Package: wget Version: 1.18-5+deb9u1 Severity: important Tags: patch upstream fixed-upstream
wget 1.18 has this code in hsts_store_open(): FILE *fp = fopen (filename, "r"); if (!fp || !hsts_read_database (store, fp, false)) { /* abort! */ hsts_store_close (store); xfree (store); fclose (fp); goto out; } fclose(NULL) has undefined behaviour and in stretch the result is a SIGSEGV. So wget needs to check for NULL before calling fclose(). This is fixed in 1.19. Ben. -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages wget depends on: ii libc6 2.27-2 ii libgnutls30 3.5.18-1 ii libidn2-0 2.0.4-1.1 ii libnettle6 3.4-1 ii libpcre3 2:8.39-9 ii libpsl5 0.20.1-1 ii libuuid1 2.31.1-0.5 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages wget recommends: ii ca-certificates 20170717 wget suggests no packages. -- no debconf information
Author: Ben Hutchings <b...@decadent.org.uk> Date: Tue, 17 Apr 2018 02:55:33 +0100 Description: wget: Fix fclose(NULL) in hsts_store_open() fclose(NULL) has undefined behaviour, so only call fclose() if fp != NULL. --- a/src/hsts.c +++ b/src/hsts.c @@ -510,7 +510,8 @@ hsts_store_open (const char *filename) /* abort! */ hsts_store_close (store); xfree (store); - fclose (fp); + if (fp) + fclose (fp); goto out; }