Hi No??l On Fri, Apr 05, 2019 at 02:42:48PM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Thu, Apr 04, 2019 at 01:07:37PM +0200, Salvatore Bonaccorso wrote: > > Hi, > > > > On Thu, Apr 04, 2019 at 12:40:32PM +0200, Salvatore Bonaccorso wrote: > > > Source: wget > > > Version: 1.20.1-1 > > > Severity: important > > > Tags: security upstream fixed-upstream > > > > > > Hi, > > > > > > The following vulnerability was published for wget. > > > > > > CVE-2019-5953[0]: > > > Buffer overflow vulnerability > > > > > > It was mentioned in the 1.20.2 release, [1]. It might be related to > > > [2], but not sure as the references do not give much details. > > > > > > If you fix the vulnerability please also make sure to include the > > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > > > For further information see: > > > > > > [0] https://security-tracker.debian.org/tracker/CVE-2019-5953 > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953 > > > [1] https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00012.html > > > [2] > > > https://git.savannah.gnu.org/cgit/wget.git/commit/?id=5d87635c66aaa01bdf95f6b093b66c3d2768b696 > > > > Sorry, just to be clear, it is not confirmed that either > > 5d87635c66aaa01bdf95f6b093b66c3d2768b696 or maybe would be meant. > > CVE-2019-5953 is associated with a 'buffer overflow vulnerability' > > fixed in 1.20.2 but is without details so far. > > Actually given > https://git.savannah.gnu.org/cgit/wget.git/commit/?id=a220ead43505bc3e0ea8efb1572919111dbbf6dc > the real fix would be > https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c > and is only in 1.20.3 but not in 1.20.2.
I have uploaded 1.18-5+deb9u3 for stretch-security with the attached patch. Attached is as well proposed debdiff for unstable (and to reach buster after an unblock). Are you fine if I upload that or would you like to take care of it? Regards, Salvatore
From: Tim Ruehsen <tim.rueh...@gmx.de> Date: Fri, 5 Apr 2019 11:50:44 +0200 Subject: Fix a buffer overflow vulnerability Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c, https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953 Bug-Debian: https://bugs.debian.org/926389 * src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full --- src/iri.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/src/iri.c +++ b/src/iri.c @@ -182,9 +182,10 @@ do_conversion (const char *tocode, const { tooshort++; done = len; - len = outlen = done + inlen * 2; - s = xrealloc (s, outlen + 1); - *out = s + done; + len = done + inlen * 2; + s = xrealloc (s, len + 1); + *out = s + done - outlen; + outlen += inlen * 2; } else /* Weird, we got an unspecified error */ {
diff -Nru wget-1.20.1/debian/changelog wget-1.20.1/debian/changelog --- wget-1.20.1/debian/changelog 2018-12-27 18:53:18.000000000 +0100 +++ wget-1.20.1/debian/changelog 2019-04-05 15:36:38.000000000 +0200 @@ -1,3 +1,10 @@ +wget (1.20.1-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 05 Apr 2019 15:36:38 +0200 + wget (1.20.1-1) unstable; urgency=high * new upstream release 2018-12-26 diff -Nru wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch --- wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch 1970-01-01 01:00:00.000000000 +0100 +++ wget-1.20.1/debian/patches/Fix-a-buffer-overflow-vulnerability.patch 2019-04-05 15:36:38.000000000 +0200 @@ -0,0 +1,30 @@ +From: Tim Ruehsen <tim.rueh...@gmx.de> +Date: Fri, 5 Apr 2019 11:50:44 +0200 +Subject: Fix a buffer overflow vulnerability +Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c, + https://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5953 +Bug-Debian: https://bugs.debian.org/926389 + +* src/iri.c(do_conversion): Reallocate the output buffer to a larger + size if it is already full +--- + src/iri.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/src/iri.c ++++ b/src/iri.c +@@ -189,9 +189,10 @@ do_conversion (const char *tocode, const + { + tooshort++; + done = len; +- len = outlen = done + inlen * 2; +- s = xrealloc (s, outlen + 1); +- *out = s + done; ++ len = done + inlen * 2; ++ s = xrealloc (s, len + 1); ++ *out = s + done - outlen; ++ outlen += inlen * 2; + } + else /* Weird, we got an unspecified error */ + { diff -Nru wget-1.20.1/debian/patches/series wget-1.20.1/debian/patches/series --- wget-1.20.1/debian/patches/series 2018-12-15 18:07:46.000000000 +0100 +++ wget-1.20.1/debian/patches/series 2019-04-05 15:36:38.000000000 +0200 @@ -1,3 +1,4 @@ wget-doc-remove-usr-local-in-sample.wgetrc wget-doc-remove-usr-local-in-wget.texi wget-passive_ftp-default +Fix-a-buffer-overflow-vulnerability.patch
