Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #10858 from BKPepe/wget-18.06

Browse source 
[OpenWrt 18.06] wget: fix CVE-2019-5953
This commit is contained in:
tripolar 2019-12-30 14:03:47 +01:00 committed by GitHub
commit 8304a768cb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/wget/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wget PKG_NAME:=wget
PKG_VERSION:=1.19.5 PKG_VERSION:=1.19.5
PKG_RELEASE:=3 PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@GNU/$(PKG_NAME) PKG_SOURCE_URL:=@GNU/$(PKG_NAME)

43
net/wget/patches/030-CVE-2019-5953-fix-buffer-overflow.patch Normal file
View file

@ -0,0 +1,43 @@
From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 11:50:44 +0200
Subject: Fix a buffer overflow vulnerability
* src/iri.c(do_conversion): Reallocate the output buffer to a larger
size if it is already full
---
src/iri.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/src/iri.c
+++ b/src/iri.c
@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
*out = s = xmalloc (outlen + 1);
done = 0;
+ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
+
for (;;)
{
+ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
{
@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
}
else if (errno == E2BIG) /* Output buffer full */
{
+ logprintf (LOG_VERBOSE,
+ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
tooshort++;
done = len;
- len = outlen = done + inlen * 2;
- s = xrealloc (s, outlen + 1);
- *out = s + done;
+ len = done + inlen * 2;
+ s = xrealloc (s, len + 1);
+ *out = s + done - outlen;
+ outlen += inlen * 2;
}
else /* Weird, we got an unspecified error */
{

32
net/wget/patches/040-remove-unneeded-debug-lines.patch Normal file
View file

@ -0,0 +1,32 @@
From 562eacb76a2b64d5dc80a443f0f739bc9ef76c17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 5 Apr 2019 13:01:57 +0200
Subject: * src/iri.c (do_conversion): Remove unneeded debug lines
---
src/iri.c | 5 -----
1 file changed, 5 deletions(-)
--- a/src/iri.c
+++ b/src/iri.c
@@ -151,11 +151,8 @@ do_conversion (const char *tocode, const
*out = s = xmalloc (outlen + 1);
done = 0;
- DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
-
for (;;)
{
- DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
{
@@ -190,8 +187,6 @@ do_conversion (const char *tocode, const
}
else if (errno == E2BIG) /* Output buffer full */
{
- logprintf (LOG_VERBOSE,
- _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
tooshort++;
done = len;
len = done + inlen * 2;