1 files changed, 59 insertions, 0 deletions
diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
new file mode 100644
index 0000000..c05c75b
--- /dev/null
+++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
+From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:13:07 +0200
+Subject: [PATCH] wget: check chunk length for overflowing off_t
+function                                             old     new   delta
+retrieve_file_data                                   428     465     +37
+wget_main                                           2386    2389      +3
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes
+CVE: CVE-2018-1000517
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ networking/wget.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+diff --git a/networking/wget.c b/networking/wget.c
+index d4a9c0c..b525d6a 100644
+--- a/networking/wget.c
+++ b/networking/wget.c
+@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
+        if (ftpcmd("SIZE ", target->path, sfp) == 213) {
+                G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
+                if (G.content_len < 0 || errno) {
+-                       bb_error_msg_and_die("SIZE value is garbage");
+                       bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
+                }
+                G.got_clen = 1;
+        }
+@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
+ #endif
+                if (!G.chunked)
+                        break;
+-
+-               fgets_and_trim(dfp); /* Eat empty line */
+               
+               /* Each chunk ends with "\r\n" - eat it */
+               fgets_and_trim(dfp);
+  get_clen:
+               /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+                fgets_and_trim(dfp);
+               errno = 0;
+                G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
+-               /* FIXME: error check? */
+               /*
+                * Had a bug with inputs like "ffffffff0001f400"
+                * smashing the heap later. Ensure >= 0.
+                */
+               if (G.content_len < 0 || errno)
+                       bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
+                if (G.content_len == 0)
+                        break; /* all done! */
+                G.got_clen = 1;

diff --git a/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch new file mode 100644 index 0000000..c05c75b --- /dev/null +++ b/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
@@ -0,0 +1,59 @@
	1	From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 13:13:07 +0200
	4	Subject: [PATCH] wget: check chunk length for overflowing off_t
	5
	6	function old new delta
	7	retrieve_file_data 428 465 +37
	8	wget_main 2386 2389 +3
	9	------------------------------------------------------------------------------
	10	(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes
	11
	12	CVE: CVE-2018-1000517
	13	Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]
	14
	15	Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
	16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	17	---
	18	networking/wget.c \| 16 ++++++++++++----
	19	1 file changed, 12 insertions(+), 4 deletions(-)
	20
	21	diff --git a/networking/wget.c b/networking/wget.c
	22	index d4a9c0c..b525d6a 100644
	23	--- a/networking/wget.c
	24	+++ b/networking/wget.c
	25	@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE *dfpp, struct host_info target, len_and_
	26	if (ftpcmd("SIZE ", target->path, sfp) == 213) {
	27	G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
	28	if (G.content_len < 0 \|\| errno) {
	29	- bb_error_msg_and_die("SIZE value is garbage");
	30	+ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
	31	}
	32	G.got_clen = 1;
	33	}
	34	@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
	35	#endif
	36	if (!G.chunked)
	37	break;
	38	-
	39	- fgets_and_trim(dfp); /* Eat empty line */
	40	+
	41	+ /* Each chunk ends with "\r\n" - eat it */
	42	+ fgets_and_trim(dfp);
	43	get_clen:
	44	+ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
	45	fgets_and_trim(dfp);
	46	+ errno = 0;
	47	G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
	48	- /* FIXME: error check? */
	49	+ /*
	50	+ * Had a bug with inputs like "ffffffff0001f400"
	51	+ * smashing the heap later. Ensure >= 0.
	52	+ */
	53	+ if (G.content_len < 0 \|\| errno)
	54	+ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
	55	if (G.content_len == 0)
	56	break; /* all done! */
	57	G.got_clen = 1;
	58
	59