author | Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org> | 2019-10-02 23:07:35 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-10 16:52:30 +0100 |
commit | 93cde0830101b26e598f7366fbaccb3f493d1f7f (patch) | |
tree | 0551e52402981462132b0faa27f9fdd16ad34cd8 /meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch | |
parent | 6d5867a94c153ba058689ff33129d73cf4158a1e (diff) | |
download | poky-93cde0830101b26e598f7366fbaccb3f493d1f7f.tar.gz |
wget: Security fixes CVE-2018-20483
Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description:
Fixes CVE-2018-20483
(From OE-Core rev: c901bc8cd9de5853185af2059c6f1efeb4ccdd60)
Signed-off-by: Aviraj CJ <acj@cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch')
-rw-r--r-- | meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch | 127 |
1 files changed, 127 insertions, 0 deletions
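--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+src/ftp.c | 2 +-
+src/http.c | 4 ++--
+src/xattr.c | 24 ++++++++++++++++++++----
+src/xattr.h | 3 ++-
+4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+#ifdef ENABLE_XATTR
+if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+#endif
+
+fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+if (opt.enable_xattr)
+{
+if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+}
+#endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+#include <string.h>
+
+#include "log.h"
++#include "utils.h"
+#include "xattr.h"
+
+#ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+#endif /* USE_XATTR */
+
+int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+{
+/* Save metadata about where the file came from (requested, final URLs) to
+* user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+* [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+*/
+int retval = -1;
++ char *value;
+
+if (!origin_url || !fp)
+return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+return retval;
+}
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
++#include <url.h>
+
+#ifndef _XATTR_H
+#define _XATTR_H
+
+/* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+#if defined(__linux)
+/* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+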
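Review bot: In the src/xattr.c hunk, `url_string (origin_url, URL_AUTH_HIDE)` strips only the user and password, so the value written to `user.xdg.origin.url` still holds the full path and query string, while the referrer a few lines below is reduced to scheme, host and port. Secrets carried in the query (signed links, API keys passed as parameters) would presumably stay readable to anyone able to read the file's extended attributes. If keeping the path and query is deliberate, I would say so above the call, e.g. `/* Only user:password is removed; path and query are stored unchanged. */`. As a small readability point, `url_string (&u, 0)` could name the mode: `url_string (&u, URL_AUTH_SHOW);`.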