wget: Security fix for CVE-2019-5953

Source: http://git.savannah.gnu.org/cgit/wget.git MR: 89341 Type: Security Fix Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b Description: Fixes CVE-2019-5953 Affects: < 1.20.1 (From OE-Core rev: c897b862c6cfaa341cc6155b2c9d98ea7ad02884) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-06-05 13:26:58 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: 21188466bc0d40bcca0ac74363177e2e3632d457 (patch)
tree: 97c2fe10071735bc8db5849aff9c538b3b340e9d
parent: f2d2148adba3d989f5f061b194fe57bd67ee215b (diff)
download: poky-21188466bc0d40bcca0ac74363177e2e3632d457.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
new file mode 100644
index 0000000000..e43e8e545b
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
@@ -0,0 +1,51 @@
+From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: [PATCH] Fix a buffer overflow vulnerability
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+  size if it is already full
+Upstream-Status: Backport
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
+CVE: CVE-2019-5953
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+Index: wget-1.19.5/src/iri.c
+===================================================================
+--- wget-1.19.5.orig/src/iri.c
+++ wget-1.19.5/src/iri.c
+@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
+   *out = s = xmalloc (outlen + 1);
+   done = 0;
+ 
+  DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
+
+   for (;;)
+     {
+      DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+       if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+           iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+         {
+@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
+         }
+       else if (errno == E2BIG) /* Output buffer full */
+         {
+          logprintf (LOG_VERBOSE,
+                    _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+           tooshort++;
+           done = len;
+-          len = outlen = done + inlen * 2;
+-          s = xrealloc (s, outlen + 1);
+-          *out = s + done;
+          len = done + inlen * 2;
+          s = xrealloc (s, len + 1);
+          *out = s + done - outlen;
+          outlen += inlen * 2;
+         }
+       else /* Weird, we got an unspecified error */
+         {
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index e37d8c7847..920b74de1b 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -1,6 +1,7 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
           file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
           file://0002-improve-reproducibility.patch \
+           file://CVE-2019-5953.patch \
          "
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"
author	Armin Kuster <akuster@mvista.com>	2019-06-05 13:26:58 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	21188466bc0d40bcca0ac74363177e2e3632d457 (patch)
tree	97c2fe10071735bc8db5849aff9c538b3b340e9d
parent	f2d2148adba3d989f5f061b194fe57bd67ee215b (diff)
download	poky-21188466bc0d40bcca0ac74363177e2e3632d457.tar.gz

diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch new file mode 100644 index 0000000000..e43e8e545b --- /dev/null +++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
@@ -0,0 +1,51 @@
		1	From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
		2	From: Tim Ruehsen <tim.ruehsen@gmx.de>
		3	Date: Fri, 5 Apr 2019 11:50:44 +0200
		4	Subject: [PATCH] Fix a buffer overflow vulnerability
		5
		6	* src/iri.c(do_conversion): Reallocate the output buffer to a larger
		7	size if it is already full
		8
		9	Upstream-Status: Backport
		10	http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
		11	CVE: CVE-2019-5953
		12	Signed-off-by: Armin Kuster <akuster@mvista.com>
		13
		14	---
		15	src/iri.c \| 12 +++++++++---
		16	1 file changed, 9 insertions(+), 3 deletions(-)
		17
		18	Index: wget-1.19.5/src/iri.c
		19	===================================================================
		20	--- wget-1.19.5.orig/src/iri.c
		21	+++ wget-1.19.5/src/iri.c
		22	@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
		23	*out = s = xmalloc (outlen + 1);
		24	done = 0;
		25
		26	+ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
		27	+
		28	for (;;)
		29	{
		30	+ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
		31	if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
		32	iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
		33	{
		34	@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
		35	}
		36	else if (errno == E2BIG) /* Output buffer full */
		37	{
		38	+ logprintf (LOG_VERBOSE,
		39	+ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
		40	tooshort++;
		41	done = len;
		42	- len = outlen = done + inlen * 2;
		43	- s = xrealloc (s, outlen + 1);
		44	- *out = s + done;
		45	+ len = done + inlen * 2;
		46	+ s = xrealloc (s, len + 1);
		47	+ *out = s + done - outlen;
		48	+ outlen += inlen * 2;
		49	}
		50	else /* Weird, we got an unspecified error */
		51	{


diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb index e37d8c7847..920b74de1b 100644 --- a/meta/recipes-extended/wget/wget_1.19.5.bb +++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -1,6 +1,7 @@
1	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \	1	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
2	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \	2	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
3	file://0002-improve-reproducibility.patch \	3	file://0002-improve-reproducibility.patch \
		4	file://CVE-2019-5953.patch \
4	"	5	"
5		6
6	SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"	7	SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"