File wget-CVE-2015-2059.patch of Package wget.10862
Index: wget-1.14/src/iri.c
===================================================================
--- wget-1.14.orig/src/iri.c
+++ wget-1.14/src/iri.c
@@ -205,6 +205,50 @@ do_conversion (iconv_t cd, char *in, siz
return false;
}
+/*
+ * Work around a libidn <= 1.30 vulnerability.
+ *
+ * The function checks for a valid UTF-8 character sequence before
+ * passing it to idna_to_ascii_8z().
+ *
+ * [1] http://lists.gnu.org/archive/html/help-libidn/2015-05/msg00002.html
+ * [2] https://lists.gnu.org/archive/html/bug-wget/2015-06/msg00002.html
+ * [3] http://curl.haxx.se/mail/lib-2015-06/0143.html
+ */
+static bool
+_utf8_is_valid(const char *utf8)
+{
+ const unsigned char *s = (const unsigned char *) utf8;
+
+ while (*s)
+ {
+ if ((*s & 0x80) == 0) /* 0xxxxxxx ASCII char */
+ s++;
+ else if ((*s & 0xE0) == 0xC0) /* 110xxxxx 10xxxxxx */
+ {
+ if ((s[1] & 0xC0) != 0x80)
+ return false;
+ s+=2;
+ }
+ else if ((*s & 0xF0) == 0xE0) /* 1110xxxx 10xxxxxx 10xxxxxx */
+ {
+ if ((s[1] & 0xC0) != 0x80 || (s[2] & 0xC0) != 0x80)
+ return false;
+ s+=3;
+ }
+ else if ((*s & 0xF8) == 0xF0) /* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+ {
+ if ((s[1] & 0xC0) != 0x80 || (s[2] & 0xC0) != 0x80 || (s[3] & 0xC0) != 0x80)
+ return false;
+ s+=4;
+ }
+ else
+ return false;
+ }
+
+ return true;
+}
+
/* Try to "ASCII encode" UTF-8 host. Return the new domain on success or NULL
on error. */
char *
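Review bot: `_utf8_is_valid` checks only the lead-byte/continuation-byte shape, so it still returns true for overlong forms (lead bytes 0xC0/0xC1, `E0 80..9F`, `F0 80..8F`), UTF-16 surrogates (`ED A0..BF`) and values above U+10FFFF (`F4 90..`, lead bytes 0xF5–0xF7), although the header comment promises a valid UTF-8 sequence. The shape check is enough to keep a truncated multi-byte sequence away from idna_to_ascii_8z(), which appears to be the goal of the workaround. How libidn treats the remaining ill-formed inputs is not visible here, so either tighten the ranges as sketched below or reword the comment to say "structurally well-formed". It would also help to add a comment that the s[1]..s[3] reads stay inside the string, because a NUL terminator fails the `(s[n] & 0xC0) != 0x80` test and `||` short-circuits. The leading underscore in the name is reserved at file scope; `utf8_is_valid` avoids that.

```c
      else if ((*s & 0xE0) == 0xC0) /* 110xxxxx 10xxxxxx */
        {
          if (*s < 0xC2)                        /* 0xC0/0xC1: overlong ASCII */
            return false;
          /* … unchanged: continuation-byte check, s+=2 … */
        }
      else if ((*s & 0xF0) == 0xE0) /* 1110xxxx 10xxxxxx 10xxxxxx */
        {
          if ((*s == 0xE0 && s[1] < 0xA0)       /* overlong 3-byte form */
              || (*s == 0xED && s[1] >= 0xA0))  /* UTF-16 surrogate range */
            return false;
          /* … unchanged: continuation-byte checks, s+=3 … */
        }
      else if ((*s & 0xF8) == 0xF0) /* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
        {
          if (*s > 0xF4                         /* lead bytes 0xF5..0xF7 */
              || (*s == 0xF0 && s[1] < 0x90)    /* overlong 4-byte form */
              || (*s == 0xF4 && s[1] >= 0x90))  /* above U+10FFFF */
            return false;
          /* … unchanged: continuation-byte checks, s+=4 … */
        }
```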
@@ -221,6 +265,13 @@ idn_encode (struct iri *i, char *host)
host = new;
}
+ if (!_utf8_is_valid(host))
+ {
+ logprintf (LOG_VERBOSE, _("Invalid UTF-8 sequence: %s\n"),
+ quote(host));
+ return NULL;
+ }
+
/* toASCII UTF-8 NULL terminated string */
ret = idna_to_ascii_8z (host, &new, IDNA_FLAGS);
if (ret != IDNA_SUCCESS)
{
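Review bot: The new early `return NULL;` comes right after the branch that ends in `host = new;`, so if that branch allocated `new` (the conversion call is above the hunk and not visible), the converted string is dropped without being freed on every rejected host name. Keeping the allocation in its own pointer, for example `char *converted = NULL;` set where `host = new;` is assigned, lets the rejection path call `xfree_null (converted);` before returning. The same pointer would serve the existing `ret != IDNA_SUCCESS` path below, assuming it has the same ownership problem. idn_encode starts and ends outside this hunk, so the ownership of `new` needs confirming against the full function.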