[Buildroot] [PATCH] wget: security bump to version 1.19.2

Peter Korsgaard peter at korsgaard.com
Sat Oct 28 07:10:17 UTC 2017


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2017-13089: The http.c:skip_short_body() function is called in some
 > circumstances, such as when processing redirects.  When the response is sent
 > chunked, the chunk parser uses strtol() to read each chunk's length, but
 > doesn't check that the chunk length is a non-negative number.  The code then
 > tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but
 > ends up passing the negative chunk length to connect.c:fd_read().  As
 > fd_read() takes an int argument, the high 32 bits of the chunk length are
 > discarded, leaving fd_read() with a completely attacker controlled length
 > argument.

 > CVE-2017-13090: The retr.c:fd_read_body() function is called when processing
 > OK responses.  When the response is sent chunked, the chunk parser uses
 > strtol() to read each chunk's length, but doesn't check that the chunk
 > length is a non-negative number.  The code then tries to read the chunk in
 > pieces of 8192 bytes by using the MIN() macro, but ends up passing the
 > negative chunk length to retr.c:fd_read().  As fd_read() takes an int
 > argument, the high 32 bits of the chunk length are discarded, leaving
 > fd_read() with a completely attacker controlled length argument.  The
 > attacker can corrupt malloc metadata after the allocated buffer.

 > Drop now upstreamed patch and change to .tar.lz as .tar.xz is no longer
 > available.

 > Also add a hash for the license file while we're at it.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
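To make the chunk-length flaw described in the commit message concrete, the following is an added example written for this page, not wget's own source: an unchecked strtol()-based chunk-size parser and the MIN()/int-narrowing read step beside a hardened parser that rejects negative, malformed and oversized sizes. Function names and the MAX_CHUNK bound are assumptions for illustration.

```c
#include <errno.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Assumed upper bound on a single chunk; wget's real limits are not in the message. */
#define MAX_CHUNK (1L << 30)

/* Mirrors the flaw: strtol() happily accepts a leading '-', so a chunk header
 * like "-1\r\n" yields a negative length that nothing rejects. */
long parse_chunk_size_unchecked(const char *line)
{
    return strtol(line, NULL, 16);
}

/* The read-loop step from the description: MIN() against the piece size does
 * not help when remaining is negative, and the conversion to int that the
 * read function's parameter forces drops the high bits of a 64-bit long. */
int next_read_len(long remaining, int piece)
{
    return (int)MIN(remaining, (long)piece);
}

/* Hardened parser: returns -1 for any malformed, negative or oversized size so
 * the caller can abort the transfer instead of reading with a bogus length. */
long parse_chunk_size_checked(const char *line)
{
    char *end;
    errno = 0;
    long n = strtol(line, &end, 16);
    if (end == line)                        /* no hex digits at all */
        return -1;
    if (errno == ERANGE || n < 0 || n > MAX_CHUNK)
        return -1;                          /* overflow, '-' sign, or too big */
    /* Only a chunk extension (';'), a space or CRLF may follow the digits. */
    if (*end != '\0' && *end != ';' && *end != ' ' && *end != '\r' && *end != '\n')
        return -1;
    return n;
}
```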
