patches/packages: wget: fix CVE-2019-5953

63cfe593 · Josef Schlehofer · 351497d3 · 63cfe593
Verified Commit 63cfe593 authored 5 years ago by Josef Schlehofer
--- a/patches/packages/to-upstream/0022-wget-fix-CVE-2019-5953.patch
+++ b/patches/packages/to-upstream/0022-wget-fix-CVE-2019-5953.patch
+From 8fe26c98555fb5f58cb3aa3a59007487d96943d0 Mon Sep 17 00:00:00 2001
+From: Josef Schlehofer <pepe.schlehofer@gmail.com>
+Date: Sat, 21 Dec 2019 19:57:15 +0100
+Subject: [PATCH] wget: fix CVE-2019-5953
+
+Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
+---
+ net/wget/Makefile                             |  2 +-
+ ...30-CVE-2019-5953-fix-buffer-overflow.patch | 43 +++++++++++++++++++
+ .../040-remove-unneeded-debug-lines.patch     | 32 ++++++++++++++
+ 3 files changed, 76 insertions(+), 1 deletion(-)
+ create mode 100644 net/wget/patches/030-CVE-2019-5953-fix-buffer-overflow.patch
+ create mode 100644 net/wget/patches/040-remove-unneeded-debug-lines.patch
+
+diff --git a/net/wget/Makefile b/net/wget/Makefile
+index 9d2f094b2..da59e04c1 100644
+--- a/net/wget/Makefile
+++ b/net/wget/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=wget
+ PKG_VERSION:=1.19.5
+-PKG_RELEASE:=3
+PKG_RELEASE:=4
+ 
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+ PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
+diff --git a/net/wget/patches/030-CVE-2019-5953-fix-buffer-overflow.patch b/net/wget/patches/030-CVE-2019-5953-fix-buffer-overflow.patch
+new file mode 100644
+index 000000000..43e369ade
+--- /dev/null
+++ b/net/wget/patches/030-CVE-2019-5953-fix-buffer-overflow.patch
+@@ -0,0 +1,43 @@
+From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: Fix a buffer overflow vulnerability
+
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+  size if it is already full
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/src/iri.c
++++ b/src/iri.c
+@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
+   *out = s = xmalloc (outlen + 1);
+   done = 0;
+ 
++  DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
++
+   for (;;)
+     {
++      DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+       if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+           iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+         {
+@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
+         }
+       else if (errno == E2BIG) /* Output buffer full */
+         {
++          logprintf (LOG_VERBOSE,
++                    _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+           tooshort++;
+           done = len;
+-          len = outlen = done + inlen * 2;
+-          s = xrealloc (s, outlen + 1);
+-          *out = s + done;
++          len = done + inlen * 2;
++          s = xrealloc (s, len + 1);
++          *out = s + done - outlen;
++          outlen += inlen * 2;
+         }
+       else /* Weird, we got an unspecified error */
+         {
+diff --git a/net/wget/patches/040-remove-unneeded-debug-lines.patch b/net/wget/patches/040-remove-unneeded-debug-lines.patch
+new file mode 100644
+index 000000000..532aa288a
+--- /dev/null
+++ b/net/wget/patches/040-remove-unneeded-debug-lines.patch
+@@ -0,0 +1,32 @@
+From 562eacb76a2b64d5dc80a443f0f739bc9ef76c17 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 13:01:57 +0200
+Subject: * src/iri.c (do_conversion): Remove unneeded debug lines
+
+---
+ src/iri.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/src/iri.c
++++ b/src/iri.c
+@@ -151,11 +151,8 @@ do_conversion (const char *tocode, const
+   *out = s = xmalloc (outlen + 1);
+   done = 0;
+ 
+-  DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
+-
+   for (;;)
+     {
+-      DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+       if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+           iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+         {
+@@ -190,8 +187,6 @@ do_conversion (const char *tocode, const
+         }
+       else if (errno == E2BIG) /* Output buffer full */
+         {
+-          logprintf (LOG_VERBOSE,
+-                    _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+           tooshort++;
+           done = len;
+           len = done + inlen * 2;
+-- 
+2.24.1
+