authorJakub Jirutka <jakub@jirutka.cz>2018-05-13 19:29:04 +0000
committerJakub Jirutka <jakub@jirutka.cz>2018-05-13 21:32:06 +0200
commit216de6f087c9096374a5b94d109a6fac300d7495 (patch)
treedae0d77b4251a7544a13b3e27bb4465a21248fe8
parente10ec9bc1b1ba649892df0d8f7c116a1172e51a3 (diff)
downloadaports-216de6f087c9096374a5b94d109a6fac300d7495.tar.bz2
aports-216de6f087c9096374a5b94d109a6fac300d7495.tar.xz
main/wget: fix CVE-2018-0494
-rw-r--r--main/wget/APKBUILD14
-rw-r--r--main/wget/CVE-2018-0494.patch65
2 files changed, 75 insertions, 4 deletions
diff --git a/main/wget/APKBUILD b/main/wget/APKBUILD
index 6327eb9188..d17d784ce0 100644
--- a/main/wget/APKBUILD
+++ b/main/wget/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=wget
pkgver=1.18
-pkgrel=2
+pkgrel=3
pkgdesc="A network utility to retrieve files from the Web"
url="http://www.gnu.org/software/wget/wget.html"
arch="all"
@@ -16,10 +16,13 @@ source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
CVE-2017-6508.patch
CVE-2017-13089.patch
CVE-2017-13090.patch
+ CVE-2018-0494.patch
"
# secfixes:
# 1.18-r3:
+# - CVE-2018-0494
+# 1.18-r2:
# - CVE-2017-13089
# - CVE-2017-13090
# 1.18-r1:
@@ -64,12 +67,15 @@ package() {
md5sums="fc2debd8399e3b933a9b226794e2a886 wget-1.18.tar.gz
142f1d01db302e1429673701472df182 CVE-2017-6508.patch
61d7441aca33e5d241fe11446e24788c CVE-2017-13089.patch
-878db4645e5f3fc4530451082ba3fdea CVE-2017-13090.patch"
+878db4645e5f3fc4530451082ba3fdea CVE-2017-13090.patch
+f94bf8d4b9cc860bdba673675c6c6af1 CVE-2018-0494.patch"
sha256sums="a00a65fab84cc46e24c53ce88c45604668a7a479276e037dc2f558e34717fb2d wget-1.18.tar.gz
f298bc740e32a5b14b61ff08a40a671221e7e8238268624211751174092b5451 CVE-2017-6508.patch
aa96a018d22bee3dbe74dde79fed22dbd98eec9ed9f44a4f808b88f301a2fbd3 CVE-2017-13089.patch
-62313e680d66869b2ecb72031cd3695dedcd626b551bc92dfe62695c2c456317 CVE-2017-13090.patch"
+62313e680d66869b2ecb72031cd3695dedcd626b551bc92dfe62695c2c456317 CVE-2017-13090.patch
+01bce320cbdf101fd8e892b7cc3ebfe906330c21a3c0f0b0dfdad8b2945a0ea2 CVE-2018-0494.patch"
sha512sums="a6c31ea7161e5af1552713edc6d9e386e4d63e53660bedbc4b099c7a4c7bbbdfedb4fc8abea67158899dee82b6331c87b1f2a9cb14cbcbcfa6e19a7fdf26b0a1 wget-1.18.tar.gz
b640db3aaadb6d25b8391bbf1b6c4d8d07bd7200f9dd21502ff9533e4e356a1c55dd252c9bc2c6e27dcc8d41596e0890ff460c80a0a06166c7bb63e112824e1b CVE-2017-6508.patch
558133780d0b0f86f7a623c8c3924a11f9ccea711437a6b42e54177d2a6fa5889748f4317e4551a5d6ae576ff96e3915e3e8cd490cf12b6894b2d16c36a23233 CVE-2017-13089.patch
-2c43dccc17458cc4765e5f5d15a45c7d7581440e6e09b9eb164e976659132f34f1bfb3b0c4e2b0d588520cc43f60b718fcbfa5d1c4c21e203289b033b48f0fab CVE-2017-13090.patch"
+2c43dccc17458cc4765e5f5d15a45c7d7581440e6e09b9eb164e976659132f34f1bfb3b0c4e2b0d588520cc43f60b718fcbfa5d1c4c21e203289b033b48f0fab CVE-2017-13090.patch
+9137c687475eb107c5b6aba7e31ab20d6bf8da1937359bc956b1d3160f9153e4a13f19c4311e9c478533dc23d4a0c0d006404d9b21c973aded70ce1aa4e78160 CVE-2018-0494.patch"
diff --git a/main/wget/CVE-2018-0494.patch b/main/wget/CVE-2018-0494.patch
new file mode 100644
index 0000000000..50887cecd9
--- /dev/null
+++ b/main/wget/CVE-2018-0494.patch
@@ -0,0 +1,65 @@
+From 1fc9c95ec144499e69dc8ec76dbe07799d7d82cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Fri, 27 Apr 2018 10:41:56 +0200
+Subject: Fix cookie injection (CVE-2018-0494)
+
+* src/http.c (resp_new): Replace \r\n by space in continuation lines
+
+Fixes #53763
+ "Malicious website can write arbitrary cookie entries to cookie jar"
+
+HTTP header parsing left the \r\n from continuation line intact.
+The Set-Cookie code didn't check and could be tricked to write
+\r\n into the cookie jar, allowing a server to generate cookies at will.
+
+Patch-Source: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd
+---
+ src/http.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/http.c b/src/http.c
+index c8960f1..77bdbbe 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -613,9 +613,9 @@ struct response {
+ resp_header_*. */
+
+ static struct response *
+-resp_new (const char *head)
++resp_new (char *head)
+ {
+- const char *hdr;
++ char *hdr;
+ int count, size;
+
+ struct response *resp = xnew0 (struct response);
+@@ -644,15 +644,23 @@ resp_new (const char *head)
+ break;
+
+ /* Find the end of HDR, including continuations. */
+- do
++ for (;;)
+ {
+- const char *end = strchr (hdr, '\n');
++ char *end = strchr (hdr, '\n');
++
+ if (end)
+ hdr = end + 1;
+ else
+ hdr += strlen (hdr);
++
++ if (*hdr != ' ' && *hdr != '\t')
++ break;
++
++ // continuation, transform \r and \n into spaces
++ *end = ' ';
++ if (end > head && end[-1] == '\r')
++ end[-1] = ' ';
+ }
+- while (*hdr == ' ' || *hdr == '\t');
+ }
+ DO_REALLOC (resp->headers, size, count + 1, const char *);
+ resp->headers[count] = NULL;
+--
+cgit v1.0-41-gc330
+
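Review bot: In the new `for (;;)` loop of resp_new, the write `*end = ' ';` is safe only because a NULL `end` leaves `hdr` on the terminating NUL, which fails the space/tab test and breaks out before the write; that invariant is implicit and easy to lose in a later edit. I would state it directly above the write, e.g. `/* end is non-NULL here: without a '\n', hdr is at the NUL and the loop has already exited */`. resp_new now also rewrites its argument in place (the parameter changed from `const char *` to `char *`), so the function's header comment, which begins outside this hunk, should say that `head` must be writable and is modified. The commit message notes that the Set-Cookie code did not check for \r\n; this hunk normalises only continuation lines in the header parser, so a control-character check at the point where cookies are written to the jar would presumably still be worthwhile as a second layer, though that code is not visible here.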