bug-wget
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget 1.19.4 has a buffer overflow vulnerability when formating total

From: Tim Rühsen
Subject: Re: wget 1.19.4 has a buffer overflow vulnerability when formating total download time
Date: Tue, 10 Dec 2019 19:59:44 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 
Thanks,

it's discussed at https://savannah.gnu.org/bugs/?54126. Feel free to add
information.

Regards, Tim

On 10.12.19 08:28, JunDong Xie wrote:
> This bug is in progress.c, create_image function. 
> ```
> else
>     {
>       /* When the download is done, print the elapsed time.  */
>       int nbytes;
>       int ncols;
> 
>       /* Note to translators: this should not take up more room than
>          available here (6 columns).  Abbreviate if necessary.  */
>       strcpy (p, _("    in "));
>       nbytes = strlen (p);
>       ncols  = count_cols (p); //(1) ncols is 9 in my environment
>       bytes_cols_diff = nbytes - ncols;
>       if (dl_total_time >= 10)
>         ncols += sprintf (p + nbytes, "%s",  eta_to_human_short ((int) 
> (dl_total_time + 0.5), false)); //(2) eta_to_human_short may return a string 
> like '17m 20s' which length is 7. ncols is 0x10 now. 
>       else
>         ncols += sprintf (p + nbytes, "%ss", print_decimal (dl_total_time));
>       p += ncols + bytes_cols_diff;
>       memset (p, ' ', PROGRESS_ETA_LEN - ncols); // (3) PROGRESS_ETA_LEN is 
> 15. so the third parameter of memset becomes -1, which cause a buffer 
> overflow in heap.
>       p += PROGRESS_ETA_LEN - ncols;
>     }
> ```
> when the download is done, wget needs to print the elapsed time. In (1), 
> ncols is assigned 9. In (2), the longest length of string returned by 
> eta_to_human_short is 7, which causes ncols becomes 0x10. In (3), 
> PROGRESS_ETA_LEN - ncols is less than zero and there is no check here. 
> memset’s third parameter is an unsigned integer, so it is an integer 
> underflow, which causes out-of-bounds write in heap. 
> 
> Below is my wget version.
> ```
>  wget --version           dddong@dddong-vm-ubuntu-18
> GNU Wget 1.19.4 在 linux-gnu 上编译。
> 
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
> +ntlm +opie +psl +ssl/openssl
> 
> Wgetrc:
>     /etc/wgetrc (系统)
> locale:
>     /usr/share/locale
> compile:
>     gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
>     -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
>     -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -DHAVE_LIBSSL -DNDEBUG
>     -g -O2 -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
>     -fstack-protector-strong -Wformat -Werror=format-security
>     -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
> link:
>     gcc -DHAVE_LIBSSL -DNDEBUG -g -O2
>     -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
>     -fstack-protector-strong -Wformat -Werror=format-security
>     -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
>     -Wl,-z,relro -Wl,-z,now -lpcre -luuid -lidn2 -lssl -lcrypto -lpsl
>     ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
> 
> ```
> 
> It is quite annoying me when download large files which often causes wget to 
> crash. Hope for your reply! 
>

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]