diff --git a/properly-re-implement-userinfo-parsing.patch b/properly-re-implement-userinfo-parsing.patch
new file mode 100644
index 0000000..37cd38c
--- /dev/null
+++ b/properly-re-implement-userinfo-parsing.patch
@@ -0,0 +1,74 @@ +From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Sun, 2 Jun 2024 12:40:16 +0200 +Subject: Properly re-implement userinfo parsing (rfc2396) + +* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396) + +The reason why the implementation is based on RFC 2396, an outdated standard, +is that the whole file is based on that RFC, and mixing standard here might be +dangerous. +--- + src/url.c | 40 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/src/url.c b/src/url.c +index 69e948b..07c3bc8 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -41,6 +41,7 @@ as that of the covered work. */ + #include "url.h" + #include "host.h" /* for is_valid_ipv6_address */ + #include "c-strcase.h" ++#include "c-ctype.h" + + #ifdef HAVE_ICONV + # include +@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme) + static const char * + url_skip_credentials (const char *url) + { +- /* Look for '@' that comes before terminators, such as '/', '?', +- '#', or ';'. */ +- const char *p = (const char *)strpbrk (url, "@/?#;"); +- if (!p || *p != '@') +- return url; +- return p + 1; ++ /* ++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 . ++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit. ++ * ++ * The RFC says ++ * server = [ [ userinfo "@" ] hostport ] ++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) ++ * unreserved = alphanum | mark ++ * mark = "-" | "_" | "." | "!" 
| "~" | "*" | "'" | "(" | ")" ++ */ ++ static const char *allowed = "-_.!~*'();:&=+$,"; ++ ++ for (const char *p = url; *p; p++) ++ { ++ if (c_isalnum(*p)) ++ continue; ++ ++ if (strchr(allowed, *p)) ++ continue; ++ ++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2])) ++ { ++ p += 2; ++ continue; ++ } ++ ++ if (*p == '@') ++ return p + 1; ++ ++ break; ++ } ++ ++ return url; + } + + /* Parse credentials contained in [BEG, END). The region is expected +-- +cgit v1.1 diff --git a/remove-env-from-shebang.patch b/remove-env-from-shebang.patch index 5a44a86..cfe72e5 100644 --- a/remove-env-from-shebang.patch +++ b/remove-env-from-shebang.patch @@ -1,10 +1,10 @@ -Index: wget-1.21.4/util/rmold.pl +Index: wget-1.24.5/util/rmold.pl =================================================================== ---- wget-1.21.4.orig/util/rmold.pl -+++ wget-1.21.4/util/rmold.pl +--- wget-1.24.5.orig/util/rmold.pl ++++ wget-1.24.5/util/rmold.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl -w +#!/usr/bin/perl -w - # Copyright (C) 1995-1997, 2007-2011, 2015, 2018-2023 Free Software + # Copyright (C) 1995-1997, 2007-2011, 2015, 2018-2024 Free Software # Foundation, Inc. diff --git a/wget-1.14-no-ssl-comp.patch b/wget-1.14-no-ssl-comp.patch index 9773cb9..b074d04 100644 --- a/wget-1.14-no-ssl-comp.patch +++ b/wget-1.14-no-ssl-comp.patch @@ -1,6 +1,8 @@ ---- src/openssl.c.orig -+++ src/openssl.c -@@ -241,7 +241,9 @@ +Index: wget-1.24.5/src/openssl.c +=================================================================== +--- wget-1.24.5.orig/src/openssl.c ++++ wget-1.24.5/src/openssl.c +@@ -426,7 +426,9 @@ ssl_init (void) /* The OpenSSL library can handle renegotiations automatically, so tell it to do so. */ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY); diff --git a/wget-1.21.4.tar.gz b/wget-1.21.4.tar.gz deleted file mode 100644 index 14d3a14..0000000 --- a/wget-1.21.4.tar.gz +++ /dev/null 
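Review bot: The rewritten url_skip_credentials still ends in `return url` when it meets a byte outside the RFC 2396 userinfo alphabet, so a password holding a raw non-ASCII byte (c_isalnum is ASCII-only) or an unescaped `/`, `?` or `#` is silently handed on to be parsed as the host — the same misinterpretation class CVE-2024-38428 addresses, just for a different input. Whether callers percent-encode such input before it reaches this function is not visible in the hunk; if they do not, rejecting the URL would be safer than treating the prefix as hostport. At minimum the contract should be stated above the function: `/* If URL begins with an RFC 2396 userinfo followed by '@', return a pointer just past the '@'; otherwise return URL unchanged and the caller parses the prefix as hostport. */`. Also prefer `static const char allowed[] = "-_.!~*'();:&=+$,";` over the pointer form so the table itself is const data rather than a writable pointer to a literal.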
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c
-size 5059591
diff --git a/wget-1.21.4.tar.gz.sig b/wget-1.21.4.tar.gz.sig
deleted file mode 100644
index d7d7f2f..0000000
--- a/wget-1.21.4.tar.gz.sig
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmRcPzMPHGdwZ0BkYXJu
-aXIubmV0AAoJEGT/kKroxwr5NhIP/1cuX5RmolNwO3wdsO+uLsAKiYW9FbIf7JuT
-wPuBAgtzSazyUrx/S4apRBYERuMhEVLefQvY8xKhZgnqsw+puD7VLjsjFkqr78BU
-3M0AMDu/QIWzv5mLazmIlZc9ArimqCEyAlKRpoiF1kud+9moE62/uxcwishcpIe1
-CvUfqy1R6o7QsHmmKoIU1p8LTzqP/wg28VI+Yw2hRKCD5aIpPHL1bkv13Ec7jFsi
-J2y2ntUVQiTNO+ssfYPu3jMb+jNIP6wqG8zGKtBCEjJ/MuLNvSNbXg5Sthwd88id
-jRUqaw1ui1pPJWHEkk/Aqm6WeqzPy6u88frWHDCQVtFEo+2rPdtpSdfCc1myIpa7
-D1FxWr+DKGXakUtlQdmkpBfmJkNsX2GjZBzOg6qRbr/wRbYWgc4pQHgrFZxWM8ZB
-THl4+1IBA4mTq3HRFwKtH43BEIGQLBjHN+RE6F25YesB9og7uhjxj17WkHRyD+Sr
-L7CO9O3AP0oM22qFNwdQGHDr1XIIktYln2Jp/EaZwEtjBDO6Fn9B+6T2UpjfeRU9
-bK6TaH6R4ws6uK87HThwdQBxpXi+Ueio49GwQzqWxGtm/nHdekTSBgJGStpOTMJI
-9yD+NlH+Cc/VHGloEzO0PFtDpBq7bB9cRkuru9bMz80aSBfVaUdX2fdGONYbbj1a
-D93jyajc
-=zquD
------END PGP SIGNATURE-----
diff --git a/wget-1.24.5.tar.gz b/wget-1.24.5.tar.gz
new file mode 100644
index 0000000..9bb2568
--- /dev/null
+++ b/wget-1.24.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de
+size 5182521
diff --git a/wget-1.24.5.tar.gz.sig b/wget-1.24.5.tar.gz.sig
new file mode 100644
index 0000000..72efada
--- /dev/null
+++ b/wget-1.24.5.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEa5j2N9h5xSNuJ3xcZP+QqujHCvkFAmXtv7QPHGdwZ0BkYXJu
+aXIubmV0AAoJEGT/kKroxwr59lwQAKCzs/wa9PmMW4MgcUKXMwixoysi/kl4zwTO
+V7W3JN80YRyf2kG/wPu6//JmYgeUXwY0x9XbbfwmCsopmCXsXWJlD6BswOrZi+34
+BFmQOQImfUYurKjA9N/ZiZbCl8i+/WiEW/kRHJ3TCiZ578JAy+H16pM2EJbv/jkE
+/FBW2gAyNcsu7pGCcv9DjdwJEGySvKklKmv6l/uA9l6wBX8/DqdmjjnMN3YaXot+
+2HpWZeEDnMhT3++MAYbpPVF76OWTFoyE9WBbPbs2uci75vsghwyF9PLmyqxBRNoE
+SGpY18DXrx01eXUiXYd5DUNkkFQReWRaMxkURijTgXVvebiXJ4b3Updr5Ds5j6vb
+adCgyf4zj8hbd41T+an/e3u51D+6+M+jjBGmL0gY/edixZMVb9lS8FiUBD9rjvpe
+VlNZWOS3C7Wr7iwq39t0R6sZc9GjnxokmcS+xCM3FBLpSg/jOJ0P+WIgVxyScuHa
+sLcQk0laXWcDwfOzPSjFSEMtDvt4NANhCMxHOi0dh5L+n+KFvFIS9R1mlyKmdLCo
+O72NS+Ks9zgSLebapGPFutvZlp6mB98f4YWhOyJR3VkfdHrtlWfq9EvofMM+KpB9
+0bKt+eDvIpkbMhUisAtjE0OwpTSZa1pBogwF3Zwjvb+baGD51EPbh4Al8XlQ8ONE
+9obMVikI
+=qpKJ
+-----END PGP SIGNATURE-----
diff --git a/wget-libproxy.patch b/wget-libproxy.patch
deleted file mode 100644
index df61abe..0000000
--- a/wget-libproxy.patch
+++ /dev/null
@@ -1,113 +0,0 @@ -Index: wget-1.21.4/configure.ac -=================================================================== ---- wget-1.21.4.orig/configure.ac -+++ wget-1.21.4/configure.ac -@@ -655,6 +655,22 @@ then - fi - fi - -+dnl -+dnl libproxy support -+dnl -+AC_ARG_ENABLE(libproxy, -+ [ --enable-libproxy libproxy support for system wide proxy configuration]) -+if test "${enable_libproxy}" != "no" -+then -+ PKG_CHECK_MODULES([libproxy], [libproxy-1.0], [enable_libproxy=yes], [enable_libproxy=no]) -+fi -+if test "${enable_libproxy}" = "yes" -+then -+ AC_SUBST(libproxy_CFLAGS) -+ AC_SUBST(libproxy_LIBS) -+ AC_DEFINE([HAVE_LIBPROXY], 1, [Define when using libproxy]) -+fi -+ - dnl ********************************************************************** - dnl Checks for IPv6 - dnl ********************************************************************** -Index: wget-1.21.4/src/Makefile.am -=================================================================== ---- wget-1.21.4.orig/src/Makefile.am -+++ wget-1.21.4/src/Makefile.am -@@ -85,11 +85,11 @@ endif - nodist_wget_SOURCES = version.c - EXTRA_wget_SOURCES = iri.c metalink.c xattr.c - LDADD = $(CODE_COVERAGE_LIBS) $(LIBOBJS) ../lib/libgnu.a $(GETADDRINFO_LIB) $(HOSTENT_LIB)\ -- $(INET_NTOP_LIB) $(LIBSOCKET) $(LIB_CLOCK_GETTIME) $(LIB_CRYPTO)\ -+ $(INET_NTOP_LIB) $(LIBSOCKET) $(libproxy_LIBS) $(LIB_CLOCK_GETTIME) $(LIB_CRYPTO)\ - $(LIB_NANOSLEEP) $(LIB_POSIX_SPAWN) $(LIB_SELECT) $(LIBICONV) $(LIBINTL)\ - $(LIBTHREAD) $(LIBUNISTRING) $(SERVENT_LIB) - AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib $(CODE_COVERAGE_CPPFLAGS) --AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) $(CODE_COVERAGE_CFLAGS) -+AM_CFLAGS = $(WERROR_CFLAGS) $(WARN_CFLAGS) $(CODE_COVERAGE_CFLAGS) $(libproxy_CFLAGS) - - ../lib/libgnu.a: - cd ../lib && $(MAKE) $(AM_MAKEFLAGS) -Index: wget-1.21.4/src/retr.c -=================================================================== ---- wget-1.21.4.orig/src/retr.c -+++ wget-1.21.4/src/retr.c -@@ -60,6 +60,10 @@ as 
that of the covered work. */ - #include "iri.h" - #include "hsts.h" - -+#ifdef HAVE_LIBPROXY -+#include "proxy.h" -+#endif -+ - /* Total size of downloaded files. Used to enforce quota. */ - wgint total_downloaded_bytes; - -@@ -1489,7 +1493,40 @@ getproxy (struct url *u) - break; - } - if (!proxy || !*proxy) -+#ifdef HAVE_LIBPROXY -+ { -+ pxProxyFactory *pf = px_proxy_factory_new(); -+ if (!pf) -+ { -+ debug_logprintf (_("Allocating memory for libproxy failed")); -+ return NULL; -+ } -+ int i; -+ char direct[] = "direct://"; -+ -+ debug_logprintf (_("asking libproxy about url '%s'\n"), u->url); -+ char **proxies = px_proxy_factory_get_proxies(pf, u->url); -+ if (proxies[0]) -+ { -+ char *check = NULL; -+ asprintf(&check , "%s", proxies[0]); -+ debug_logprintf (_("libproxy suggest to use '%s'\n"), check); -+ if(strcmp(check ,direct) != 0) -+ { -+ asprintf(&proxy , "%s", proxies[0]); -+ debug_logprintf (_("case 2: libproxy setting to use '%s'\n"), proxy); -+ } -+ } -+ for(i=0;proxies[i];i++) free(proxies[i]); -+ free(proxies); -+ px_proxy_factory_free(pf); -+ -+ if (!proxy || !*proxy) -+ return NULL; -+ } -+#else - return NULL; -+#endif - - /* Handle shorthands. `rewritten_storage' is a kludge to allow - getproxy() to return static storage. */ -Index: wget-1.21.4/tests/Makefile.am -=================================================================== ---- wget-1.21.4.orig/tests/Makefile.am -+++ wget-1.21.4/tests/Makefile.am -@@ -31,6 +31,7 @@ - # - # Version: @VERSION@ - # -++LIBS += $(libproxy_LIBS) - - ../src/wget$(EXEEXT): - cd ../src && $(MAKE) $(AM_MAKEFLAGS) diff --git a/wget.changes b/wget.changes index 87f8a99..67d8af3 100644 --- a/wget.changes +++ b/wget.changes 
@@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Tue Jun 18 14:38:16 UTC 2024 - Valentin Lefebvre + +- Fix mishandled semicolons in the userinfo subcomponent could lead to an + insecure behavior in which data that was supposed to be in the userinfo + subcomponent is misinterpreted to be part of the host subcomponent. + [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch] + +------------------------------------------------------------------- +Sun Mar 10 20:45:15 UTC 2024 - Andreas Stieger + +- GNU wget 1.24.5: + * Fix how subdomain matches are checked for HSTS. + * Wget will now also parse the srcset attribute in HTML + tags + * Support reading fetchmail style "user" and "passwd" fields from + netrc + * In some cases, prevent the confusing "Cannot write to... + (success)" error messages + * Support extremely fast download speeds (TB/s) + * Ensure that CSS URLs are corectly quoted + * libproxy support is now upstream- drop wget-libproxy.patch + +------------------------------------------------------------------- +Tue Feb 20 15:19:15 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + ------------------------------------------------------------------- Mon Jun 12 08:34:23 UTC 2023 - Dominique Leuenberger diff --git a/wget.spec b/wget.spec index a75cb9a..6586362 100644 --- a/wget.spec +++ b/wget.spec @@ -2,6 +2,7 @@ # spec file for package wget # # Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 Andreas Stieger # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +19,7 @@ %bcond_with regression_tests Name: wget -Version: 1.21.4 +Version: 1.24.5 Release: 0 Summary: A Tool for Mirroring FTP and HTTP Servers License: GPL-3.0-or-later 
@@ -28,16 +29,13 @@ Source: https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz Source1: https://ftp.gnu.org/gnu/wget/%{name}-%{version}.tar.gz.sig Source2: https://savannah.gnu.org/people/viewgpg.php?user_id=90497#/%{name}.keyring Patch0: wgetrc.patch -Patch1: wget-libproxy.patch Patch6: wget-1.14-no-ssl-comp.patch # PATCH-FIX-OPENSUSE fix pod syntax for perl 5.18 coolo@suse.de Patch7: wget-fix-pod-syntax.diff Patch8: wget-errno-clobber.patch Patch9: remove-env-from-shebang.patch Patch10: wget-do-not-propagate-credentials.patch -# for AX_CODE_COVERAGE -BuildRequires: autoconf-archive >= 2015.02.04 -BuildRequires: automake +Patch11: properly-re-implement-userinfo-parsing.patch BuildRequires: gpgme-devel >= 0.4.2 BuildRequires: libcares-devel BuildRequires: libidn2-devel @@ -47,7 +45,8 @@ BuildRequires: openssl-devel BuildRequires: pkgconfig >= 0.9.0 BuildRequires: pkgconfig(libmetalink) BuildRequires: pkgconfig(libpcre2-8) -BuildRequires: pkgconfig(libproxy-1.0) +# px_proxy_factory_free_proxies added in 0.4.16 +BuildRequires: pkgconfig(libproxy-1.0) >= 0.4.16 BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(uuid) %if %{with regression_tests} @@ -63,22 +62,15 @@ This can be done in script files or via the command line. %lang_package %prep -%setup -q -%patch0 -p1 -%patch1 -p1 -%patch6 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 +%autosetup -p1 %build -# wget-libproxy.patch -autoreconf --force %configure \ --with-ssl=openssl \ --with-cares \ - --with-metalink + --with-metalink \ + --enable-libproxy \ + %{nil} %make_build sed -i 's/\/usr\/bin\/env perl -w/\/usr\/bin\/perl -w/' util/rmold.pl @@ -101,5 +93,6 @@ sed -i 's/\/usr\/bin\/env perl -w/\/usr\/bin\/perl -w/' util/rmold.pl %{_bindir}/* %files lang -f %{name}.lang +%license COPYING %changelog
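Review bot: The new `%license COPYING` in the last hunk is placed after `%files lang -f %{name}.lang`, so it lands in the lang subpackage rather than the main wget package; unless the main package's `%files` (which ends with `%{_bindir}/*` just above) already carries it, move the line above `%files lang`. The switch to `%autosetup -p1` now strips one path level from every patch, where the old `%prep` applied `%patch6` with no strip level; the refreshed `Index: wget-1.24.5/src/openssl.c` header of wget-1.14-no-ssl-comp.patch in this same change appears to be the matching fix, which is worth saying in a comment next to Patch6 so the next refresh keeps it -p1. Separately, the `sed -i ... util/rmold.pl` kept in `%build` now does exactly what Patch9 (remove-env-from-shebang.patch, also refreshed here) already does, so one of the two is dead and can be dropped.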