Hello community, here is the log from the commit of package wget for openSUSE:Factory checked in at 2017-10-25 17:44:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wget (Old) and /work/SRC/openSUSE:Factory/.wget.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wget" Wed Oct 25 17:44:47 2017 rev:48 rq:536254 version:1.19.1 Changes: -------- --- /work/SRC/openSUSE:Factory/wget/wget.changes 2017-09-25 13:54:20.293703921 +0200 +++ /work/SRC/openSUSE:Factory/.wget.new/wget.changes 2017-10-25 17:44:49.475009202 +0200 @@ -1,0 +2,9 @@ +Tue Oct 24 07:07:32 UTC 2017 - [email protected] + +- Fixed two stack overflow vulnerabilities if a chunksize is + negative. + [bsc#1064715,wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch, + bsc#1064716,wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch, + CVE-2017-13089,CVE-2017-13090] + +------------------------------------------------------------------- New: ---- wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wget.spec ++++++ --- /var/tmp/diff_new_pack.vGvqzn/_old 2017-10-25 17:44:50.310969967 +0200 +++ /var/tmp/diff_new_pack.vGvqzn/_new 2017-10-25 17:44:50.310969967 +0200 @@ -35,6 +35,8 @@ Patch8: wget-errno-clobber.patch Patch9: wget-CVE-2017-6508.patch Patch10: wget-416-but-file-not-complete.patch +Patch11: wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch +Patch12: wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch BuildRequires: automake BuildRequires: gpgme-devel >= 0.4.2 BuildRequires: libcares-devel @@ -83,6 +85,8 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build %if 0%{?suse_version} > 1110 ++++++ wget-stack-overflow-on-negative-chunksize-CVE-2017-13089.patch ++++++ >From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]> Date: Fri, 20 Oct 2017 10:59:38 +0200 Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling (CVE-2017-13089) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/http.c (skip_short_body): Return error on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/http.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/http.c b/src/http.c index 55367688..dc318231 100644 --- a/src/http.c +++ b/src/http.c @@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked) remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + return false; + if (remaining_chunk_size == 0) { line = fd_read_line (fd); ++++++ wget-stack-overflow-on-negative-chunksize-CVE-2017-13090.patch ++++++ >From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]> Date: Fri, 20 Oct 2017 15:15:47 +0200 Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling (CVE-2017-13090) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/retr.c (fd_read_body): Stop processing on negative chunk size Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint Reported-by: Juhani Eronen from Finnish National Cyber Security Centre --- src/retr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/retr.c b/src/retr.c index a27d58af..723ac725 100644 --- a/src/retr.c +++ b/src/retr.c @@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, remaining_chunk_size = strtol (line, &endl, 16); xfree (line); + if (remaining_chunk_size < 0) + { + ret = -1; + break; + } + if (remaining_chunk_size == 0) { ret = 0;
