Accepting request 477531 from network:utilities

OBS-URL: https://build.opensuse.org/request/show/477531
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wget?expand=0&rev=46

wget-CVE-2017-6508.patch

@@ -0,0 +1,22 @@
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b..7d36b27 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
+       url_unescape (u->host);
+       host_modified = true;
+ 
++      /* check for invalid control characters in host name */
++      for (p = u->host; *p; p++)
++        {
++          if (c_iscntrl(*p))
++            {
++              url_free(u);
++              error_code = PE_INVALID_HOST_NAME;
++              goto error;
++            }
++        }
++
+       /* Apply IDNA regardless of iri->utf8_encode status */
+       if (opt.enable_iri && iri)
+         {

wget.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Mar  7 13:40:10 UTC 2017 - josef.moellers@suse.com
+
+- src/url.c (url_parse): Reject control characters in host part
+  of URL
+  (CVE-2017-6508, wget-CVE-2017-6508.patch, bsc#1028301)
+
 -------------------------------------------------------------------
 Thu Feb 16 11:20:07 UTC 2017 - josef.moellers@suse.com
 

wget.spec

@@ -33,6 +33,7 @@ Patch6:         wget-1.14-no-ssl-comp.patch
 # PATCH-FIX-OPENSUSE fix pod syntax for perl 5.18 coolo@suse.de
 Patch7:         wget-fix-pod-syntax.diff
 Patch8:         wget-errno-clobber.patch
+Patch9:         wget-CVE-2017-6508.patch
 BuildRequires:  automake
 BuildRequires:  gpgme-devel >= 0.4.2
 BuildRequires:  libcares-devel
@@ -79,6 +80,7 @@ This can be done in script files or via the command line.
 %patch6
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 %if 0%{?suse_version} > 1110