[OE-core] [ROCKO][PATCH V2 29/34] wget: CVE-2018-0494
Jagadeesh Krishnanjanappa
jkrishnanjanappa at mvista.com
Wed Aug 22 13:35:35 UTC 2018
Fix cookie injection (CVE-2018-0494)
* src/http.c (resp_new): Replace \r\n by space in continuation lines
Fixes #53763
"Malicious website can write arbitrary cookie entries to cookie jar"
HTTP header parsing left the \r\n from continuation line intact.
The Set-Cookie code didn't check and could be tricked to write
\r\n into the cookie jar, allowing a server to generate cookies at will.
Affects wget < 1.19.5
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
---
.../0001-Fix-cookie-injection-CVE-2018-0494.patch | 68 ++++++++++++++++++++++
meta/recipes-extended/wget/wget_1.19.1.bb | 1 +
2 files changed, 69 insertions(+)
create mode 100644 meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
diff --git a/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
new file mode 100644
index 0000000..ac163e6
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
@@ -0,0 +1,68 @@
+From 1fc9c95ec144499e69dc8ec76dbe07799d7d82cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen at gmx.de>
+Date: Fri, 27 Apr 2018 10:41:56 +0200
+Subject: [PATCH] Fix cookie injection (CVE-2018-0494)
+
+* src/http.c (resp_new): Replace \r\n by space in continuation lines
+
+Fixes #53763
+ "Malicious website can write arbitrary cookie entries to cookie jar"
+
+HTTP header parsing left the \r\n from continuation line intact.
+The Set-Cookie code didn't check and could be tricked to write
+\r\n into the cookie jar, allowing a server to generate cookies at will.
+
+CVE: CVE-2018-0494
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ src/http.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/http.c b/src/http.c
+index c8960f11..77bdbbed 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -613,9 +613,9 @@ struct response {
+ resp_header_*. */
+
+ static struct response *
+-resp_new (const char *head)
++resp_new (char *head)
+ {
+- const char *hdr;
++ char *hdr;
+ int count, size;
+
+ struct response *resp = xnew0 (struct response);
+@@ -644,15 +644,23 @@ resp_new (const char *head)
+ break;
+
+ /* Find the end of HDR, including continuations. */
+- do
++ for (;;)
+ {
+- const char *end = strchr (hdr, '\n');
++ char *end = strchr (hdr, '\n');
++
+ if (end)
+ hdr = end + 1;
+ else
+ hdr += strlen (hdr);
++
++ if (*hdr != ' ' && *hdr != '\t')
++ break;
++
++ // continuation, transform \r and \n into spaces
++ *end = ' ';
++ if (end > head && end[-1] == '\r')
++ end[-1] = ' ';
+ }
+- while (*hdr == ' ' || *hdr == '\t');
+ }
+ DO_REALLOC (resp->headers, size, count + 1, const char *);
+ resp->headers[count] = NULL;
+--
+2.13.3
+
diff --git a/meta/recipes-extended/wget/wget_1.19.1.bb b/meta/recipes-extended/wget/wget_1.19.1.bb
index 78bde95..3c484ce 100644
--- a/meta/recipes-extended/wget/wget_1.19.1.bb
+++ b/meta/recipes-extended/wget/wget_1.19.1.bb
@@ -1,6 +1,7 @@
SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://CVE-2017-6508.patch \
+ file://0001-Fix-cookie-injection-CVE-2018-0494.patch \
"
SRC_URI[md5sum] = "87cea36b7161fd43e3fd51a4e8b89689"
--
2.7.4
More information about the Openembedded-core
mailing list