From daab8d54a961c89f0bce34af5b3f0768270dd1ae Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Fri, 11 Oct 2024 09:40:57 +0200
Subject: [PATCH] update to 1.24.5 [release 1.24.5-1mamba;Thu Oct 10 2024]

---
 wget-1.10-ctype.patch | 104 ----------------------------
 wget-1.10.2-CVE-2006-6719.patch | 15 ----
 wget-1.11.4-logstdout.patch | 27 --------
 wget-1.11.4-passive_ftp.patch | 11 ---
 wget-1.13-etc.patch | 40 -----------
 wget-1.16.1-libproxy.patch | 94 -------------------------
 wget-1.24.5-CVE-2024-38428.patch | 75 ++++++++++++++++++++
 wget-1.8.2-msec.patch | 14 ----
 wget-1.9.1-can-2004-1487_1488.patch | 45 ------------
 wget.spec | 24 +++----
 10 files changed, 85 insertions(+), 364 deletions(-)
 delete mode 100644 wget-1.10-ctype.patch
 delete mode 100644 wget-1.10.2-CVE-2006-6719.patch
 delete mode 100644 wget-1.11.4-logstdout.patch
 delete mode 100644 wget-1.11.4-passive_ftp.patch
 delete mode 100644 wget-1.13-etc.patch
 delete mode 100644 wget-1.16.1-libproxy.patch
 create mode 100644 wget-1.24.5-CVE-2024-38428.patch
 delete mode 100644 wget-1.8.2-msec.patch
 delete mode 100644 wget-1.9.1-can-2004-1487_1488.patch

diff --git a/wget-1.10-ctype.patch b/wget-1.10-ctype.patch
deleted file mode 100644
index f1644f3..0000000
--- a/wget-1.10-ctype.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -OpenSSL 0.9.7 now includes ctype.h, and because OpenSSL's headers are included -after safe-ctype.h, compilation bombs out. We include ctype.h to force the -double-inclusion checks in ctype.h to be triggered when we include OpenSSL's -headers, avoiding the whole mess. - ---- wget-1.8.2/src/ftp.c 2002-12-13 20:27:59.000000000 -0500 -+++ wget-1.8.2/src/ftp.c 2002-12-13 20:27:54.000000000 -0500 -@@ -30,6 +30,8 @@ - - #include - -+#include -+ - #include - #include - #ifdef HAVE_STRING_H ---- wget-1.8.2/src/ftp-basic.c 2002-12-13 20:28:18.000000000 -0500 -+++ wget-1.8.2/src/ftp-basic.c 2002-12-13 20:28:12.000000000 -0500 -@@ -29,6 +29,8 @@ - - #include - -+#include -+ - #include - #include - #include ---- wget-1.8.2/src/ftp-ls.c 2002-12-13 20:28:36.000000000 -0500 -+++ wget-1.8.2/src/ftp-ls.c 2002-12-13 20:28:31.000000000 -0500 -@@ -30,6 +30,8 @@ - - #include - -+#include -+ - #include - #include - #ifdef HAVE_STRING_H ---- wget-1.8.2/src/http.c 2002-12-13 20:29:07.000000000 -0500 -+++ wget-1.8.2/src/http.c 2002-12-13 20:29:13.000000000 -0500 -@@ -30,6 +30,8 @@ - - #include - -+#include -+ - #include - #include - #include ---- wget-1.8.2/src/retr.c 2002-12-13 20:29:49.000000000 -0500 -+++ wget-1.8.2/src/retr.c 2002-12-13 20:29:55.000000000 -0500 -@@ -29,6 +29,8 @@ - - #include - -+#include -+ - #include - #include - #include ---- wget-1.8.2/src/main.c 2002-12-13 20:30:14.000000000 -0500 -+++ wget-1.8.2/src/main.c 2002-12-13 20:30:17.000000000 -0500 -@@ -30,6 +30,8 @@ - - #include - -+#include -+ - #include - #include - #ifdef HAVE_UNISTD_H ---- wget-1.8.2/src/progress.c 2002-12-13 20:30:07.000000000 -0500 -+++ wget-1.8.2/src/progress.c 2002-12-13 20:30:03.000000000 -0500 -@@ -29,6 +29,8 @@ - - #include - -+#include -+ - #include - #include - #ifdef HAVE_STRING_H ---- wget-1.8.2/src/recur.c 2002-12-13 20:30:46.000000000 -0500 -+++ wget-1.8.2/src/recur.c 2002-12-13 20:30:43.000000000 -0500 -@@ -29,6 +29,8 @@ - - #include - -+#include -+ - #include - 
#include - #ifdef HAVE_STRING_H ---- wget-1.8.2/src/res.c 2002-12-13 20:31:02.000000000 -0500 -+++ wget-1.8.2/src/res.c 2002-12-13 20:30:59.000000000 -0500 -@@ -71,6 +71,8 @@ - # include - #endif - -+#include -+ - #include - #include - #ifdef HAVE_STRING_H diff --git a/wget-1.10.2-CVE-2006-6719.patch b/wget-1.10.2-CVE-2006-6719.patch deleted file mode 100644 index 7781261..0000000 --- a/wget-1.10.2-CVE-2006-6719.patch +++ /dev/null @@ -1,15 +0,0 @@ -Fixes NULL pointer dereference (CVE-2006-6719) (bz #221483) - ---- wget-1.10.2/src/ftp-basic.c.orig 2007-01-04 19:30:31.000000000 +0100 -+++ wget-1.10.2/src/ftp-basic.c 2007-01-04 19:31:48.000000000 +0100 -@@ -1038,7 +1038,9 @@ ftp_syst (int csock, enum stype *server_ - first word of the server response)? */ - request = strtok (NULL, " "); - -- if (!strcasecmp (request, "VMS")) -+ if (request == NULL) -+ *server_type = ST_OTHER; -+ else if (!strcasecmp (request, "VMS")) - *server_type = ST_VMS; - else if (!strcasecmp (request, "UNIX")) - *server_type = ST_UNIX; diff --git a/wget-1.11.4-logstdout.patch b/wget-1.11.4-logstdout.patch deleted file mode 100644 index 0b276ac..0000000 --- a/wget-1.11.4-logstdout.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -Nru wget-1.11.4.orig/src/log.c wget-1.11.4/src/log.c ---- wget-1.11.4.orig/src/log.c 2008-04-27 06:48:23.000000000 +0200 -+++ wget-1.11.4/src/log.c 2008-09-08 02:44:19.000000000 +0200 -@@ -516,12 +516,19 @@ - { - if (file) - { -- logfp = fopen (file, appendp ? "a" : "w"); -- if (!logfp) -+ if (strcmp(file, "-")) - { -- fprintf (stderr, "%s: %s: %s\n", exec_name, file, strerror (errno)); -- exit (1); -+ logfp = fopen (file, appendp ? "a" : "w"); -+ if (!logfp) -+ { -+ fprintf (stderr, "%s: %s: %s\n", exec_name, file, strerror (errno)); -+ exit (1); -+ } - } -+ else -+ { -+ logfp = stdout; -+ } - } - else - { diff --git a/wget-1.11.4-passive_ftp.patch b/wget-1.11.4-passive_ftp.patch deleted file mode 100644 index 6ed81df..0000000 
--- a/wget-1.11.4-passive_ftp.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -Nru wget-1.11.4.orig/doc/sample.wgetrc wget-1.11.4/doc/sample.wgetrc ---- wget-1.11.4.orig/doc/sample.wgetrc 2008-09-08 02:36:16.000000000 +0200 -+++ wget-1.11.4/doc/sample.wgetrc 2008-09-08 02:37:05.000000000 +0200 -@@ -43,6 +43,7 @@ - # problems supporting passive transfer. If you are in such - # environment, use "passive_ftp = off" to revert to active FTP. - #passive_ftp = off -+passive_ftp = on - - # The "wait" command below makes Wget wait between every connection. - # If, instead, you want Wget to wait only between retries of failed diff --git a/wget-1.13-etc.patch b/wget-1.13-etc.patch deleted file mode 100644 index ac26e94..0000000 --- a/wget-1.13-etc.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff -Nru wget-1.13.orig/doc/wget.texi wget-1.13/doc/wget.texi ---- wget-1.13.orig/doc/wget.texi 2011-08-06 12:22:58.000000000 +0200 -+++ wget-1.13/doc/wget.texi 2011-08-12 11:42:02.549749776 +0200 -@@ -190,14 +190,14 @@ - Most of the features are fully configurable, either through command line - options, or via the initialization file @file{.wgetrc} (@pxref{Startup - File}). Wget allows you to define @dfn{global} startup files --(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also -+(@file{/etc/wgetrc} by default) for site settings. You can also - specify the location of a startup file with the --config option. - - - @ignore - @c man begin FILES - @table @samp --@item /usr/local/etc/wgetrc -+@item /etc/wgetrc - Default location of the @dfn{global} startup file. - - @item .wgetrc -@@ -2696,8 +2696,8 @@ - @cindex location of wgetrc - - When initializing, Wget will look for a @dfn{global} startup file, --@file{/usr/local/etc/wgetrc} by default (or some prefix other than --@file{/usr/local}, if Wget was not installed there) and read commands -+@file{/etc/wgetrc} by default (or some prefix other than -+@file{/etc}, if Wget was not installed there) and read commands - from there, if it exists. - - Then it will look for the user's file. If the environmental variable -@@ -2708,7 +2708,7 @@ - - The fact that user's settings are loaded after the system-wide ones - means that in case of collision user's wgetrc @emph{overrides} the --system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default). -+system-wide wgetrc (in @file{/etc/wgetrc} by default). - Fascist admins, away! - - @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File diff --git a/wget-1.16.1-libproxy.patch b/wget-1.16.1-libproxy.patch deleted file mode 100644 index 044a2a2..0000000 --- a/wget-1.16.1-libproxy.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -Index: configure.ac -=================================================================== ---- configure.ac.orig -+++ configure.ac -@@ -338,6 +338,22 @@ else - fi - fi - -+dnl -+dnl libproxy support -+dnl -+AC_ARG_ENABLE(libproxy, -+ [ --enable-libproxy libproxy support for system wide proxy configuration]) -+if test "${enable_libproxy}" != "no" -+then -+ PKG_CHECK_MODULES([libproxy], [libproxy-1.0], [enable_libproxy=yes], [enable_libproxy=no]) -+fi -+if test "${enable_libproxy}" = "yes" -+then -+ AC_SUBST(libproxy_CFLAGS) -+ AC_SUBST(libproxy_LIBS) -+ AC_DEFINE([HAVE_LIBPROXY], 1, [Define when using libproxy]) -+fi -+ - dnl ********************************************************************** - dnl Checks for IPv6 - dnl ********************************************************************** -Index: src/retr.c -=================================================================== ---- src/retr.c.orig -+++ src/retr.c -@@ -54,6 +54,10 @@ as that of the covered work. */ - #include "html-url.h" - #include "iri.h" - -+#ifdef HAVE_LIBPROXY -+#include "proxy.h" -+#endif -+ - /* Total size of downloaded files. Used to enforce quota. 
*/ - SUM_SIZE_INT total_downloaded_bytes; - -@@ -1182,7 +1186,40 @@ getproxy (struct url *u) - break; - } - if (!proxy || !*proxy) -+#ifdef HAVE_LIBPROXY -+ { -+ pxProxyFactory *pf = px_proxy_factory_new(); -+ if (!pf) -+ { -+ logprintf (LOG_VERBOSE, _("Allocating memory for libproxy failed")); -+ return NULL; -+ } -+ int i; -+ char direct[] = "direct://"; -+ -+ logprintf (LOG_VERBOSE, _("asking libproxy about url '%s'\n"), u->url); -+ char **proxies = px_proxy_factory_get_proxies(pf, u->url); -+ if (proxies[0]) -+ { -+ char *check = NULL; -+ asprintf(&check , "%s", proxies[0]); -+ logprintf (LOG_VERBOSE, _("libproxy suggest to use '%s'\n"), check); -+ if(strcmp(check ,direct) != 0) -+ { -+ asprintf(&proxy , "%s", proxies[0]); -+ logprintf (LOG_VERBOSE, _("case 2: libproxy setting to use '%s'\n"), proxy); -+ } -+ } -+ for(i=0;proxies[i];i++) free(proxies[i]); -+ free(proxies); -+ free(pf); -+ -+ if (!proxy || !*proxy) -+ return NULL; -+ } -+#else - return NULL; -+#endif - - /* Handle shorthands. `rewritten_storage' is a kludge to allow - getproxy() to return static storage. */ ---- src/Makefile.am.orig 2015-01-01 20:47:13.060196379 +0100 -+++ src/Makefile.am 2015-01-02 01:36:25.417762869 +0100 -@@ -37,7 +37,7 @@ - - # The following line is losing on some versions of make! - DEFS = @DEFS@ -DSYSTEM_WGETRC=\"$(sysconfdir)/wgetrc\" -DLOCALEDIR=\"$(localedir)\" --LIBS = @LIBICONV@ @LIBINTL@ @LIBS@ $(LIB_CLOCK_GETTIME) -+LIBS = @LIBICONV@ @LIBINTL@ @LIBS@ @libproxy_LIBS@ $(LIB_CLOCK_GETTIME) - - EXTRA_DIST = css.l css.c css_.c build_info.c.in - diff --git a/wget-1.24.5-CVE-2024-38428.patch b/wget-1.24.5-CVE-2024-38428.patch new file mode 100644 index 0000000..b27f1cb --- /dev/null +++ b/wget-1.24.5-CVE-2024-38428.patch 
@@ -0,0 +1,75 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+--
+cgit v1.1
+
diff --git a/wget-1.8.2-msec.patch b/wget-1.8.2-msec.patch
deleted file mode 100644
index 7eca56d..0000000
--- a/wget-1.8.2-msec.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- wget-1.9.1/src/retr.c 2003-10-11 15:57:11.000000000 +0200
-+++ wget-1.9.1/src/retr.c.patched 2004-03-01 17:19:23.000000000 +0100
-@@ -288,7 +288,10 @@
- {
- double dlrate;
-
-- assert (msecs >= 0);
-+ /* fix msec for machines with non ordinal clock */
-+ if (msecs < 0)
-+ msecs = 0;
-+
- assert (bytes >= 0);
-
- if (msecs == 0)
diff --git a/wget-1.9.1-can-2004-1487_1488.patch b/wget-1.9.1-can-2004-1487_1488.patch
deleted file mode 100644
index f299351..0000000
--- a/wget-1.9.1-can-2004-1487_1488.patch
+++ /dev/null
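Review bot: In the added `url_skip_credentials` loop (hunk `@@ -526,12 +527,39 @@` of the new patch file), `strchr(allowed, *p)` is correct only because the `for` condition stops at the NUL byte — with `*p == '\0'` it would match the terminator of `allowed` and count end-of-string as a permitted userinfo character — and that dependency deserves a comment, e.g. `/* *p != '\0' here (loop guard), so strchr cannot match the terminator of allowed. */`. The fail-closed contract is also worth stating above the loop: the first byte outside the RFC 2396 userinfo alphabet, including a '%' not followed by two hex digits, ends the scan and the whole URL is returned unchanged, so an '@' is honoured only when everything before it is valid userinfo and cannot be reached through a host or path character. The function is complete within the hunk; since this is a verbatim upstream backport, the comments belong upstream rather than in the distro patch, but the behaviour is what a packager reviewing the CVE fix should confirm.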
@@ -1,45 +0,0 @@
---- wget-1.9.1/src/http.c
-+++ wget-1.9.1/src/http.c
-@@ -1479,6 +1479,7 @@
- /* Open the local file. */
- if (!opt.dfp)
- {
-+ sanitize_path(*hs->local_file);
- mkalldirs (*hs->local_file);
- if (opt.backups)
- rotate_backups (*hs->local_file);
---- wget-1.9.1/src/utils.c
-+++ wget-1.9.1/src/utils.c
-@@ -554,6 +554,22 @@
- #endif
- }
-
-+
-+char *
-+sanitize_path(char *path)
-+{
-+ char *str = NULL;
-+
-+ /* evilhost/.bashrc and evilhost/.. */
-+ while ((str = strstr(path, "/.")) != NULL)
-+ str[1] = '_';
-+ /* .bashrc */
-+ if (*path == '.')
-+ *path = '_';
-+ return path;
-+}
-+
-+
- /* Returns 0 if PATH is a directory, 1 otherwise (any kind of file).
- Returns 0 on error. */
- int
---- wget-1.9.1/src/utils.h
-+++ wget-1.9.1/src/utils.h
-@@ -75,6 +75,7 @@
- int make_directory PARAMS ((const char *));
- char *unique_name PARAMS ((const char *, int));
- char *file_merge PARAMS ((const char *, const char *));
-+char *sanitize_path PARAMS ((char *));
-
- int acceptable PARAMS ((const char *));
- int accdir PARAMS ((const char *s, enum accd));
diff --git a/wget.spec b/wget.spec
index a2812eb..04ba220 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,8 +1,6 @@
-%define with_ssl 1
-
 Name: wget
-Version: 1.21.2
-Release: 2mamba
+Version: 1.24.5
+Release: 1mamba
 Epoch: 1
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Group: Applications/Networking
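Review bot: The `@@ -1,8 +1,6 @@` hunk of wget.spec removes `%define with_ssl 1` without touching any `%{with_ssl}` reference; if `%build` or `%files` (outside this hunk) still test that macro, rpmbuild will either fail to parse or, with a `0%{?with_ssl}`-style test, silently take the disabled branch and produce a wget without TLS support — a regression for a package whose previous changelog entry was about fixing SSL. The same check applies to `Requires(post): %{__install_info}`, dropped in the following `@@ -11,16 +9,8 @@` hunk while the `%post`/`%preun` scriptlets that would call install-info are not visible here. Either confirm that the rest of the spec has no remaining use of `%{with_ssl}` or `%{__install_info}`, or keep the two lines until the dependent sections are updated in the same commit.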
@@ -11,16 +9,8 @@ Distribution: openmamba Packager: Silvan Calarco URL: http://ftp.gnu.org/gnu/wget/ Source: http://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz -Patch0: %{name}-1.8.2-msec.patch -Patch1: %{name}-1.11.4-passive_ftp.patch -Patch2: %{name}-1.13-etc.patch -Patch3: %{name}-1.11.4-logstdout.patch -Patch4: %{name}-1.9.1-can-2004-1487_1488.patch -Patch5: %{name}-1.10-ctype.patch -Patch6: %{name}-1.10.2-CVE-2006-6719.patch -Patch7: wget-1.16.1-libproxy.patch +Patch0: wget-1.24.5-CVE-2024-38428.patch License: GPL -Requires(post): %{__install_info} ## AUTOBUILDREQ-BEGIN BuildRequires: glibc-devel BuildRequires: libgnutls-devel @@ -44,6 +34,8 @@ Wget features include the ability to work in the background while you're logged %prep %setup -q +%patch 0 -p1 -b .CVE-2024-38428 + cat >> doc/sample.wgetrc < 1.24.5-1mamba +- update to 1.24.5 + * Sun Nov 28 2021 Silvan Calarco 1.21.2-2mamba - added ca-certificates setting to wgetrc and configure options from Fedora to fix SSL support