[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: wget 1.19.4 has a buffer overflow vulnerability when formating total
From: |
Tim Rühsen |
Subject: |
Re: wget 1.19.4 has a buffer overflow vulnerability when formating total download time |
Date: |
Tue, 10 Dec 2019 19:59:44 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 |
Thanks,
it's discussed at https://savannah.gnu.org/bugs/?54126. Feel free to add
information.
Regards, Tim
On 10.12.19 08:28, JunDong Xie wrote:
> This bug is in progress.c, create_image function.
> ```
> else
> {
> /* When the download is done, print the elapsed time. */
> int nbytes;
> int ncols;
>
> /* Note to translators: this should not take up more room than
> available here (6 columns). Abbreviate if necessary. */
> strcpy (p, _(" in "));
> nbytes = strlen (p);
> ncols = count_cols (p); //(1) ncols is 9 in my environment
> bytes_cols_diff = nbytes - ncols;
> if (dl_total_time >= 10)
> ncols += sprintf (p + nbytes, "%s", eta_to_human_short ((int)
> (dl_total_time + 0.5), false)); //(2) eta_to_human_short may return a string
> like '17m 20s' which length is 7. ncols is 0x10 now.
> else
> ncols += sprintf (p + nbytes, "%ss", print_decimal (dl_total_time));
> p += ncols + bytes_cols_diff;
> memset (p, ' ', PROGRESS_ETA_LEN - ncols); // (3) PROGRESS_ETA_LEN is
> 15. so the third parameter of memset becomes -1, which cause a buffer
> overflow in heap.
> p += PROGRESS_ETA_LEN - ncols;
> }
> ```
> when the download is done, wget needs to print the elapsed time. In (1),
> ncols is assigned 9. In (2), the longest length of string returned by
> eta_to_human_short is 7, which causes ncols becomes 0x10. In (3),
> PROGRESS_ETA_LEN - ncols is less than zero and there is no check here.
> memset’s third parameter is an unsigned integer, so it is an integer
> underflow, which causes out-of-bounds write in heap.
>
> Below is my wget version.
> ```
> wget --version dddong@dddong-vm-ubuntu-18
> GNU Wget 1.19.4 在 linux-gnu 上编译。
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
> +ntlm +opie +psl +ssl/openssl
>
> Wgetrc:
> /etc/wgetrc (系统)
> locale:
> /usr/share/locale
> compile:
> gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
> -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
> -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -DHAVE_LIBSSL -DNDEBUG
> -g -O2 -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
> link:
> gcc -DHAVE_LIBSSL -DNDEBUG -g -O2
> -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
> -Wl,-z,relro -Wl,-z,now -lpcre -luuid -lidn2 -lssl -lcrypto -lpsl
> ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
>
> ```
>
> It is quite annoying me when download large files which often causes wget to
> crash. Hope for your reply!
>
signature.asc
Description: OpenPGP digital signature