Sync from SUSE:SLFO:Main wget revision 335e6b559fa6f74993de52a311ee92ad

2024-07-03 10:54:37 +02:00 · 2024-07-03 10:54:37 +02:00 · 696a19c17c
commit 696a19c17c
parent 89a661ef1c
10 changed files with 141 additions and 157 deletions
--- a/properly-re-implement-userinfo-parsing.patch
+++ b/properly-re-implement-userinfo-parsing.patch
@ -0,0 +1,74 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
+++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work.  */
+ #include "url.h"
+ #include "host.h"  /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
+#include "c-ctype.h"
+ 
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+-  /* Look for '@' that comes before terminators, such as '/', '?',
+-     '#', or ';'.  */
+-  const char *p = (const char *)strpbrk (url, "@/?#;");
+-  if (!p || *p != '@')
+-    return url;
+-  return p + 1;
+  /*
+   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+   *
+   * The RFC says
+   * server        = [ [ userinfo "@" ] hostport ]
+   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+   * unreserved    = alphanum | mark
+   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+   */
+  static const char *allowed = "-_.!~*'();:&=+$,";
+
+  for (const char *p = url; *p; p++)
+    {
+      if (c_isalnum(*p))
+        continue;
+
+      if (strchr(allowed, *p))
+        continue;
+
+      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+        {
+          p += 2;
+          continue;
+        }
+
+      if (*p == '@')
+        return p + 1;
+
+      break;
+    }
+
+  return url;
+ }
+ 
+ /* Parse credentials contained in [BEG, END).  The region is expected
+-- 
+cgit v1.1
--- a/remove-env-from-shebang.patch
+++ b/remove-env-from-shebang.patch
@ -1,10 +1,10 @@
-Index: wget-1.21.4/util/rmold.pl
+Index: wget-1.24.5/util/rmold.pl
 ===================================================================
--- wget-1.21.4.orig/util/rmold.pl
-+++ wget-1.21.4/util/rmold.pl
+--- wget-1.24.5.orig/util/rmold.pl
+++ wget-1.24.5/util/rmold.pl
@@ -1,4 +1,4 @@
 -#!/usr/bin/env perl -w
 +#!/usr/bin/perl -w
 
- # Copyright (C) 1995-1997, 2007-2011, 2015, 2018-2023 Free Software
+ # Copyright (C) 1995-1997, 2007-2011, 2015, 2018-2024 Free Software
 # Foundation, Inc.
--- a/wget-1.14-no-ssl-comp.patch
+++ b/wget-1.14-no-ssl-comp.patch
@ -1,6 +1,8 @@
--- src/openssl.c.orig
-+++ src/openssl.c
-@@ -241,7 +241,9 @@
+Index: wget-1.24.5/src/openssl.c
+===================================================================
+--- wget-1.24.5.orig/src/openssl.c
+++ wget-1.24.5/src/openssl.c
+@@ -426,7 +426,9 @@ ssl_init (void)
   /* The OpenSSL library can handle renegotiations automatically, so
      tell it to do so.  */
   SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
--- a/wget-1.21.4.tar.gz
+++ b/wget-1.21.4.tar.gz
--- a/wget-1.21.4.tar.gz.sig
+++ b/wget-1.21.4.tar.gz.sig
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmRcPzMPHGdwZ0BkYXJu
-aXIubmV0AAoJEGT/kKroxwr5NhIP/1cuX5RmolNwO3wdsO+uLsAKiYW9FbIf7JuT
-wPuBAgtzSazyUrx/S4apRBYERuMhEVLefQvY8xKhZgnqsw+puD7VLjsjFkqr78BU
-3M0AMDu/QIWzv5mLazmIlZc9ArimqCEyAlKRpoiF1kud+9moE62/uxcwishcpIe1
-CvUfqy1R6o7QsHmmKoIU1p8LTzqP/wg28VI+Yw2hRKCD5aIpPHL1bkv13Ec7jFsi
-J2y2ntUVQiTNO+ssfYPu3jMb+jNIP6wqG8zGKtBCEjJ/MuLNvSNbXg5Sthwd88id
-jRUqaw1ui1pPJWHEkk/Aqm6WeqzPy6u88frWHDCQVtFEo+2rPdtpSdfCc1myIpa7
-D1FxWr+DKGXakUtlQdmkpBfmJkNsX2GjZBzOg6qRbr/wRbYWgc4pQHgrFZxWM8ZB
-THl4+1IBA4mTq3HRFwKtH43BEIGQLBjHN+RE6F25YesB9og7uhjxj17WkHRyD+Sr
-L7CO9O3AP0oM22qFNwdQGHDr1XIIktYln2Jp/EaZwEtjBDO6Fn9B+6T2UpjfeRU9
-bK6TaH6R4ws6uK87HThwdQBxpXi+Ueio49GwQzqWxGtm/nHdekTSBgJGStpOTMJI
-9yD+NlH+Cc/VHGloEzO0PFtDpBq7bB9cRkuru9bMz80aSBfVaUdX2fdGONYbbj1a
-D93jyajc
-=zquD
-----END PGP SIGNATURE-----
--- a/wget-1.24.5.tar.gz
+++ b/wget-1.24.5.tar.gz
--- a/wget-1.24.5.tar.gz.sig
+++ b/wget-1.24.5.tar.gz.sig
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmXtv7QPHGdwZ0BkYXJu
+aXIubmV0AAoJEGT/kKroxwr59lwQAKCzs/wa9PmMW4MgcUKXMwixoysi/kl4zwTO
+V7W3JN80YRyf2kG/wPu6//JmYgeUXwY0x9XbbfwmCsopmCXsXWJlD6BswOrZi+34
+BFmQOQImfUYurKjA9N/ZiZbCl8i+/WiEW/kRHJ3TCiZ578JAy+H16pM2EJbv/jkE
+/FBW2gAyNcsu7pGCcv9DjdwJEGySvKklKmv6l/uA9l6wBX8/DqdmjjnMN3YaXot+
+2HpWZeEDnMhT3++MAYbpPVF76OWTFoyE9WBbPbs2uci75vsghwyF9PLmyqxBRNoE
+SGpY18DXrx01eXUiXYd5DUNkkFQReWRaMxkURijTgXVvebiXJ4b3Updr5Ds5j6vb
+adCgyf4zj8hbd41T+an/e3u51D+6+M+jjBGmL0gY/edixZMVb9lS8FiUBD9rjvpe
+VlNZWOS3C7Wr7iwq39t0R6sZc9GjnxokmcS+xCM3FBLpSg/jOJ0P+WIgVxyScuHa
+sLcQk0laXWcDwfOzPSjFSEMtDvt4NANhCMxHOi0dh5L+n+KFvFIS9R1mlyKmdLCo
+O72NS+Ks9zgSLebapGPFutvZlp6mB98f4YWhOyJR3VkfdHrtlWfq9EvofMM+KpB9
+0bKt+eDvIpkbMhUisAtjE0OwpTSZa1pBogwF3Zwjvb+baGD51EPbh4Al8XlQ8ONE
+9obMVikI
+=qpKJ
+-----END PGP SIGNATURE-----
--- a/wget-libproxy.patch
+++ b/wget-libproxy.patch
@ -1,113 +0,0 @@
-Index: wget-1.21.4/configure.ac
-===================================================================
--- wget-1.21.4.orig/configure.ac
-+++ wget-1.21.4/configure.ac
-@@ -655,6 +655,22 @@ then
-   fi
- fi
- 
-+dnl
-+dnl libproxy support
-+dnl
-+AC_ARG_ENABLE(libproxy,
-+  [  --enable-libproxy       libproxy support for system wide proxy configuration])
-+if test "${enable_libproxy}" != "no"
-+then
-+  PKG_CHECK_MODULES([libproxy], [libproxy-1.0], [enable_libproxy=yes], [enable_libproxy=no])
-+fi
-+if test "${enable_libproxy}" = "yes"
-+then
-+  AC_SUBST(libproxy_CFLAGS)
-+  AC_SUBST(libproxy_LIBS)
-+  AC_DEFINE([HAVE_LIBPROXY], 1, [Define when using libproxy])
-+fi
-+
- dnl **********************************************************************
- dnl Checks for IPv6
- dnl **********************************************************************
-Index: wget-1.21.4/src/Makefile.am
-===================================================================
--- wget-1.21.4.orig/src/Makefile.am
-+++ wget-1.21.4/src/Makefile.am
-@@ -85,11 +85,11 @@ endif
- nodist_wget_SOURCES = version.c
- EXTRA_wget_SOURCES = iri.c metalink.c xattr.c
- LDADD = $(CODE_COVERAGE_LIBS) $(LIBOBJS) ../lib/libgnu.a $(GETADDRINFO_LIB) $(HOSTENT_LIB)\
- $(INET_NTOP_LIB) $(LIBSOCKET) $(LIB_CLOCK_GETTIME) $(LIB_CRYPTO)\
-+ $(INET_NTOP_LIB) $(LIBSOCKET) $(libproxy_LIBS) $(LIB_CLOCK_GETTIME) $(LIB_CRYPTO)\
-  $(LIB_NANOSLEEP) $(LIB_POSIX_SPAWN) $(LIB_SELECT) $(LIBICONV) $(LIBINTL)\
-  $(LIBTHREAD) $(LIBUNISTRING) $(SERVENT_LIB)
- AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib $(CODE_COVERAGE_CPPFLAGS)
-AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) $(CODE_COVERAGE_CFLAGS)
-+AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) $(CODE_COVERAGE_CFLAGS) $(libproxy_CFLAGS)
- 
- ../lib/libgnu.a:
- 	cd ../lib && $(MAKE) $(AM_MAKEFLAGS)
-Index: wget-1.21.4/src/retr.c
-===================================================================
--- wget-1.21.4.orig/src/retr.c
-+++ wget-1.21.4/src/retr.c
-@@ -60,6 +60,10 @@ as that of the covered work.  */
- #include "iri.h"
- #include "hsts.h"
- 
-+#ifdef HAVE_LIBPROXY
-+#include "proxy.h"
-+#endif
-+
- /* Total size of downloaded files.  Used to enforce quota.  */
- wgint total_downloaded_bytes;
- 
-@@ -1489,7 +1493,40 @@ getproxy (struct url *u)
-       break;
-     }
-   if (!proxy || !*proxy)
-+#ifdef HAVE_LIBPROXY
-+  {
-+       pxProxyFactory *pf = px_proxy_factory_new();
-+       if (!pf)
-+       {
-+	       debug_logprintf (_("Allocating memory for libproxy failed"));
-+	       return NULL;
-+       }
-+       int i;
-+       char direct[] = "direct://";
-+
-+       debug_logprintf (_("asking libproxy about url '%s'\n"), u->url);
-+       char **proxies = px_proxy_factory_get_proxies(pf, u->url);
-+       if (proxies[0])
-+       {
-+	   char *check = NULL;
-+	   asprintf(&check , "%s", proxies[0]);
-+	  debug_logprintf (_("libproxy suggest to use '%s'\n"), check);
-+	  if(strcmp(check ,direct) != 0)
-+	  {
-+	       asprintf(&proxy , "%s", proxies[0]);
-+	       debug_logprintf (_("case 2: libproxy setting to use '%s'\n"), proxy);
-+	  }
-+       }
-+       for(i=0;proxies[i];i++) free(proxies[i]);
-+       free(proxies);
-+       px_proxy_factory_free(pf);
-+
-+       if (!proxy || !*proxy)
-+	  return NULL;
-+  }
-+#else
-     return NULL;
-+#endif
- 
-   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
-      getproxy() to return static storage. */
-Index: wget-1.21.4/tests/Makefile.am
-===================================================================
--- wget-1.21.4.orig/tests/Makefile.am
-+++ wget-1.21.4/tests/Makefile.am
-@@ -31,6 +31,7 @@
- #
- # Version: @VERSION@
- #
-++LIBS     += $(libproxy_LIBS)
- 
- ../src/wget$(EXEEXT):
- 	cd ../src && $(MAKE) $(AM_MAKEFLAGS)
--- a/wget.changes
+++ b/wget.changes
@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Tue Jun 18 14:38:16 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
+
+- Fix mishandled semicolons in the userinfo subcomponent could lead to an
+  insecure behavior in which data that was supposed to be in the userinfo
+  subcomponent is misinterpreted to be part of the host subcomponent.
+  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
+
+-------------------------------------------------------------------
+Sun Mar 10 20:45:15 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- GNU wget 1.24.5:
+  * Fix how subdomain matches are checked for HSTS.
+  * Wget will now also parse the srcset attribute in <source> HTML
+    tags
+  * Support reading fetchmail style "user" and "passwd" fields from
+    netrc
+  * In some cases, prevent the confusing "Cannot write to...
+    (success)" error messages
+  * Support extremely fast download speeds (TB/s)
+  * Ensure that CSS URLs are corectly quoted
+  * libproxy support is now upstream- drop wget-libproxy.patch
+
+-------------------------------------------------------------------
+Tue Feb 20 15:19:15 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %patch -P N instead of deprecated %patchN.
+
 -------------------------------------------------------------------
 Mon Jun 12 08:34:23 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/wget.spec
+++ b/wget.spec
@ -2,6 +2,7 @@
 # spec file for package wget
 #
 # Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +19,7 @@

 %bcond_with	regression_tests
 Name:           wget
-Version:        1.21.4
+Version:        1.24.5
 Release:        0
 Summary:        A Tool for Mirroring FTP and HTTP Servers
 License:        GPL-3.0-or-later
@ -28,16 +29,13 @@ Source:         https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz
 Source1:        https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz.sig
 Source2:        https://savannah.gnu.org/people/viewgpg.php?user_id=90497#/%{name}.keyring
 Patch0:         wgetrc.patch
-Patch1:         wget-libproxy.patch
 Patch6:         wget-1.14-no-ssl-comp.patch
 # PATCH-FIX-OPENSUSE fix pod syntax for perl 5.18 coolo@suse.de
 Patch7:         wget-fix-pod-syntax.diff
 Patch8:         wget-errno-clobber.patch
 Patch9:         remove-env-from-shebang.patch
 Patch10:        wget-do-not-propagate-credentials.patch
-# for AX_CODE_COVERAGE
-BuildRequires:  autoconf-archive >= 2015.02.04
-BuildRequires:  automake
+Patch11:        properly-re-implement-userinfo-parsing.patch
 BuildRequires:  gpgme-devel >= 0.4.2
 BuildRequires:  libcares-devel
 BuildRequires:  libidn2-devel
@ -47,7 +45,8 @@ BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig >= 0.9.0
 BuildRequires:  pkgconfig(libmetalink)
 BuildRequires:  pkgconfig(libpcre2-8)
-BuildRequires:  pkgconfig(libproxy-1.0)
+# px_proxy_factory_free_proxies added in 0.4.16
+BuildRequires:  pkgconfig(libproxy-1.0) >= 0.4.16
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(uuid)
 %if %{with regression_tests}
@ -63,22 +62,15 @@ This can be done in script files or via the command line.
 %lang_package

 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch6
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
+%autosetup -p1

 %build
-# wget-libproxy.patch
-autoreconf --force
 %configure \
 	--with-ssl=openssl \
 	--with-cares \
-	--with-metalink
+	--with-metalink \
+	--enable-libproxy \
+	%{nil}
 %make_build
 sed -i 's/\/usr\/bin\/env perl -w/\/usr\/bin\/perl -w/' util/rmold.pl

@ -101,5 +93,6 @@ sed -i 's/\/usr\/bin\/env perl -w/\/usr\/bin\/perl -w/' util/rmold.pl
 %{_bindir}/*

 %files lang -f %{name}.lang
+%license COPYING

 %changelog