Am Montag, den 05.09.2005, 16:41 +0100 schrieb Ian Jackson: > In http://bugzilla.ubuntu.com/show_bug.cgi?id=12604 a user reported a > problem with Ubuntu's version of wget which examination of the Debian > source shows is present there too. > > Basically, three calls to xrealloc do not update the variable used to > remember where the buffer is, which obviously breaks (and may be a > security problem) if xrealloc moves the buffer. > > $ find wget-1.9.1 -name '*.[ch]' | xargs grep 'realloc (dest' > wget-1.9.1/src/log.c: xrealloc (dest, (len *= 2 + > MB_CUR_MAX)); > wget-1.9.1/src/log.c: xrealloc (dest, (len *= 2 + > 4 * MB_CUR_MAX)); > wget-1.9.1/src/log.c: xrealloc (dest, (j + MB_CUR_MAX)); > > Note that this is in wget-1.9.1-12 after debian/rules build. The bug > was introduced in a security patch. wget-1.10 does not have the same > problem because it doesn't need the same security patch. > > The patch I applied to the Ubuntu package is enclosed for your comfort > and convenience.
thx for your report. I talked to Debian security and the stable release manager and asked if this is a security problem for Debian but the answer was: "From a first glance I'd say no unless somebody proves otherwise." -- Noèl Köthe <noel debian.org> Debian GNU/Linux, www.debian.org
signature.asc
Description: This is a digitally signed message part