update to 1.24.5 [release 1.24.5-1mamba;Thu Oct 10 2024]

Silvan Calarco 2024-10-11 09:40:57 +02:00
parent 02785afade
commit daab8d54a9
10 changed files with 85 additions and 364 deletions


@ -1,104 +0,0 @@
OpenSSL 0.9.7 now includes ctype.h, and because OpenSSL's headers are included
after safe-ctype.h, compilation bombs out. We include ctype.h to force the
double-inclusion checks in ctype.h to be triggered when we include OpenSSL's
headers, avoiding the whole mess.
--- wget-1.8.2/src/ftp.c 2002-12-13 20:27:59.000000000 -0500
+++ wget-1.8.2/src/ftp.c 2002-12-13 20:27:54.000000000 -0500
@@ -30,6 +30,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
--- wget-1.8.2/src/ftp-basic.c 2002-12-13 20:28:18.000000000 -0500
+++ wget-1.8.2/src/ftp-basic.c 2002-12-13 20:28:12.000000000 -0500
@@ -29,6 +29,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
--- wget-1.8.2/src/ftp-ls.c 2002-12-13 20:28:36.000000000 -0500
+++ wget-1.8.2/src/ftp-ls.c 2002-12-13 20:28:31.000000000 -0500
@@ -30,6 +30,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
--- wget-1.8.2/src/http.c 2002-12-13 20:29:07.000000000 -0500
+++ wget-1.8.2/src/http.c 2002-12-13 20:29:13.000000000 -0500
@@ -30,6 +30,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
--- wget-1.8.2/src/retr.c 2002-12-13 20:29:49.000000000 -0500
+++ wget-1.8.2/src/retr.c 2002-12-13 20:29:55.000000000 -0500
@@ -29,6 +29,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
--- wget-1.8.2/src/main.c 2002-12-13 20:30:14.000000000 -0500
+++ wget-1.8.2/src/main.c 2002-12-13 20:30:17.000000000 -0500
@@ -30,6 +30,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_UNISTD_H
--- wget-1.8.2/src/progress.c 2002-12-13 20:30:07.000000000 -0500
+++ wget-1.8.2/src/progress.c 2002-12-13 20:30:03.000000000 -0500
@@ -29,6 +29,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
--- wget-1.8.2/src/recur.c 2002-12-13 20:30:46.000000000 -0500
+++ wget-1.8.2/src/recur.c 2002-12-13 20:30:43.000000000 -0500
@@ -29,6 +29,8 @@
#include <config.h>
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
--- wget-1.8.2/src/res.c 2002-12-13 20:31:02.000000000 -0500
+++ wget-1.8.2/src/res.c 2002-12-13 20:30:59.000000000 -0500
@@ -71,6 +71,8 @@
# include <config.h>
#endif
+#include <ctype.h>
+
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H


@ -1,15 +0,0 @@
Fixes NULL pointer dereference (CVE-2006-6719) (bz #221483)
--- wget-1.10.2/src/ftp-basic.c.orig 2007-01-04 19:30:31.000000000 +0100
+++ wget-1.10.2/src/ftp-basic.c 2007-01-04 19:31:48.000000000 +0100
@@ -1038,7 +1038,9 @@ ftp_syst (int csock, enum stype *server_
first word of the server response)? */
request = strtok (NULL, " ");
- if (!strcasecmp (request, "VMS"))
+ if (request == NULL)
+ *server_type = ST_OTHER;
+ else if (!strcasecmp (request, "VMS"))
*server_type = ST_VMS;
else if (!strcasecmp (request, "UNIX"))
*server_type = ST_UNIX;


@ -1,27 +0,0 @@
diff -Nru wget-1.11.4.orig/src/log.c wget-1.11.4/src/log.c
--- wget-1.11.4.orig/src/log.c 2008-04-27 06:48:23.000000000 +0200
+++ wget-1.11.4/src/log.c 2008-09-08 02:44:19.000000000 +0200
@@ -516,12 +516,19 @@
{
if (file)
{
- logfp = fopen (file, appendp ? "a" : "w");
- if (!logfp)
+ if (strcmp(file, "-"))
{
- fprintf (stderr, "%s: %s: %s\n", exec_name, file, strerror (errno));
- exit (1);
+ logfp = fopen (file, appendp ? "a" : "w");
+ if (!logfp)
+ {
+ fprintf (stderr, "%s: %s: %s\n", exec_name, file, strerror (errno));
+ exit (1);
+ }
}
+ else
+ {
+ logfp = stdout;
+ }
}
else
{


@ -1,11 +0,0 @@
diff -Nru wget-1.11.4.orig/doc/sample.wgetrc wget-1.11.4/doc/sample.wgetrc
--- wget-1.11.4.orig/doc/sample.wgetrc 2008-09-08 02:36:16.000000000 +0200
+++ wget-1.11.4/doc/sample.wgetrc 2008-09-08 02:37:05.000000000 +0200
@@ -43,6 +43,7 @@
# problems supporting passive transfer. If you are in such
# environment, use "passive_ftp = off" to revert to active FTP.
#passive_ftp = off
+passive_ftp = on
# The "wait" command below makes Wget wait between every connection.
# If, instead, you want Wget to wait only between retries of failed


@ -1,40 +0,0 @@
diff -Nru wget-1.13.orig/doc/wget.texi wget-1.13/doc/wget.texi
--- wget-1.13.orig/doc/wget.texi 2011-08-06 12:22:58.000000000 +0200
+++ wget-1.13/doc/wget.texi 2011-08-12 11:42:02.549749776 +0200
@@ -190,14 +190,14 @@
Most of the features are fully configurable, either through command line
options, or via the initialization file @file{.wgetrc} (@pxref{Startup
File}). Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{/etc/wgetrc} by default) for site settings. You can also
specify the location of a startup file with the --config option.
@ignore
@c man begin FILES
@table @samp
-@item /usr/local/etc/wgetrc
+@item /etc/wgetrc
Default location of the @dfn{global} startup file.
@item .wgetrc
@@ -2696,8 +2696,8 @@
@cindex location of wgetrc
When initializing, Wget will look for a @dfn{global} startup file,
-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
-@file{/usr/local}, if Wget was not installed there) and read commands
+@file{/etc/wgetrc} by default (or some prefix other than
+@file{/etc}, if Wget was not installed there) and read commands
from there, if it exists.
Then it will look for the user's file. If the environmental variable
@@ -2708,7 +2708,7 @@
The fact that user's settings are loaded after the system-wide ones
means that in case of collision user's wgetrc @emph{overrides} the
-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
+system-wide wgetrc (in @file{/etc/wgetrc} by default).
Fascist admins, away!
@node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File


@ -1,94 +0,0 @@
Index: configure.ac
===================================================================
--- configure.ac.orig
+++ configure.ac
@@ -338,6 +338,22 @@ else
fi
fi
+dnl
+dnl libproxy support
+dnl
+AC_ARG_ENABLE(libproxy,
+ [ --enable-libproxy libproxy support for system wide proxy configuration])
+if test "${enable_libproxy}" != "no"
+then
+ PKG_CHECK_MODULES([libproxy], [libproxy-1.0], [enable_libproxy=yes], [enable_libproxy=no])
+fi
+if test "${enable_libproxy}" = "yes"
+then
+ AC_SUBST(libproxy_CFLAGS)
+ AC_SUBST(libproxy_LIBS)
+ AC_DEFINE([HAVE_LIBPROXY], 1, [Define when using libproxy])
+fi
+
dnl **********************************************************************
dnl Checks for IPv6
dnl **********************************************************************
Index: src/retr.c
===================================================================
--- src/retr.c.orig
+++ src/retr.c
@@ -54,6 +54,10 @@ as that of the covered work. */
#include "html-url.h"
#include "iri.h"
+#ifdef HAVE_LIBPROXY
+#include "proxy.h"
+#endif
+
/* Total size of downloaded files. Used to enforce quota. */
SUM_SIZE_INT total_downloaded_bytes;
@@ -1182,7 +1186,40 @@ getproxy (struct url *u)
break;
}
if (!proxy || !*proxy)
+#ifdef HAVE_LIBPROXY
+ {
+ pxProxyFactory *pf = px_proxy_factory_new();
+ if (!pf)
+ {
+ logprintf (LOG_VERBOSE, _("Allocating memory for libproxy failed"));
+ return NULL;
+ }
+ int i;
+ char direct[] = "direct://";
+
+ logprintf (LOG_VERBOSE, _("asking libproxy about url '%s'\n"), u->url);
+ char **proxies = px_proxy_factory_get_proxies(pf, u->url);
+ if (proxies[0])
+ {
+ char *check = NULL;
+ asprintf(&check , "%s", proxies[0]);
+ logprintf (LOG_VERBOSE, _("libproxy suggest to use '%s'\n"), check);
+ if(strcmp(check ,direct) != 0)
+ {
+ asprintf(&proxy , "%s", proxies[0]);
+ logprintf (LOG_VERBOSE, _("case 2: libproxy setting to use '%s'\n"), proxy);
+ }
+ }
+ for(i=0;proxies[i];i++) free(proxies[i]);
+ free(proxies);
+ free(pf);
+
+ if (!proxy || !*proxy)
+ return NULL;
+ }
+#else
return NULL;
+#endif
/* Handle shorthands. `rewritten_storage' is a kludge to allow
getproxy() to return static storage. */
--- src/Makefile.am.orig 2015-01-01 20:47:13.060196379 +0100
+++ src/Makefile.am 2015-01-02 01:36:25.417762869 +0100
@@ -37,7 +37,7 @@
# The following line is losing on some versions of make!
DEFS = @DEFS@ -DSYSTEM_WGETRC=\"$(sysconfdir)/wgetrc\" -DLOCALEDIR=\"$(localedir)\"
-LIBS = @LIBICONV@ @LIBINTL@ @LIBS@ $(LIB_CLOCK_GETTIME)
+LIBS = @LIBICONV@ @LIBINTL@ @LIBS@ @libproxy_LIBS@ $(LIB_CLOCK_GETTIME)
EXTRA_DIST = css.l css.c css_.c build_info.c.in


@ -0,0 +1,75 @@
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/url.c b/src/url.c
index 69e948b..07c3bc8 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work. */
#include "url.h"
#include "host.h" /* for is_valid_ipv6_address */
#include "c-strcase.h"
+#include "c-ctype.h"
#ifdef HAVE_ICONV
# include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
static const char *
url_skip_credentials (const char *url)
{
- /* Look for '@' that comes before terminators, such as '/', '?',
- '#', or ';'. */
- const char *p = (const char *)strpbrk (url, "@/?#;");
- if (!p || *p != '@')
- return url;
- return p + 1;
+ /*
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+ *
+ * The RFC says
+ * server = [ [ userinfo "@" ] hostport ]
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+ * unreserved = alphanum | mark
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+ */
+ static const char *allowed = "-_.!~*'();:&=+$,";
+
+ for (const char *p = url; *p; p++)
+ {
+ if (c_isalnum(*p))
+ continue;
+
+ if (strchr(allowed, *p))
+ continue;
+
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+ {
+ p += 2;
+ continue;
+ }
+
+ if (*p == '@')
+ return p + 1;
+
+ break;
+ }
+
+ return url;
}
/* Parse credentials contained in [BEG, END). The region is expected
--
cgit v1.1
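Review bot: In the new `url_skip_credentials`, the character set that decides where userinfo ends is declared as `static const char *allowed`, which leaves a writable static pointer; `static const char allowed[] = "-_.!~*'();:&=+$,";` keeps the whole table read-only. The loop also depends on two things that are easy to lose in a later refactor: `*p` is known to be non-NUL before `strchr(allowed, *p)` (strchr would otherwise match the terminator and walk past the end of the string), and `&&` short-circuits before `p[2]` is read when `p[1]` is the terminator. A short comment above the loop such as `/* *p != 0 inside the loop, so strchr cannot match the terminator; the %XX test never reads past the NUL */` would document both. The function's header comment lies outside the visible lines, so it is not possible to tell from here whether it already states that any character outside the RFC 2396 userinfo set ends the scan and returns `url` unchanged.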


@ -1,14 +0,0 @@
--- wget-1.9.1/src/retr.c 2003-10-11 15:57:11.000000000 +0200
+++ wget-1.9.1/src/retr.c.patched 2004-03-01 17:19:23.000000000 +0100
@@ -288,7 +288,10 @@
{
double dlrate;
- assert (msecs >= 0);
+ /* fix msec for machines with non ordinal clock */
+ if (msecs < 0)
+ msecs = 0;
+
assert (bytes >= 0);
if (msecs == 0)


@ -1,45 +0,0 @@
--- wget-1.9.1/src/http.c
+++ wget-1.9.1/src/http.c
@@ -1479,6 +1479,7 @@
/* Open the local file. */
if (!opt.dfp)
{
+ sanitize_path(*hs->local_file);
mkalldirs (*hs->local_file);
if (opt.backups)
rotate_backups (*hs->local_file);
--- wget-1.9.1/src/utils.c
+++ wget-1.9.1/src/utils.c
@@ -554,6 +554,22 @@
#endif
}
+
+char *
+sanitize_path(char *path)
+{
+ char *str = NULL;
+
+ /* evilhost/.bashrc and evilhost/.. */
+ while ((str = strstr(path, "/.")) != NULL)
+ str[1] = '_';
+ /* .bashrc */
+ if (*path == '.')
+ *path = '_';
+ return path;
+}
+
+
/* Returns 0 if PATH is a directory, 1 otherwise (any kind of file).
Returns 0 on error. */
int
--- wget-1.9.1/src/utils.h
+++ wget-1.9.1/src/utils.h
@@ -75,6 +75,7 @@
int make_directory PARAMS ((const char *));
char *unique_name PARAMS ((const char *, int));
char *file_merge PARAMS ((const char *, const char *));
+char *sanitize_path PARAMS ((char *));
int acceptable PARAMS ((const char *));
int accdir PARAMS ((const char *s, enum accd));


@ -1,8 +1,6 @@
%define with_ssl 1
Name: wget
Version: 1.21.2
Release: 2mamba
Version: 1.24.5
Release: 1mamba
Epoch: 1
Summary: A utility for retrieving files using the HTTP or FTP protocols
Group: Applications/Networking
@ -11,16 +9,8 @@ Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://ftp.gnu.org/gnu/wget/
Source: http://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz
Patch0: %{name}-1.8.2-msec.patch
Patch1: %{name}-1.11.4-passive_ftp.patch
Patch2: %{name}-1.13-etc.patch
Patch3: %{name}-1.11.4-logstdout.patch
Patch4: %{name}-1.9.1-can-2004-1487_1488.patch
Patch5: %{name}-1.10-ctype.patch
Patch6: %{name}-1.10.2-CVE-2006-6719.patch
Patch7: wget-1.16.1-libproxy.patch
Patch0: wget-1.24.5-CVE-2024-38428.patch
License: GPL
Requires(post): %{__install_info}
## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel
BuildRequires: libgnutls-devel
@ -44,6 +34,8 @@ Wget features include the ability to work in the background while you're logged
%prep
%setup -q
%patch 0 -p1 -b .CVE-2024-38428
cat >> doc/sample.wgetrc <<EOF
# default root certs location
@ -69,10 +61,11 @@ EOF
%install
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
%makeinstall
#install -m755 util/rmold.pl %{buildroot}%{_bindir}/rmold
%find_lang %{name} --all-name
rm -f %{buildroot}%{_infodir}/dir
%clean
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
@ -92,6 +85,9 @@ exit 0
%doc AUTHORS COPYING
%changelog
* Thu Oct 10 2024 Silvan Calarco <silvan.calarco@mambasoft.it> 1.24.5-1mamba
- update to 1.24.5
* Sun Nov 28 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 1.21.2-2mamba
- added ca-certificates setting to wgetrc and configure options from Fedora to fix SSL support
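Review bot: The new `%changelog` entry says only `- update to 1.24.5`, while the same change adds `Patch0: wget-1.24.5-CVE-2024-38428.patch` and drops all eight previously carried patches, including `%{name}-1.10.2-CVE-2006-6719.patch` and `%{name}-1.9.1-can-2004-1487_1488.patch`. Recording that in the entry, e.g. `- update to 1.24.5; add upstream fix for CVE-2024-38428; drop patches carried from older releases`, lets anyone auditing the package see the security fix and the removals without reading the diff. Presumably the dropped fixes are covered by upstream 1.24.5, but that is not visible on this page and is worth confirming, together with the loss of libproxy support from the removed `wget-1.16.1-libproxy.patch`. Separately, the unchanged `Source:` line fetches the tarball over `http://`; whether the build verifies a checksum or signature is not shown here.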