head 1.2; access; symbols pkgsrc-2017Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2017.11.23.16.03.29; author wiz; state dead; branches; next 1.1; commitid sD2sTkHf1l3H2bgA; 1.1 date 2017.10.26.15.01.38; author tez; state Exp; branches 1.1.2.1; next ; commitid UxGW5DPV8Tn9BzcA; 1.1.2.1 date 2017.10.26.15.01.38; author spz; state dead; branches; next 1.1.2.2; commitid rRNAykdOK6LoSQcA; 1.1.2.2 date 2017.10.28.19.03.45; author spz; state Exp; branches; next ; commitid rRNAykdOK6LoSQcA; desc @@ 1.2 log @wget: update to 1.19.2. * Changes in Wget 1.19.2 * Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling) * Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling) * New option --compression for gzip Content-Encoding * New option --[no]-netrc to control .netrc parsing * Added GNU extensions to .netrc parsing * Improved IDNA 2003 compatibility * Fix VPATH issues * Improved and extended the test suite * Support Wayback Machine's X-Archive-Orig-last-modified * Several bug fixes @ text @$NetBSD: patch-CVE-2017-13090,v 1.1 2017/10/26 15:01:38 tez Exp $ From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Fri, 20 Oct 2017 15:15:47 +0200 Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling (CVE-2017-13090) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/retr.c (fd_read_body): Stop processing on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/retr.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/src/retr.c b/src/retr.c index a27d58af..723ac725 100644 --- src/retr.c +++ src/retr.c @@@@ -378,6 +378,12 @@@@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + { + ret = -1; + break; + } + if (remaining_chunk_size == 0) { ret = 0; -- 2.15.0.rc1 @ 1.1 log @wget: patches for VE-2017-13089 and CVE-2017-13090 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2017-13090 was added on branch pkgsrc-2017Q3 on 2017-10-28 19:03:45 +0000 @ text @d1 39 @ 1.1.2.2 log @Pullup ticket #5589 - requested by tez net/wget: security patch Revisions pulled up: - net/wget/Makefile 1.136 - net/wget/distinfo 1.55 - net/wget/patches/patch-CVE-2017-13089 1.1 - net/wget/patches/patch-CVE-2017-13090 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tez Date: Thu Oct 26 15:01:39 UTC 2017 Modified Files: pkgsrc/net/wget: Makefile distinfo Added Files: pkgsrc/net/wget/patches: patch-CVE-2017-13089 patch-CVE-2017-13090 Log Message: wget: patches for CVE-2017-13089 and CVE-2017-13090 To generate a diff of this commit: cvs rdiff -u -r1.135 -r1.136 pkgsrc/net/wget/Makefile cvs rdiff -u -r1.54 -r1.55 pkgsrc/net/wget/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/net/wget/patches/patch-CVE-2017-13089 \ pkgsrc/net/wget/patches/patch-CVE-2017-13090 @ text @a0 39 $NetBSD$ From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Fri, 20 Oct 2017 15:15:47 +0200 Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling (CVE-2017-13090) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/retr.c (fd_read_body): Stop processing on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/retr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/retr.c b/src/retr.c index a27d58af..723ac725 100644 --- src/retr.c +++ src/retr.c @@@@ -378,6 +378,12 @@@@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + { + ret = -1; + break; + } + if (remaining_chunk_size == 0) { ret = 0; -- 2.15.0.rc1 @
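Review bot: In the fd_read_body hunk, the added `remaining_chunk_size < 0` test covers only the signed case of what `strtol (line, &endl, 16)` can return. The visible lines never compare `endl` against `line` before `xfree (line)`, and never look at errno. A chunk-size line with no hex digits therefore parses as 0 and falls into the `remaining_chunk_size == 0` branch as if it were the terminating chunk, and an oversized value saturates to LONG_MAX and passes the new check. I would suggest clearing errno before the call, then rejecting the line with the same `ret = -1; break;` path when `endl == line` or errno is ERANGE, doing the `endl` comparison before the buffer is freed. Since strtol also accepts leading whitespace and a sign, which is how a negative size gets through in the first place, requiring the first character to be a hex digit would reject that input at the parse step instead of after it. A short comment above the new block naming CVE-2017-13090 and explaining why a negative size must stop processing would help later readers of retr.c.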