From 0ba770190182df0617bfad46f29dd9ee4ff38883523ed11b75fe311a82c0076e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?=
Date: Tue, 7 Mar 2017 13:37:41 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=69
---
 wget-CVE-2017-6508.patch | 22 ++++++++++++++++++++++
 wget.changes | 7 +++++++
 wget.spec | 2 ++
 3 files changed, 31 insertions(+)
 create mode 100644 wget-CVE-2017-6508.patch
diff --git a/wget-CVE-2017-6508.patch b/wget-CVE-2017-6508.patch
new file mode 100644
index 0000000..d3b0c29
--- /dev/null
+++ b/wget-CVE-2017-6508.patch
@@ -0,0 +1,22 @@
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b..7d36b27 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
+ url_unescape (u->host);
+ host_modified = true;
+
++ /* check for invalid control characters in host name */
++ for (p = u->host; *p; p++)
++ {
++ if (c_iscntrl(*p))
++ {
++ url_free(u);
++ error_code = PE_INVALID_HOST_NAME;
++ goto error;
++ }
++ }
++
+ /* Apply IDNA regardless of iri->utf8_encode status */
+ if (opt.enable_iri && iri)
+ {
diff --git a/wget.changes b/wget.changes
index 8ca2d33..b1c5641 100644
--- a/wget.changes
+++ b/wget.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Mar 7 13:40:10 UTC 2017 - josef.moellers@suse.com
+
+- src/url.c (url_parse): Reject control characters in host part
+ of URL
+ (CVE-2017-6508, wget-CVE-2017-6508.patch, bsc#1028301)
+
 -------------------------------------------------------------------
 Thu Feb 16 11:20:07 UTC 2017 - josef.moellers@suse.com
diff --git a/wget.spec b/wget.spec
index 02279e4..a992575 100644
--- a/wget.spec
+++ b/wget.spec
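Review bot: The control-character loop added to url_parse (the src/url.c hunk carried inside wget-CVE-2017-6508.patch) sits right after `url_unescape (u->host)` and `host_modified = true`, which suggests it only runs on the path where the host was unescaped; the enclosing condition starts above the hunk, so this cannot be confirmed from here. If a host can reach the rest of url_parse without passing that step, it would skip the check, so either confirm that no such path can carry a control byte or move the loop so that it runs on every parsed host. The comment could also record the reason, e.g. `/* reject control characters: a decoded CR or LF in the host could otherwise reach the request headers (CVE-2017-6508) */`. No regression test for an escaped control character in the host accompanies the patch.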
@@ -33,6 +33,7 @@ Patch6: wget-1.14-no-ssl-comp.patch
 # PATCH-FIX-OPENSUSE fix pod syntax for perl 5.18 coolo@suse.de
 Patch7: wget-fix-pod-syntax.diff
 Patch8: wget-errno-clobber.patch
+Patch9: wget-CVE-2017-6508.patch
 BuildRequires: automake
 BuildRequires: gpgme-devel >= 0.4.2
 BuildRequires: libcares-devel
@@ -79,6 +80,7 @@ This can be done in script files or via the command line.
 %patch6
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %build
 %if 0%{?suse_version} > 1110
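Review bot: `Patch9` is declared in the first wget.spec hunk without a provenance comment, whereas `Patch7` a few lines above carries a `# PATCH-FIX-OPENSUSE` line. For a security fix it helps later audits to record where the change came from and which report it closes. If this is a backport of an upstream change, a line such as `# PATCH-FIX-UPSTREAM wget-CVE-2017-6508.patch bsc#1028301 CVE-2017-6508 -- <upstream commit id>` directly above `Patch9:` would cover it. The `%patch9 -p1` line in the second hunk needs no change.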