Fix cookie injection (CVE-2018-0494) * src/http.c (resp_new): Replace \r\n by space in continuation lines
Fixes #53763 "Malicious website can write arbitrary cookie entries to cookie jar" HTTP header parsing left the \r\n from continuation line intact. The Set-Cookie code didn't check and could be tricked to write \r\n into the cookie jar, allowing a server to generate cookies at will. Affects wget < 1.19.5 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> --- .../0001-Fix-cookie-injection-CVE-2018-0494.patch | 68 ++++++++++++++++++++++ meta/recipes-extended/wget/wget_1.19.1.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch diff --git a/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch new file mode 100644 index 0000000..ac163e6 --- /dev/null +++ b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch @@ -0,0 +1,68 @@ +From 1fc9c95ec144499e69dc8ec76dbe07799d7d82cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de> +Date: Fri, 27 Apr 2018 10:41:56 +0200 +Subject: [PATCH] Fix cookie injection (CVE-2018-0494) + +* src/http.c (resp_new): Replace \r\n by space in continuation lines + +Fixes #53763 + "Malicious website can write arbitrary cookie entries to cookie jar" + +HTTP header parsing left the \r\n from continuation line intact. +The Set-Cookie code didn't check and could be tricked to write +\r\n into the cookie jar, allowing a server to generate cookies at will. + +CVE: CVE-2018-0494 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> +--- + src/http.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/http.c b/src/http.c +index c8960f11..77bdbbed 100644 +--- a/src/http.c ++++ b/src/http.c +@@ -613,9 +613,9 @@ struct response { + resp_header_*. */ + + static struct response * +-resp_new (const char *head) ++resp_new (char *head) + { +- const char *hdr; ++ char *hdr; + int count, size; + + struct response *resp = xnew0 (struct response); +@@ -644,15 +644,23 @@ resp_new (const char *head) + break; + + /* Find the end of HDR, including continuations. */ +- do ++ for (;;) + { +- const char *end = strchr (hdr, '\n'); ++ char *end = strchr (hdr, '\n'); ++ + if (end) + hdr = end + 1; + else + hdr += strlen (hdr); ++ ++ if (*hdr != ' ' && *hdr != '\t') ++ break; ++ ++ // continuation, transform \r and \n into spaces ++ *end = ' '; ++ if (end > head && end[-1] == '\r') ++ end[-1] = ' '; + } +- while (*hdr == ' ' || *hdr == '\t'); + } + DO_REALLOC (resp->headers, size, count + 1, const char *); + resp->headers[count] = NULL; +-- +2.13.3 + diff --git a/meta/recipes-extended/wget/wget_1.19.1.bb b/meta/recipes-extended/wget/wget_1.19.1.bb index 78bde95..3c484ce 100644 --- a/meta/recipes-extended/wget/wget_1.19.1.bb +++ b/meta/recipes-extended/wget/wget_1.19.1.bb @@ -1,6 +1,7 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://CVE-2017-6508.patch \ + file://0001-Fix-cookie-injection-CVE-2018-0494.patch \ " SRC_URI[md5sum] = "87cea36b7161fd43e3fd51a4e8b89689" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core