mode 100644 index 00000000000..e7a9185d34f --- /dev/null +++ b/net/wget/patches/patch-CVE-2017-13089 @@ -0,0 +1,36 @@ +$NetBSD: patch-CVE-2017-13089,v 1.1 2017/10/26 15:01:38 tez Exp $ + +From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> +Date: Fri, 20 Oct 2017 10:59:38 +0200 +Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling + (CVE-2017-13089) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* src/http.c (skip_short_body): Return error on negative chunk size + +Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint +Reported-by: Juhani Eronen from Finnish National Cyber Security Centre +--- + src/http.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/http.c b/src/http.c +index 55367688..dc318231 100644 +--- src/http.c ++++ src/http.c +@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked) + remaining_chunk_size = strtol (line, &endl, 16); + xfree (line); + ++ if (remaining_chunk_size < 0) ++ return false; ++ + if (remaining_chunk_size == 0) + { + line = fd_read_line (fd); +-- +2.15.0.rc1 + diff --git a/net/wget/patches/patch-CVE-2017-13090 b/net/wget/patches/patch-CVE-2017-13090 new file mode 100644 index 00000000000..88e823238e6 --- /dev/null +++ b/net/wget/patches/patch-CVE-2017-13090 @@ -0,0 +1,39 @@ +$NetBSD: patch-CVE-2017-13090,v 1.1 2017/10/26 15:01:38 tez Exp $ + +From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> +Date: Fri, 20 Oct 2017 15:15:47 +0200 +Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling + (CVE-2017-13090) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* src/retr.c (fd_read_body): Stop processing on negative chunk size + +Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint +Reported-by: Juhani Eronen from Finnish National Cyber Security Centre +--- + src/retr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/retr.c b/src/retr.c +index a27d58af..723ac725 100644 +--- src/retr.c ++++ src/retr.c +@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, + remaining_chunk_size = strtol (line, &endl, 16); + xfree (line); + ++ if (remaining_chunk_size < 0) ++ { ++ ret = -1; ++ break; ++ } ++ + if (remaining_chunk_size == 0) + { + ret = 0; +-- +2.15.0.rc1 + |