Browse code
wget : Fix CVE-2017-13089 and CVE-2017-13090
Change-Id: I0e596c207bf6011326cd6698fa053795aea1384a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4357
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
xiaolin-vmware authored on 2017/11/21 10:25:31Showing 3 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,33 @@ |
| 0 |
+From d892291fb8ace4c3b734ea5125770989c215df3f Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> |
|
| 2 |
+Date: Fri, 20 Oct 2017 10:59:38 +0200 |
|
| 3 |
+Subject: Fix stack overflow in HTTP protocol handling (CVE-2017-13089) |
|
| 4 |
+MIME-Version: 1.0 |
|
| 5 |
+Content-Type: text/plain; charset=UTF-8 |
|
| 6 |
+Content-Transfer-Encoding: 8bit |
|
| 7 |
+ |
|
| 8 |
+* src/http.c (skip_short_body): Return error on negative chunk size |
|
| 9 |
+ |
|
| 10 |
+Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint |
|
| 11 |
+Reported-by: Juhani Eronen from Finnish National Cyber Security Centre |
|
| 12 |
+--- |
|
| 13 |
+ src/http.c | 3 +++ |
|
| 14 |
+ 1 file changed, 3 insertions(+) |
|
| 15 |
+ |
|
| 16 |
+diff --git a/src/http.c b/src/http.c |
|
| 17 |
+index 5536768..dc31823 100644 |
|
| 18 |
+--- a/src/http.c |
|
| 19 |
+@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked) |
|
| 20 |
+ remaining_chunk_size = strtol (line, &endl, 16); |
|
| 21 |
+ xfree (line); |
|
| 22 |
+ |
|
| 23 |
++ if (remaining_chunk_size < 0) |
|
| 24 |
++ return false; |
|
| 25 |
++ |
|
| 26 |
+ if (remaining_chunk_size == 0) |
|
| 27 |
+ {
|
|
| 28 |
+ line = fd_read_line (fd); |
|
| 29 |
+-- |
|
| 30 |
+cgit v1.0-41-gc330 |
|
| 31 |
+ |
| 0 | 32 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,36 @@ |
| 0 |
+From ba6b44f6745b14dce414761a8e4b35d31b176bba Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> |
|
| 2 |
+Date: Fri, 20 Oct 2017 15:15:47 +0200 |
|
| 3 |
+Subject: Fix heap overflow in HTTP protocol handling (CVE-2017-13090) |
|
| 4 |
+MIME-Version: 1.0 |
|
| 5 |
+Content-Type: text/plain; charset=UTF-8 |
|
| 6 |
+Content-Transfer-Encoding: 8bit |
|
| 7 |
+ |
|
| 8 |
+* src/retr.c (fd_read_body): Stop processing on negative chunk size |
|
| 9 |
+ |
|
| 10 |
+Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint |
|
| 11 |
+Reported-by: Juhani Eronen from Finnish National Cyber Security Centre |
|
| 12 |
+--- |
|
| 13 |
+ src/retr.c | 6 ++++++ |
|
| 14 |
+ 1 file changed, 6 insertions(+) |
|
| 15 |
+ |
|
| 16 |
+diff --git a/src/retr.c b/src/retr.c |
|
| 17 |
+index c1bc600..6555ed4 100644 |
|
| 18 |
+--- a/src/retr.c |
|
| 19 |
+@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, |
|
| 20 |
+ remaining_chunk_size = strtol (line, &endl, 16); |
|
| 21 |
+ xfree (line); |
|
| 22 |
+ |
|
| 23 |
++ if (remaining_chunk_size < 0) |
|
| 24 |
++ {
|
|
| 25 |
++ ret = -1; |
|
| 26 |
++ break; |
|
| 27 |
++ } |
|
| 28 |
++ |
|
| 29 |
+ if (remaining_chunk_size == 0) |
|
| 30 |
+ {
|
|
| 31 |
+ ret = 0; |
|
| 32 |
+-- |
|
| 33 |
+cgit v1.0-41-gc330 |
|
| 34 |
+ |
| ... | ... |
@@ -1,16 +1,17 @@ |
| 1 |
-Summary: A network utility to retrieve files from the Web |
|
| 2 |
-Name: wget |
|
| 3 |
-Version: 1.18 |
|
| 4 |
-Release: 2%{?dist}
|
|
| 5 |
-License: GPLv3+ |
|
| 6 |
-URL: http://www.gnu.org/software/wget/wget.html |
|
| 7 |
-Group: System Environment/NetworkingPrograms |
|
| 8 |
-Vendor: VMware, Inc. |
|
| 9 |
-Distribution: Photon |
|
| 10 |
-Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
|
|
| 11 |
-%define sha1 wget=02d451e658f600ee519c42cbf4d3bfe4e49b6c4f |
|
| 12 |
-Patch0: wget-CVE-2017-6508-fix.patch |
|
| 13 |
-Requires: openssl |
|
| 1 |
+Summary: A network utility to retrieve files from the Web |
|
| 2 |
+Name: wget |
|
| 3 |
+Version: 1.18 |
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 |
+License: GPLv3+ |
|
| 6 |
+URL: http://www.gnu.org/software/wget/wget.html |
|
| 7 |
+Group: System Environment/NetworkingPrograms |
|
| 8 |
+Vendor: VMware, Inc. |
|
| 9 |
+Distribution: Photon |
|
| 10 |
+Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
|
|
| 11 |
+%define sha1 wget=02d451e658f600ee519c42cbf4d3bfe4e49b6c4f |
|
| 12 |
+Patch0: wget-CVE-2017-6508-fix.patch |
|
| 13 |
+Patch1: wget-CVE-2017-13089.patch |
|
| 14 |
+Patch2: wget-CVE-2017-13090.patch |
|
| 14 | 15 |
BuildRequires: openssl-devel |
| 15 | 16 |
%description |
| 16 | 17 |
The Wget package contains a utility useful for non-interactive |
| ... | ... |
@@ -18,7 +19,8 @@ downloading of files from the Web. |
| 18 | 18 |
%prep |
| 19 | 19 |
%setup -q |
| 20 | 20 |
%patch0 -p1 |
| 21 |
- |
|
| 21 |
+%patch1 -p1 |
|
| 22 |
+%patch2 -p1 |
|
| 22 | 23 |
%build |
| 23 | 24 |
./configure \ |
| 24 | 25 |
CFLAGS="%{optflags}" \
|
| ... | ... |
@@ -51,6 +53,8 @@ rm -rf %{buildroot}/*
|
| 51 | 51 |
%{_bindir}/*
|
| 52 | 52 |
%{_mandir}/man1/*
|
| 53 | 53 |
%changelog |
| 54 |
+* Mon Nov 20 2017 Xiaolin Li <xiaolinl@vmware.com> 1.18-3 |
|
| 55 |
+- Fix CVE-2017-13089 and CVE-2017-13090 |
|
| 54 | 56 |
* Fri Jun 30 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.18-2 |
| 55 | 57 |
- Added fix for CVE-2017-6508 |
| 56 | 58 |
* Tue Nov 29 2016 Anish Swaminathan <anishs@vmware.com> 1.18-1 |