bug-wget
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget 1.19.4 has a buffer overflow vulnerability when formating total

From: Tim Rühsen
Subject: Re: wget 1.19.4 has a buffer overflow vulnerability when formating total download time
Date: Thu, 12 Dec 2019 22:20:27 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0 
Hi JunDong Xie,

today I fixed a bunch of issues found by fuzzing in the progress (bar +
dot) code. The 'filename scrolling' part of the progress bar needed to
be disabled and likely has to be rewritten.

The changes are in branch 'tmp-progress-fuzzer' in
https://gitlab.com/gnuwget/wget.git.

Is it possible that you build wget from that branch and test it ?
If you report success, the changes can be pushed to master.

Regards, Tim

On 11.12.19 17:18, Tim Rühsen wrote:
> Hi,
> 
> today I wrote a fuzzer to test the progress code. After fixing several
> buffer and integer overflows even more and more pop up. It looks like
> the progress code has never been thoroughly tested for non-ASCII
> locales. And this is just the "bar" progress code.
> 
> Fixing this needs more time than I currently have.
> If someone wants to work on it, I would share the fuzzer plus all the
> instructions to build and use it.
> 
> Regards, Tim
> 
> On 12/11/19 10:00 AM, Tim Rühsen wrote:
>> Oh, sorry about that.
>>
>> You are right - and thanks for your tracing/comments.
>>
>> The code is really makes some unsafe assumptions. Together with insecure
>> programming it's the best recipe for memory bugs.
>>
>> I will try to reproduce the issue with the latest sources.
>> It would be great if you can open a new issue for this in the meantime.
>>
>> Thank you, Tim
>>
>> On 12/11/19 7:44 AM, JunDong Xie wrote:
>>> Thanks, but I suppose that my issue is different from the post. It is not a 
>>> long filename related issue, it is related to the display of total download 
>>> time.  
>>> Should I open another issue to discuss this problem?
>>> Regards, dddong
>>>
>>>> 在 2019年12月11日,上午2:59,Tim Rühsen <address@hidden> 写道:
>>>>
>>>> Thanks,
>>>>
>>>> it's discussed at https://savannah.gnu.org/bugs/?54126. Feel free to add
>>>> information.
>>>>
>>>> Regards, Tim
>>>>
>>>> On 10.12.19 08:28, JunDong Xie wrote:
>>>>> This bug is in progress.c, create_image function. 
>>>>> ```
>>>>> else
>>>>>    {
>>>>>      /* When the download is done, print the elapsed time.  */
>>>>>      int nbytes;
>>>>>      int ncols;
>>>>>
>>>>>      /* Note to translators: this should not take up more room than
>>>>>         available here (6 columns).  Abbreviate if necessary.  */
>>>>>      strcpy (p, _("    in "));
>>>>>      nbytes = strlen (p);
>>>>>      ncols  = count_cols (p); //(1) ncols is 9 in my environment
>>>>>      bytes_cols_diff = nbytes - ncols;
>>>>>      if (dl_total_time >= 10)
>>>>>        ncols += sprintf (p + nbytes, "%s",  eta_to_human_short ((int) 
>>>>> (dl_total_time + 0.5), false)); //(2) eta_to_human_short may return a 
>>>>> string like '17m 20s' which length is 7. ncols is 0x10 now. 
>>>>>      else
>>>>>        ncols += sprintf (p + nbytes, "%ss", print_decimal 
>>>>> (dl_total_time));
>>>>>      p += ncols + bytes_cols_diff;
>>>>>      memset (p, ' ', PROGRESS_ETA_LEN - ncols); // (3) PROGRESS_ETA_LEN 
>>>>> is 15. so the third parameter of memset becomes -1, which cause a buffer 
>>>>> overflow in heap.
>>>>>      p += PROGRESS_ETA_LEN - ncols;
>>>>>    }
>>>>> ```
>>>>> when the download is done, wget needs to print the elapsed time. In (1), 
>>>>> ncols is assigned 9. In (2), the longest length of string returned by 
>>>>> eta_to_human_short is 7, which causes ncols becomes 0x10. In (3), 
>>>>> PROGRESS_ETA_LEN - ncols is less than zero and there is no check here. 
>>>>> memset’s third parameter is an unsigned integer, so it is an integer 
>>>>> underflow, which causes out-of-bounds write in heap. 
>>>>>
>>>>> Below is my wget version.
>>>>> ```
>>>>> wget --version           dddong@dddong-vm-ubuntu-18
>>>>> GNU Wget 1.19.4 在 linux-gnu 上编译。
>>>>>
>>>>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
>>>>> +ntlm +opie +psl +ssl/openssl
>>>>>
>>>>> Wgetrc:
>>>>>    /etc/wgetrc (系统)
>>>>> locale:
>>>>>    /usr/share/locale
>>>>> compile:
>>>>>    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
>>>>>    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
>>>>>    -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -DHAVE_LIBSSL -DNDEBUG
>>>>>    -g -O2 -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
>>>>>    -fstack-protector-strong -Wformat -Werror=format-security
>>>>>    -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
>>>>> link:
>>>>>    gcc -DHAVE_LIBSSL -DNDEBUG -g -O2
>>>>>    -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
>>>>>    -fstack-protector-strong -Wformat -Werror=format-security
>>>>>    -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
>>>>>    -Wl,-z,relro -Wl,-z,now -lpcre -luuid -lidn2 -lssl -lcrypto -lpsl
>>>>>    ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
>>>>>
>>>>> ```
>>>>>
>>>>> It is quite annoying me when download large files which often causes wget 
>>>>> to crash. Hope for your reply! 
>>>>>
>>>>
>>>
>>
>

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]