head 1.2; access; symbols pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2017.11.23.16.03.29; author wiz; state dead; branches; next 1.1; commitid sD2sTkHf1l3H2bgA; 1.1 date 2017.10.26.15.01.38; author tez; state Exp; branches 1.1.2.1; next ; commitid UxGW5DPV8Tn9BzcA; 1.1.2.1 date 2017.10.26.15.01.38; author spz; state dead; branches; next 1.1.2.2; commitid rRNAykdOK6LoSQcA; 1.1.2.2 date 2017.10.28.19.03.45; author spz; state Exp; branches; next ; commitid rRNAykdOK6LoSQcA; desc @@ 1.2 log @wget: update to 1.19.2. * Changes in Wget 1.19.2 * Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling) * Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling) * New option --compression for gzip Content-Encoding * New option --[no]-netrc to control .netrc parsing * Added GNU extensions to .netrc parsing * Improved IDNA 2003 compatibility * Fix VPATH issues * Improved and extended the test suite * Support Wayback Machine's X-Archive-Orig-last-modified * Several bug fixes @ text @$NetBSD: patch-CVE-2017-13089,v 1.1 2017/10/26 15:01:38 tez Exp $ From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Fri, 20 Oct 2017 10:59:38 +0200 Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling (CVE-2017-13089) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/http.c (skip_short_body): Return error on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/http.c b/src/http.c index 55367688..dc318231 100644 --- src/http.c +++ src/http.c @@@@ -973,6 +973,9 @@@@ skip_short_body (int fd, wgint contlen, bool chunked) remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + return false; + if (remaining_chunk_size == 0) { line = fd_read_line (fd); -- 2.15.0.rc1 @ 1.1 log @wget: patches for VE-2017-13089 and CVE-2017-13090 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2017-13089 was added on branch pkgsrc-2017Q3 on 2017-10-28 19:03:45 +0000 @ text @d1 36 @ 1.1.2.2 log @Pullup ticket #5589 - requested by tez net/wget: security patch Revisions pulled up: - net/wget/Makefile 1.136 - net/wget/distinfo 1.55 - net/wget/patches/patch-CVE-2017-13089 1.1 - net/wget/patches/patch-CVE-2017-13090 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tez Date: Thu Oct 26 15:01:39 UTC 2017 Modified Files: pkgsrc/net/wget: Makefile distinfo Added Files: pkgsrc/net/wget/patches: patch-CVE-2017-13089 patch-CVE-2017-13090 Log Message: wget: patches for CVE-2017-13089 and CVE-2017-13090 To generate a diff of this commit: cvs rdiff -u -r1.135 -r1.136 pkgsrc/net/wget/Makefile cvs rdiff -u -r1.54 -r1.55 pkgsrc/net/wget/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/net/wget/patches/patch-CVE-2017-13089 \ pkgsrc/net/wget/patches/patch-CVE-2017-13090 @ text @a0 36 $NetBSD$ From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Fri, 20 Oct 2017 10:59:38 +0200 Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling (CVE-2017-13089) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/http.c (skip_short_body): Return error on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/http.c b/src/http.c index 55367688..dc318231 100644 --- src/http.c +++ src/http.c @@@@ -973,6 +973,9 @@@@ skip_short_body (int fd, wgint contlen, bool chunked) remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + return false; + if (remaining_chunk_size == 0) { line = fd_read_line (fd); -- 2.15.0.rc1 @