Package: wget / 1.18-5+deb9u3

Fix-cookie-injection-CVE-2018-0494.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 27 Apr 2018 10:41:56 +0200
Subject: Fix cookie injection (CVE-2018-0494)
Origin: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd
Bug-Debian: https://bugs.debian.org/898076
Bug: https://savannah.gnu.org/bugs/?53763
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-0494

* src/http.c (resp_new): Replace \r\n by space in continuation lines

Fixes #53763
 "Malicious website can write arbitrary cookie entries to cookie jar"

HTTP header parsing left the \r\n from continuation line intact.
The Set-Cookie code didn't check and could be tricked to write
\r\n into the cookie jar, allowing a server to generate cookies at will.
---
 src/http.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/http.c b/src/http.c
index c8960f11..77bdbbed 100644
--- a/src/http.c
+++ b/src/http.c
@@ -613,9 +613,9 @@ struct response {
    resp_header_*.  */
 
 static struct response *
-resp_new (const char *head)
+resp_new (char *head)
 {
-  const char *hdr;
+  char *hdr;
   int count, size;
 
   struct response *resp = xnew0 (struct response);
@@ -644,15 +644,23 @@ resp_new (const char *head)
         break;
 
       /* Find the end of HDR, including continuations. */
-      do
+      for (;;)
         {
-          const char *end = strchr (hdr, '\n');
+          char *end = strchr (hdr, '\n');
+
           if (end)
             hdr = end + 1;
           else
             hdr += strlen (hdr);
+
+          if (*hdr != ' ' && *hdr != '\t')
+            break;
+
+          // continuation, transform \r and \n into spaces
+          *end = ' ';
+          if (end > head && end[-1] == '\r')
+            end[-1] = ' ';
         }
-      while (*hdr == ' ' || *hdr == '\t');
     }
   DO_REALLOC (resp->headers, size, count + 1, const char *);
   resp->headers[count] = NULL;
-- 
2.17.0