Accepting request 258883 from home:AndreasStieger:branches:network:utilities

GNU wget 1.16 [CVE-2014-4877] [boo#902709]

OBS-URL: https://build.opensuse.org/request/show/258883
OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=47

wget-1.15.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d18a5f4354c9854b1f1b9897353443bceed8e19a391d36d4dbebe85cc9d480fb
-size 1679908

wget-1.16.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9261dd090a17687b6dc0682a257e90a926def15624b650e8f799af57e5c8b0e7
+size 1697308

wget-libproxy.patch

@@ -1,11 +1,18 @@
-Index: configure.ac
+---
+ configure.ac      |   16 ++++++++++++++++
+ src/Makefile.am   |    2 +-
+ src/retr.c        |   37 +++++++++++++++++++++++++++++++++++++
+ tests/Makefile.am |    1 +
+ 4 files changed, 55 insertions(+), 1 deletion(-)
+
+Index: wget-1.16/configure.ac
 ===================================================================
---- configure.ac.orig
+--- wget-1.16.orig/configure.ac	2014-10-29 20:41:01.000000000 +0000
-+++ configure.ac
++++ wget-1.16/configure.ac	2014-10-29 20:41:05.000000000 +0000
-@@ -338,6 +338,22 @@ else
+@@ -366,6 +366,22 @@ else
-   fi
  fi
  
+ 
 +dnl
 +dnl libproxy support
 +dnl
@@ -25,31 +32,24 @@ Index: configure.ac
  dnl **********************************************************************
  dnl Checks for IPv6
  dnl **********************************************************************
-Index: src/Makefile.am
+Index: wget-1.16/src/Makefile.am
 ===================================================================
---- src/Makefile.am.orig
+--- wget-1.16.orig/src/Makefile.am	2014-10-29 20:41:01.000000000 +0000
-+++ src/Makefile.am
++++ wget-1.16/src/Makefile.am	2014-10-29 20:41:05.000000000 +0000
 @@ -37,7 +37,7 @@ endif
  
  # The following line is losing on some versions of make!
- DEFS     = @DEFS@ -DSYSTEM_WGETRC=\"$(sysconfdir)/wgetrc\" -DLOCALEDIR=\"$(localedir)\"
+ DEFS     += -DSYSTEM_WGETRC=\"$(sysconfdir)/wgetrc\" -DLOCALEDIR=\"$(localedir)\"
--LIBS     = @LIBICONV@ @LIBINTL@ @LIBS@ $(LIB_CLOCK_GETTIME)
+-LIBS     += $(LIBICONV) $(LIBINTL) $(LIB_CLOCK_GETTIME)
-+LIBS     = @LIBICONV@ @LIBINTL@ @libproxy_LIBS@ @LIBS@ $(LIB_CLOCK_GETTIME)
++LIBS     += $(LIBICONV) $(LIBINTL) $(libproxy_LIBS) $(LIB_CLOCK_GETTIME)
  
  EXTRA_DIST = css.l css.c css_.c build_info.c.in
  
-Index: tests/Makefile.am
+Index: wget-1.16/src/retr.c
 ===================================================================
---- tests/Makefile.am.orig
+--- wget-1.16.orig/src/retr.c	2014-10-29 20:41:01.000000000 +0000
-+++ tests/Makefile.am
++++ wget-1.16/src/retr.c	2014-10-29 20:41:05.000000000 +0000
-@@ -37,1 +37,1 @@
+@@ -57,6 +57,10 @@ as that of the covered work.  */
--LIBS     = @LIBICONV@ @LIBINTL@ @LIBS@ $(LIB_CLOCK_GETTIME)
-+LIBS     = @LIBICONV@ @LIBINTL@ @libproxy_LIBS@ @LIBS@ $(LIB_CLOCK_GETTIME)
-Index: src/retr.c
-===================================================================
---- src/retr.c.orig
-+++ src/retr.c
-@@ -54,6 +54,10 @@ as that of the covered work.  */
  #include "html-url.h"
  #include "iri.h"
  
@@ -60,7 +60,7 @@ Index: src/retr.c
  /* Total size of downloaded files.  Used to enforce quota.  */
  SUM_SIZE_INT total_downloaded_bytes;
  
-@@ -1182,7 +1186,40 @@ getproxy (struct url *u)
+@@ -1266,7 +1270,40 @@ getproxy (struct url *u)
        break;
      }
    if (!proxy || !*proxy)
@@ -101,5 +101,15 @@ Index: src/retr.c
  
    /* Handle shorthands.  `rewritten_storage' is a kludge to allow
       getproxy() to return static storage. */
+Index: wget-1.16/tests/Makefile.am
+===================================================================
+--- wget-1.16.orig/tests/Makefile.am	2014-10-29 20:41:40.000000000 +0000
++++ wget-1.16/tests/Makefile.am	2014-10-29 20:42:18.000000000 +0000
+@@ -33,6 +33,7 @@
+ # Version: $(VERSION)
+ #
  
++LIBS     += $(libproxy_LIBS)
  
+ ../src/wget$(EXEEXT):
+ 	cd ../src && $(MAKE) $(AM_MAKEFLAGS)

wget.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Oct 29 20:37:47 UTC 2014 - andreas.stieger@gmx.de
+
+- GNU wget 1.16:
+  This release contains a fix for symlink attack which could allow
+  a malicious ftp server to create arbitrary files, directories or
+  symbolic links and set their permissions when retrieving a
+  directory recursively through FTP. [CVE-2014-4877] [boo#902709]
+  * No longer create local symbolic links by default
+    --retr-symlinks=no option restores previous behaviour
+  * Use libpsl for verifying cookie domains.
+  * Default progress bar output changed.
+  * Introduce --show-progress to force display the progress bar.
+  * Introduce --no-config.  The wgetrc files will not be read.
+  * Introduce --start-pos to allow starting downloads from a specified position.
+  * Fix a problem with ISA Server Proxy and keep-alive connections.
+- refresh wget-libproxy.patch for upstream changes
+- make some dependencies only required for testsuite optional
+
 -------------------------------------------------------------------
 Sun Jun  8 07:19:29 UTC 2014 - andreas.stieger@gmx.de
 

wget.spec

@@ -19,7 +19,7 @@
 %bcond_with	regression_tests
 
 Name:           wget
-Version:        1.15
+Version:        1.16
 Release:        0
 Summary:        A Tool for Mirroring FTP and HTTP Servers
 License:        GPL-3.0+
@@ -42,10 +42,11 @@ BuildRequires:  automake
 BuildRequires:  libidn-devel
 BuildRequires:  makeinfo
 BuildRequires:  openssl-devel
+%if %{with regression_tests}
 # For the Testsuite
 BuildRequires:  perl-HTTP-Daemon
 BuildRequires:  perl-IO-Socket-SSL
-
+%endif
 BuildRequires:  pkg-config
 BuildRequires:  xz
 PreReq:         %install_info_prereq
@@ -59,7 +60,7 @@ This can be done in script files or via the command line.
 %setup -q
 %patch0
 %if 0%{suse_version} > 1110
-%patch1
+%patch1 -p1
 %endif
 %patch5 -p1
 %patch6