Compare commits


10 Commits

openeuler-ci-bot
f35d4afc1d
!45 fix CVE-2024-10524
From: @XWwalker 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
2024-12-03 11:13:08 +00:00
xingwei
5d6792710d fix CVE-2024-10524 and backport related patches 2024-12-03 09:07:41 +00:00
openeuler-ci-bot
7810917b25
!31 backport CVE-2024-38428
From: @xuchenc 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
2024-06-18 09:04:38 +00:00
xuchenchen
d6017f71db backport CVE-2024-38428 2024-06-16 21:10:33 +08:00
openeuler-ci-bot
6cec99e512
!19 [sync] PR-18: skip some unstable ssl tests
From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
2022-11-01 07:00:24 +00:00
sherlock2010
d37b5b1363 skip some unstable ssl tests
(cherry picked from commit a5ea754f0817fab000070bb9749acc44bab49ea6)
2022-11-01 14:36:15 +08:00
openeuler-ci-bot
bf950db57d !10 [sync] PR-9: wget rebuild 1.20.3-3
From: @openeuler-sync-bot
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng
2021-03-08 14:47:13 +08:00
Your Name
ceac76e3f8 rebuild 1.20.3-3
(cherry picked from commit 227e1fe2313c494f35dc503fe8800fed3e69e304)
2021-03-05 19:49:58 +08:00
openeuler-ci-bot
eb991e8551 !6 bugfix and cleanup code
Merge pull request !6 from IT砖瓦工/master
2020-05-28 14:36:55 +08:00
IT砖瓦工
ef60525451 update fix-buffer-overflows-in-progress-bar-code.patch. 2020-05-23 14:50:53 +08:00
7 changed files with 517 additions and 4 deletions


@ -0,0 +1,183 @@
From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 27 Oct 2024 19:53:14 +0100
Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs)
* doc/wget.texi: Add documentation for removed support for shorthand URLs.
* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
* src/main.c (main): Likewise.
* src/retr.c (getproxy): Likewise.
* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
add new function is_valid_port.
* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
Reported-by: Goni Golan <gonig@jfrog.com>
diff --git a/doc/wget.texi b/doc/wget.texi
index 1d026d72..d46da375 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -314,8 +314,8 @@ for text files. Here is an example:
ftp://host/directory/file;type=a
@end example
-Two alternative variants of @sc{url} specification are also supported,
-because of historical (hysterical?) reasons and their widespreaded use.
+The two alternative variants of @sc{url} specifications are no longer
+supported because of security considerations:
@sc{ftp}-only syntax (supported by @code{NcFTP}):
@example
@@ -327,12 +327,8 @@ host:/dir/file
host[:port]/dir/file
@end example
-These two alternative forms are deprecated, and may cease being
-supported in the future.
-
-If you do not understand the difference between these notations, or do
-not know which one to use, just use the plain ordinary format you use
-with your favorite browser, like @code{Lynx} or @code{Netscape}.
+These two alternative forms have been deprecated long time ago,
+and support is removed with version 1.22.0.
@c man begin OPTIONS
diff --git a/src/html-url.c b/src/html-url.c
index 8e960092..99914943 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again)
url_text = merged;
}
- new_url = rewrite_shorthand_url (url_text);
+ new_url = maybe_prepend_scheme (url_text);
if (new_url)
{
xfree (url_text);
diff --git a/src/main.c b/src/main.c
index 77b1a0b6..6858d2da 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
struct iri *iri = iri_new ();
struct url *url_parsed;
- t = rewrite_shorthand_url (argv[optind]);
+ t = maybe_prepend_scheme (argv[optind]);
if (!t)
t = argv[optind];
diff --git a/src/retr.c b/src/retr.c
index 5422963c..26eb9f17 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -1546,7 +1546,7 @@ getproxy (struct url *u)
/* Handle shorthands. `rewritten_storage' is a kludge to allow
getproxy() to return static storage. */
- rewritten_url = rewrite_shorthand_url (proxy);
+ rewritten_url = maybe_prepend_scheme (proxy);
if (rewritten_url)
return rewritten_url;
diff --git a/src/url.c b/src/url.c
index 07c3bc87..2f27c48a 100644
--- a/src/url.c
+++ b/src/url.c
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
return true;
}
-/* Used by main.c: detect URLs written using the "shorthand" URL forms
- originally popularized by Netscape and NcFTP. HTTP shorthands look
- like this:
-
- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
- www.foo.com[:port] -> http://www.foo.com[:port]
-
- FTP shorthands look like this:
-
- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
+static bool is_valid_port(const char *p)
+{
+ unsigned port = (unsigned) atoi (p);
+ if (port == 0 || port > 65535)
+ return false;
- If the URL needs not or cannot be rewritten, return NULL. */
+ int digits = strspn (p, "0123456789");
+ return digits && (p[digits] == '/' || p[digits] == '\0');
+}
+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
char *
-rewrite_shorthand_url (const char *url)
+maybe_prepend_scheme (const char *url)
{
- const char *p;
- char *ret;
-
if (url_scheme (url) != SCHEME_INVALID)
return NULL;
- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
- latter Netscape. */
- p = strpbrk (url, ":/");
+ const char *p = strchr (url, ':');
if (p == url)
return NULL;
/* If we're looking at "://", it means the URL uses a scheme we
don't support, which may include "https" when compiled without
- SSL support. Don't bogusly rewrite such URLs. */
+ SSL support. Don't bogusly prepend "http://" to such URLs. */
if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
return NULL;
- if (p && *p == ':')
- {
- /* Colon indicates ftp, as in foo.bar.com:path. Check for
- special case of http port number ("localhost:10000"). */
- int digits = strspn (p + 1, "0123456789");
- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
- goto http;
-
- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
- if ((ret = aprintf ("ftp://%s", url)) != NULL)
- ret[6 + (p - url)] = '/';
- }
- else
- {
- http:
- /* Just prepend "http://" to URL. */
- ret = aprintf ("http://%s", url);
- }
- return ret;
+ if (p && p[0] == ':' && !is_valid_port (p + 1))
+ return NULL;
+
+
+ fprintf(stderr, "Prepended http:// to '%s'\n", url);
+ return aprintf ("http://%s", url);
}
static void split_path (const char *, char **, char **);
diff --git a/src/url.h b/src/url.h
index 2dfbf30b..7796a21c 100644
--- a/src/url.h
+++ b/src/url.h
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
int mkalldirs (const char *);
-char *rewrite_shorthand_url (const char *);
+char *maybe_prepend_scheme (const char *);
bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
bool are_urls_equal (const char *u1, const char *u2);
--
2.33.0
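Review bot: In the src/url.c hunk, is_valid_port converts the port with atoi, which reports no overflow and whose result for an out-of-range digit run is not defined by the C standard, so with a wrapping conversion a long all-digit string can land in 1..65535 and pass, letting the URL be rewritten with `http://` prepended instead of being rejected here. Parsing with strtoul and checking ERANGE (plus an explicit leading-digit test, since strtoul also accepts leading whitespace and a sign) makes the range check exact and removes the second strspn pass; it needs <errno.h> if url.c does not already include it. The retr.c hunk keeps the `/* Handle shorthands. ... */` comment above the renamed call, which no longer describes a function that only prepends a scheme. The unconditional fprintf to stderr is made verbose-only by the separate "Print message only in verbose mode" patch in this comparison.
```c
static bool is_valid_port(const char *p)
{
  /* Require a leading digit: strtoul alone would also accept
     leading whitespace or a sign.  */
  if (*p < '0' || *p > '9')
    return false;

  char *end;
  errno = 0;
  unsigned long port = strtoul (p, &end, 10);
  if (errno == ERANGE || port == 0 || port > 65535)
    return false;

  /* The digits must be followed by a path or the end of the string.  */
  return *end == '/' || *end == '\0';
}
```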


@ -0,0 +1,76 @@
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/url.c b/src/url.c
index 2c49023..8912999 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work. */
#include "url.h"
#include "host.h" /* for is_valid_ipv6_address */
#include "c-strcase.h"
+#include "c-ctype.h"
#ifdef HAVE_ICONV
# include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
static const char *
url_skip_credentials (const char *url)
{
- /* Look for '@' that comes before terminators, such as '/', '?',
- '#', or ';'. */
- const char *p = (const char *)strpbrk (url, "@/?#;");
- if (!p || *p != '@')
- return url;
- return p + 1;
+ /*
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+ *
+ * The RFC says
+ * server = [ [ userinfo "@" ] hostport ]
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+ * unreserved = alphanum | mark
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+ */
+ static const char *allowed = "-_.!~*'();:&=+$,";
+
+ for (const char *p = url; *p; p++)
+ {
+ if (c_isalnum(*p))
+ continue;
+
+ if (strchr(allowed, *p))
+ continue;
+
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+ {
+ p += 2;
+ continue;
+ }
+
+ if (*p == '@')
+ return p + 1;
+
+ break;
+ }
+
+ return url;
}
/* Parse credentials contained in [BEG, END). The region is expected
--
2.33.0
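Review bot: url_skip_credentials in the src/url.c hunk has no header comment stating its contract; the in-body block quotes the RFC 2396 grammar but not what the function returns. Suggested header above the definition: `/* If URL starts with RFC 2396 userinfo followed by '@', return a pointer just past the '@'; otherwise return URL unchanged. The scan stops at the first byte outside the userinfo alphabet, so an '@' after such a byte is not treated as a credentials delimiter. */`. The `allowed` table and the `%XX` escape branch implement the `userinfo` production quoted in the comment; noting that ';' is deliberately part of that alphabet (it was a scan terminator in the removed strpbrk call) would help the next reader.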


@ -0,0 +1,165 @@
From 8610b0b355b56c87b9326a71beb21934b15dd17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 14 Feb 2020 11:14:02 +0100
Subject: [PATCH] * src/main.c (main): Code clean, reduce allocations
diff --git a/src/main.c b/src/main.c
index 16df0671..6158c8de 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1348,9 +1348,9 @@ int cleaned_up;
int
main (int argc, char **argv)
{
- char **url, **t, *p;
+ char *p;
int i, ret, longindex;
- int nurl;
+ int nurls;
int retconf;
int argstring_length;
bool use_userconfig = false;
@@ -1567,7 +1567,7 @@ main (int argc, char **argv)
longindex = -1;
}
- nurl = argc - optind;
+ nurls = argc - optind;
/* Initialize logging ASAP. */
log_init (opt.lfilename, append_to_log);
@@ -1651,7 +1651,7 @@ Can't timestamp and not clobber old files at the same time.\n"));
if (opt.output_document)
{
if ((opt.convert_links || opt.convert_file_only)
- && (nurl > 1 || opt.page_requisites || opt.recursive))
+ && (nurls > 1 || opt.page_requisites || opt.recursive))
{
fputs (_("\
Cannot specify both -k or --convert-file-only and -O if multiple URLs are given, or in combination\n\
@@ -1761,7 +1761,7 @@ for details.\n\n"));
opt.always_rest = false;
}
- if (!nurl && !opt.input_filename
+ if (!nurls && !opt.input_filename
#ifdef HAVE_METALINK
&& !opt.input_metalink
#endif
@@ -1931,23 +1931,6 @@ for details.\n\n"));
if (opt.show_progress)
set_progress_implementation (opt.progress_type);
- /* Fill in the arguments. */
- url = xmalloc (sizeof (char *) * (nurl + 1));
- if (url == NULL)
- {
- fprintf (stderr, _("Memory allocation problem\n"));
- exit (WGET_EXIT_PARSE_ERROR);
- }
- for (i = 0; i < nurl; i++, optind++)
- {
- char *rewritten = rewrite_shorthand_url (argv[optind]);
- if (rewritten)
- url[i] = rewritten;
- else
- url[i] = argv[optind];
- }
- url[i] = NULL;
-
/* Open WARC file. */
if (opt.warc_filename != 0)
warc_init ();
@@ -2110,8 +2093,9 @@ only if outputting to a regular file.\n"));
#endif
/* Retrieve the URLs from argument list. */
- for (t = url; *t; t++)
+ for (i = 0; i < nurls; i++, optind++)
{
+ char *t;
char *filename = NULL, *redirected_URL = NULL;
int dt, url_err;
/* Need to do a new struct iri every time, because
@@ -2120,13 +2104,17 @@ only if outputting to a regular file.\n"));
struct iri *iri = iri_new ();
struct url *url_parsed;
+ t = rewrite_shorthand_url (argv[optind]);
+ if (!t)
+ t = argv[optind];
+
set_uri_encoding (iri, opt.locale, true);
- url_parsed = url_parse (*t, &url_err, iri, true);
+ url_parsed = url_parse (t, &url_err, iri, true);
if (!url_parsed)
{
- char *error = url_error (*t, url_err);
- logprintf (LOG_NOTQUIET, "%s: %s.\n",*t, error);
+ char *error = url_error (t, url_err);
+ logprintf (LOG_NOTQUIET, "%s: %s.\n",t, error);
xfree (error);
inform_exit_status (URLERROR);
}
@@ -2137,9 +2125,9 @@ only if outputting to a regular file.\n"));
use_askpass (url_parsed);
if ((opt.recursive || opt.page_requisites)
- && ((url_scheme (*t) != SCHEME_FTP
+ && ((url_scheme (t) != SCHEME_FTP
#ifdef HAVE_SSL
- && url_scheme (*t) != SCHEME_FTPS
+ && url_scheme (t) != SCHEME_FTPS
#endif
)
|| url_uses_proxy (url_parsed)))
@@ -2147,9 +2135,9 @@ only if outputting to a regular file.\n"));
int old_follow_ftp = opt.follow_ftp;
/* Turn opt.follow_ftp on in case of recursive FTP retrieval */
- if (url_scheme (*t) == SCHEME_FTP
+ if (url_scheme (t) == SCHEME_FTP
#ifdef HAVE_SSL
- || url_scheme (*t) == SCHEME_FTPS
+ || url_scheme (t) == SCHEME_FTPS
#endif
)
opt.follow_ftp = 1;
@@ -2160,7 +2148,7 @@ only if outputting to a regular file.\n"));
}
else
{
- retrieve_url (url_parsed, *t, &filename, &redirected_URL, NULL,
+ retrieve_url (url_parsed, t, &filename, &redirected_URL, NULL,
&dt, opt.recursive, iri, true);
}
@@ -2175,10 +2163,12 @@ only if outputting to a regular file.\n"));
xfree (filename);
url_free (url_parsed);
}
+
iri_free (iri);
- }
- xfree(url);
+ if (t != argv[optind])
+ xfree (t);
+ }
/* And then from the input file, if any. */
if (opt.input_filename)
@@ -2249,7 +2239,7 @@ only if outputting to a regular file.\n"));
/* Print the downloaded sum. */
if ((opt.recursive || opt.page_requisites
- || nurl > 1
+ || nurls > 1
|| (opt.input_filename && total_downloaded_bytes != 0))
&&
total_downloaded_bytes != 0)
--
2.33.0
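Review bot: In the last src/main.c hunk, ownership of `t` is recovered by comparing pointer identity, `if (t != argv[optind]) xfree (t);`, which couples the free to the exact assignment at the top of the loop body and will silently leak if a later edit assigns `t` from elsewhere. Keeping the allocation in its own variable makes the ownership explicit: `char *rewritten = rewrite_shorthand_url (argv[optind]);` and `t = rewritten ? rewritten : argv[optind];` at the top, with `xfree (rewritten);` at the bottom (guarded with `if (rewritten)` if xfree does not accept NULL). The loop body is split across several hunks here, so any `continue` between the assignment and the free would also skip the release; none is visible in the shown lines. main's body extends well beyond the hunks shown.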


@ -0,0 +1,40 @@
From f460e1d04963dce88b9711002c655497a8a22390 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Thu, 13 Feb 2020 15:17:27 +0100
Subject: [PATCH] * src/main.c (main): Remove use of alloca
diff --git a/src/main.c b/src/main.c
index 4d595ef0..3b6e49fc 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1934,7 +1934,7 @@ for details.\n\n"));
set_progress_implementation (opt.progress_type);
/* Fill in the arguments. */
- url = alloca_array (char *, nurl + 1);
+ url = xmalloc (sizeof (char *) * (nurl + 1));
if (url == NULL)
{
fprintf (stderr, _("Memory allocation problem\n"));
@@ -1946,7 +1946,7 @@ for details.\n\n"));
if (rewritten)
url[i] = rewritten;
else
- url[i] = xstrdup (argv[optind]);
+ url[i] = argv[optind];
}
url[i] = NULL;
@@ -2180,6 +2180,8 @@ only if outputting to a regular file.\n"));
iri_free (iri);
}
+ xfree(url);
+
/* And then from the input file, if any. */
if (opt.input_filename)
{
--
2.33.0
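Review bot: In the first src/main.c hunk the `if (url == NULL)` branch after the new `xmalloc` call is dead if xmalloc follows the wget/gnulib convention of aborting on allocation failure, so either the check or the error message should go; `url = xmalloc (sizeof *url * (nurl + 1));` would also tie the size to the variable. In the second hunk the entries switch from xstrdup'd copies to raw argv pointers while rewrite_shorthand_url results stay heap-allocated, so the array now holds mixed ownership and the `xfree(url)` added in the third hunk releases only the array, never the rewritten strings (which already leaked under alloca). The later "Code clean, reduce allocations" patch in this comparison drops the array and frees each rewritten string per iteration, which resolves this. main's body extends well outside the hunks shown.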


@ -0,0 +1,23 @@
From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gnu.org>
Date: Fri, 15 Nov 2024 22:28:41 +0100
Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in
verbose mode
diff --git a/src/url.c b/src/url.c
index 2f27c48a..913db4f1 100644
--- a/src/url.c
+++ b/src/url.c
@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url)
return NULL;
- fprintf(stderr, "Prepended http:// to '%s'\n", url);
+ logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url);
return aprintf ("http://%s", url);
}
--
2.33.0
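Review bot: The replacement line writes the gettext call as `_ (...)` with a space, while the other wget sources in this comparison use `_("...")` without one (see the main.c hunks); keeping the file's form, `logprintf (LOG_VERBOSE, _("Prepended http:// to '%s'\n"), url);`, avoids a one-off style. The message is logged before aprintf runs, so it announces the rewrite even if the allocation fails; whether aprintf can return NULL here depends on wget's allocator wrapper, which is not visible in this hunk. maybe_prepend_scheme's body begins outside the hunk.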


@ -111,7 +111,7 @@ index 02b6f04d..96d00398 100644
int units = 0;
/* Calculate the download speed using the history ring and
recent data that hasn't made it to the ring yet. */
@@ -1192,12 +1211,18 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done)
@@ -1192,12 +1211,16 @@ create_image (struct bar_progress *bp, double dl_total_time, bool done)
}
}
@ -125,8 +125,6 @@ index 02b6f04d..96d00398 100644
- *p = '\0';
+ if (padding > 0)
+ {
+// if (padding > BUF_LEN - (p - bp->buffer) - 1)
+// padding = BUF_LEN - (p - bp->buffer) - 1;
+ memset (p, ' ', padding);
+ p += padding;
+ *p = '\0';
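Review bot: If, as the -8,+6 hunk counts and the inner header change from +18 to +16 indicate, this commit drops only the two `//`-commented bound-check lines, the new patch body leaves `memset (p, ' ', padding);` without any guard relating `padding` to the remaining room in bp->buffer; the rendered page has lost the outer markers, so which two lines are removed is inferred. If `padding` is derived from the configured width rather than from the buffer size, an active clamp or at least an assertion such as `assert (padding < BUF_LEN - (p - bp->buffer));` before the memset would make the invariant the dropped comment hinted at explicit. The create_image body and the closing brace of the new `if` block lie outside this hunk.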


@ -1,6 +1,6 @@
Name: wget
Version: 1.20.3
Release: 2
Release: 6
Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
License: GPLv3+
Url: http://www.gnu.org/software/wget/
@ -16,9 +16,15 @@ Patch6006: calc_rate-fix-division-by-zero.patch
Patch6007: print-row-stats-fix-two-integer-overflows.patch
Patch6008: dot-draw-avoid-integer-overflows.patch
Patch6009: fix-and-cleanup-progress-bar-code.patch
Patch6010: backport-src-main.c-main-Remove-use-of-alloca.patch
Patch6011: backport-src-main.c-main-Code-clean-reduce-allocations.patch
Patch6012: backport-CVE-2024-10524.patch
Patch6013: backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch
Patch9000: avoid-triggering-signed-integer-overflow.patch
Patch9001: backport-CVE-2024-38428.patch
Provides: webclient bundled(gnulib)
BuildRequires: perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
BuildRequires: gnutls-devel pkgconfig texinfo gettext autoconf libidn2-devel gpgme-devel zlib-devel
@ -40,6 +46,7 @@ files and man, info files.
%autosetup -p1
%build
sed -i 's/@WITH_SSL_TRUE@am__append_1 = export SSL_TESTS=1/#@WITH_SSL_TRUE@am__append_1 = export SSL_TESTS=1/g' testenv/Makefile.in
%configure --with-ssl=gnutls --with-libpsl --enable-largefile --enable-opie --enable-digest --enable-ntlm --enable-nls --enable-ipv6 --disable-rpath --with-metalink
%make_build
@ -65,6 +72,27 @@ make check
%{_infodir}/*
%changelog
* Tue Dec 03 2024 xingwei <xingwei14@h-partners> -1.20.3-6
- Type:CVES
- ID:NA
- SUG:NA
- DESC:fix CVE-2024-10524 and backport related patches
* Sun Jun 16 2024 xuchenchen <xuchenchen@kylinos.cn> -1.20.3-5
- Type:CVES
- ID:NA
- SUG:NA
- DESC:backport CVE-2024-38428
* Tue Nov 01 2022 zhouyihang <zhouyihang3@h-partners> - 1.20.3-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:skip some unstable ssl tests
* Mon Feb 8 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.20.3-3
- rebuild 1.20.3-3
* Thu Apr 23 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.20.3-2
- Type:bugfix
- ID:NA