[Buildroot] [PATCH] wget: security bump to version 1.19.2
Peter Korsgaard
peter at korsgaard.com
Sat Oct 28 07:10:17 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2017-13089: The http.c:skip_short_body() function is called in some
> circumstances, such as when processing redirects. When the response is sent
> chunked, the chunk parser uses strtol() to read each chunk's length, but
> doesn't check that the chunk length is a non-negative number. The code then
> tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but
> ends up passing the negative chunk length to connect.c:fd_read(). As
> fd_read() takes an int argument, the high 32 bits of the chunk length are
> discarded, leaving fd_read() with a completely attacker controlled length
> argument.
> CVE-2017-13090: The retr.c:fd_read_body() function is called when processing
> OK responses. When the response is sent chunked, the chunk parser uses
> strtol() to read each chunk's length, but doesn't check that the chunk
> length is a non-negative number. The code then tries to read the chunk in
> pieces of 8192 bytes by using the MIN() macro, but ends up passing the
> negative chunk length to retr.c:fd_read(). As fd_read() takes an int
> argument, the high 32 bits of the chunk length are discarded, leaving
> fd_read() with a completely attacker controlled length argument. The
> attacker can corrupt malloc metadata after the allocated buffer.
> Drop now upstreamed patch and change to .tar.lz as .tar.xz is no longer
> available.
> Also add a hash for the license file while we're at it.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list