[OE-core] [thud] 20/30] wget: Security fix for CVE-2019-5953
Armin Kuster
akuster808 at gmail.com
Sun Jul 21 14:25:09 UTC 2019
From: Armin Kuster <akuster at mvista.com>
Source: http://git.savannah.gnu.org/cgit/wget.git
MR: 89341
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b
Description:
Fixes CVE-2019-5953
Affects: < 1.20.1
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../recipes-extended/wget/wget/CVE-2019-5953.patch | 51 ++++++++++++++++++++++
meta/recipes-extended/wget/wget_1.19.5.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-extended/wget/wget/CVE-2019-5953.patch
diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
new file mode 100644
index 0000000..e43e8e5
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
@@ -0,0 +1,51 @@
+From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen at gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: [PATCH] Fix a buffer overflow vulnerability
+
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+ size if it is already full
+
+Upstream-Status: Backport
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
+CVE: CVE-2019-5953
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: wget-1.19.5/src/iri.c
+===================================================================
+--- wget-1.19.5.orig/src/iri.c
++++ wget-1.19.5/src/iri.c
+@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
+ *out = s = xmalloc (outlen + 1);
+ done = 0;
+
++ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
++
+ for (;;)
+ {
++ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+ if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+ iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+ {
+@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
+ }
+ else if (errno == E2BIG) /* Output buffer full */
+ {
++ logprintf (LOG_VERBOSE,
++ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+ tooshort++;
+ done = len;
+- len = outlen = done + inlen * 2;
+- s = xrealloc (s, outlen + 1);
+- *out = s + done;
++ len = done + inlen * 2;
++ s = xrealloc (s, len + 1);
++ *out = s + done - outlen;
++ outlen += inlen * 2;
+ }
+ else /* Weird, we got an unspecified error */
+ {
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index e37d8c7..920b74d 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -1,6 +1,7 @@
SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-improve-reproducibility.patch \
+ file://CVE-2019-5953.patch \
"
SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"
--
2.7.4
More information about the Openembedded-core
mailing list