Accepting request 17684 from network:utilities

Copy from network:utilities/wget based on submit request 17684 from user rmax OBS-URL: https://build.opensuse.org/request/show/17684 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/wget?expand=0&rev=7
2009-08-13 15:41:58 +00:00 · 2009-08-13 15:41:58 +00:00 · 6922131c7a
commit 6922131c7a
parent 5551eb9e6e
3 changed files with 58 additions and 245 deletions
--- a/wget-nullcerts.patch
+++ b/wget-nullcerts.patch
@ -0,0 +1,48 @@
 --- src/openssl.c
 +++ src/openssl.c
@@ -481,6 +481,7 @@
 {
   X509 *cert;
   char common_name[256];
 +  int len1, len2;
   long vresult;
   bool success = true;
@@ -562,9 +563,34 @@
        UTF-8 which can be meaningfully compared to HOST.  */
   common_name[0] = '\0';
 -  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
 -                             NID_commonName, common_name, sizeof (common_name));
 -  if (!pattern_match (common_name, host))
 +  len1 = X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
 +				    NID_commonName, NULL, 0);
 +  len2 = X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
 +				    NID_commonName, common_name,
 +				    sizeof(common_name));
 +  if (len1 < 0 || len2 < 0)
 +    {
 +      logprintf (LOG_NOTQUIET, _("\
 +%s: certificate has no common name.\n"),
 +                 severity);
 +      success = false;
 +    }
 +  if (len1 != len2)
 +    {
 +      logprintf (LOG_NOTQUIET, _("\
 +%s: certificate common name is %d bytes long, maximum allowed is %d.\n"),
 +                 severity, len1, sizeof(common_name)-1);
 +      success = false;
 +    }
 +  else if (len2 != strlen(common_name))
 +    {
 +      logprintf (LOG_NOTQUIET, _("\
 +%s: certificate common name contains a NULL character: '%s\\0%s'.\n"),
 +                 severity, escnonprint (common_name),
 +		 escnonprint (common_name + strlen(common_name)+1));
 +      success = false;
 +    }
 +  else if (!pattern_match (common_name, host))
     {
       logprintf (LOG_NOTQUIET, _("\
 %s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
--- a/wget.changes
+++ b/wget.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Tue Aug 11 15:03:51 CEST 2009 - max@suse.de
 - Fix vulnerability against SSL certificates with a zero byte in
  the common name field (wget-nullcerts.patch, bnc#528298).
 -------------------------------------------------------------------
 Mon Sep  1 16:28:05 CEST 2008 - max@suse.de
--- a/wget.spec
+++ b/wget.spec
@ -1,7 +1,7 @@
 #
 # spec file for package wget (Version 1.11.4)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,10 +25,11 @@ License:        GPL v3 or later
 Group:          Productivity/Networking/Web/Utilities
 AutoReqProv:    on
 Version:        1.11.4
-Release:        1
+Release:        7
 Summary:        A Tool for Mirroring FTP and HTTP Servers
 Source:         %name-%version.tar.bz2
 Patch1:         wgetrc.patch
 Patch2:         wget-nullcerts.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         %install_info_prereq
@ -45,6 +46,7 @@ Authors:
 %prep
 %setup -q
 %patch1
 %patch2
 %build
 ./autogen.sh
@ -74,246 +76,3 @@ rm -rf $RPM_BUILD_ROOT;
 %{_bindir}/*
 %changelog
 * Mon Sep 01 2008 max@suse.de
 - New version 1.11.4:
  * Fixed a problem in authenticating over HTTPS through a proxy.
  (Regression in 1.11 over 1.10.2.)
  * The combination of -r or -p with -O, which was disallowed in 1.11,
  has been downgraded to a warning in 1.11.2.
  * Further improvements to progress bar displays in non-English
  locales (too many spaces could be inserted, causing the display to
  scroll).
  * Successive invocations of Wget on FTP URLS, with
    --no-remove-listing and --continue, was causing Wget to append,
  rather than replace, information in the .listing file, and thereby
  download the same files multiple times. Fixed in 1.11.2.
  * Wget 1.11 no longer allowed ".." to persist at the beginning of
  URLs, for improved conformance with RFC 3986. However, this
  behavior presents problems for some FTP setups, and so they are now
  preserved again, for FTP URLs only.
  * Downgraded -N with -O to a warning, rather than an error.
  * Fixed a crash on some systems, due to Wget casting a
  pointer-to-long to a pointer-to-time_t.
  * Fixed an issue (apparently a regression) where -O would refuse to
  download when -nc was given, even though the file didn't exist.
  * Fixed a situation where Wget could abort with --continue if the
  remote server gives a content-length of zero when the file exists
  locally with content.
 * Wed Apr 30 2008 max@suse.de
 - Let the resolver (/etc/gai.conf) decide whether to prefer IPv4
  or IPv6 if a host has addresses of both kinds (bnc#310224).
 - Passive FTP is the default now, so we don't need to set it
  explicitly anymore.
 * Wed Apr 23 2008 max@suse.de
 - New version 1.11.1:
  * Migration to the GPLv3+ license.
  * Improvements to the HTTP password authentication code, bringing
  it a little closer to RFC compliance (more is needed).
  * Basic support for respecting filenames specified via
  `Content-Disposition' headers (turned on with --content-disposition,
  but please read the documentation).
  * An --ignore-case option to make wildcard- and suffix-matching
  case-sensitive.
  * Progress bar now displays correctly in non-English locales (and a
  related assertion failure was fixed).
  * Added option --auth-no-challenge, to support broken pre-1.11
  authentication-before-server-challenge, which turns out to still
  be useful for some limited cases.
  * Documentation of accept/reject lists in the manual's "Types of
  Files" section now explains various aspects of their behavior that
  may be surprising, and notes that they may change in the future.
  * Documentation of --no-parents now explains how a trailing slash,
  or lack thereof, in the specified URL, will affect behavior.
 - Purged lots of obsolete patches and cleaned up the spec file.
 * Sun Feb 24 2008 crrodriguez@suse.de
 - make use of find_lang macro
 * Wed Mar 28 2007 max@suse.de
 - Fixes a null pointer dereference (#231063, CVE-2006-6719)
 * Thu Jun 22 2006 max@suse.de
 - Removed the unneeded fix for CAN-2004-1487
  (bugs #179369 and #185214).
 - Filter escape responses from the HTTP server (CAN-2004-1488,
  bug #185265).
 * Wed Feb 01 2006 max@suse.de
 - Fixed (hacked) restart of interrupted FTP transactions (#144410).
 * Wed Jan 25 2006 mls@suse.de
 - converted neededforbuild to BuildRequires
 * Mon Jan 16 2006 mmj@suse.de
 - Compile with -fstack-protector
 * Fri Oct 14 2005 mmj@suse.de
 - Update to wget 1.10.2
 * Mon Sep 19 2005 mmj@suse.de
 - Fix strict aliasing issues
 * Tue Aug 30 2005 mmj@suse.de
 - Update to wget-1.10.1 which is a bugfix release [#113682]
 * Mon Jun 13 2005 mmj@suse.de
 - Update to wget-1.10 which has LFS and non-experimental IPv6,
  among many other improvements and bugfixes
 * Tue Apr 26 2005 mmj@suse.de
 - Fix the way fnmatch matches [#75791]
 * Fri Apr 08 2005 mmj@suse.de
 - Add sanitizing URLs patch
 - Add other patches
 * Thu Mar 31 2005 mmj@suse.de
 - Don't double UTF-8 encode german messages [#74544]
 * Fri Feb 11 2005 mmj@suse.de
 - Roll back to wget-1.9.1 since the wget tree with LFS support is
  too buggy. We rather want a functioning wget. [#47965]
 * Mon Jan 31 2005 ro@suse.de
 - texi2html changed behaviour, adapt filelist
 * Thu Dec 02 2004 mmj@suse.de
 - Update to 20041113 wget-LFS snapshot
 - Fix NULL pointer assertion [#48748]
 * Mon Nov 15 2004 mmj@suse.de
 - Use another version of the fix below
 * Sun Nov 14 2004 mmj@suse.de
 - Add fix for using proxies [#47965]
 * Tue Oct 19 2004 mmj@suse.de
 - locale no should correctly be nb so rename po/no* to po/nb*
 * Mon Sep 27 2004 mmj@suse.de
 - Use LFS patch from Leonid Petrov [#37967] [#45084]
 * Mon Jun 28 2004 mmj@suse.de
 - Fix what appears to be a copy/paste error in the dual-family
  IPv4+IPv6 patch [#42503].
 * Thu Apr 01 2004 mmj@suse.de
 - Enable download of files > 2 GB [#37967]
 - Remove old crufty comments
 * Fri Feb 20 2004 pth@suse.de
 - Correctly set the charset for de.po to utf-8. Fixes #34708.
 * Sun Feb 01 2004 mmj@suse.de
 - Update to 1.9.1 which is a bugfix release
 * Sat Jan 10 2004 adrian@suse.de
 - build as user
 * Tue Oct 28 2003 mmj@suse.de
 - Add patch for dual-family IPv4+IPv6 support from Ari Edelkind
 * Mon Oct 27 2003 mmj@suse.de
 - Update to version 1.9 and remove patches, which was included
  upstream. 1.9 news:
  o specify what POST method be used for HTTP
  o IPv6 support is available, although it's still experimental
  o The `--timeout' option now also affects DNS lookup and
  establishing the TCP connection
  o Download speed shown by the progress bar is based on the data
  recently read, rather than the average speed of the entire
  download
  o It is now possible to connect to FTP servers through FWTK
  firewalls
  o The new option `--retry-connrefused' makes Wget retry
  downloads even in the face of refused connections
  o The new option `--dns-cache=off' may be used to prevent Wget
  from caching DNS lookups
  o Wget no longer escapes characters in local file names based
  on whether they're appropriate in URLs
  o Handling of HTML comments has been dumbed down to conform to
  what users expect and other browsers do: instead of being
  treated as SGML declaration, a comment is terminated at the
  first occurrence of "-->"
  o Wget now correctly handles relative URIs that begin with "//"
  o Boolean options in `.wgetrc' and on the command line now
  accept values "yes" and "no" along with the traditional "on"
  and "off"
  o It is now possible to specify decimal values for timeouts,
  waiting periods, and download rate.
 * Tue Jul 15 2003 pthomas@suse.de
 - Add security fix to unconditionally terminate the filename
  in url.c(compose_file_name).
 * Thu Apr 24 2003 ro@suse.de
 - fix install_info --delete call and move from preun to postun
 * Tue Apr 01 2003 schwab@suse.de
 - Define _GNU_SOURCE to fix missing declarations.
 * Fri Mar 07 2003 ro@suse.de
 - fix build with current autoconf
 * Thu Mar 06 2003 pthomas@suse.de
 - Add missing change log entry.
 * Wed Mar 05 2003 pthomas@suse.de
 - Add security fix that makes wget check for '..' and '/' in
  file names.
 * Wed Feb 12 2003 kukuk@suse.de
 - Remove ps and pdf documenation, info, man and html are enough.
  [Bug #23592]
 * Tue Feb 11 2003 mmj@suse.de
 - Use %%install_info macro [#23468]
 - Don't remove $RPM_BUILD_ROOT without checking it's not "/"
 * Thu Oct 24 2002 pthomas@suse.de
 - Change wgetrc to make wget use passive_ftp per default.
 * Wed Aug 07 2002 mmj@suse.de
 - Update to 1.8.2 which is a bugfix release.
 * Wed Jul 10 2002 okir@suse.de
 - added patch for IPv6 support
 * Tue May 14 2002 meissner@suse.de
 - replaced assert msecs>=0 by if (msecs<0) msecs=0. (stupid assert)
 * Fri Feb 01 2002 ro@suse.de
 - changed neededforbuild <libpng> to <libpng-devel-packages>
 * Tue Jan 15 2002 bk@suse.de
 - marked wgetrc as noreplace, format is compatible to older versions
 * Mon Jan 07 2002 pthomas@suse.de
 - Upgrade to 1.8.1
 * Thu Dec 13 2001 pthomas@suse.de
 - Upgrade to 1.8
 - Regenerate pdf_doc.diff
 - Drop ppc specific patch as it's not needed anymore.
 - Install all HTML pages and not only the table of contents.
 - Pass DESTDIR on from the toplevel Makefile.
 * Mon Aug 20 2001 olh@suse.de
 - add wget-1.7.ppc.diff to fix segfault on ppc
 * Fri Jun 08 2001 pthomas@suse.de
 - Upgrade to 1.7.
 - Add a target to doc/Makefile to build a PDF version of the
  documentation.
 - Compile with SSL support (for HTTPS).
 * Fri May 25 2001 bjacke@suse.de
 - apply and enable IPv6 patch
 - add Debian's manpage
 * Thu May 10 2001 mfabian@suse.de
 - bzip2 sources
 * Fri Mar 30 2001 pthomas@suse.de
 - Apply my patch accepted for wget 1.7 that replaces ctype.h
  with safe-ctype.h, a locale independent version of ctype.h
  taken from libiberty. This makes setting LC_CTYPE safe.
 * Thu Mar 08 2001 ke@suse.de
 - Build and install a printable manual (PDF).
 * Fri Mar 02 2001 pthomas@suse.de
 - Set LC_CTYPE along with LC_MESSAGES to correctly display
  messages in locales other then C/POSIX.
 * Wed Feb 14 2001 schwab@suse.de
 - Fix large file support (#2647).
 * Mon Jan 22 2001 ke@suse.de
 - Update to version 1.6.
 - wget.spec: Use proper rpm macros.
 - Add README.SuSE
 - Drop security patch (cf. 1999-02-09 and README.SuSE); not needed any
  longer.
 - Lost large file support (cf. README.SuSE); reopen #2647.
 * Fri Jun 09 2000 schwab@suse.de
 - Change all values that count bytes from long to unsigned long (#2647).
 * Sun Feb 20 2000 ke@suse.de
 - General spec file cleanup:
 - add group tag.
 - use various macros (%%{version}, %%{_infodir}).
 - ./configure -> %%build.
 * Sat Oct 02 1999 ke@suse.de
 - Add more PO files from
  http://www.iro.umontreal.ca/~pinard/po/HTML/domain-wget.html.
 * Mon Sep 13 1999 bs@suse.de
 - ran old prepare_spec on spec file to switch to new prepare_spec.
 * Tue Feb 09 1999 ke@suse.de
 - Security fix (proposed by marc).
 * Sun Jan 17 1999 ke@suse.de
 - apply patch (new de.po).
 - fix BuildRoot.
 * Thu Sep 24 1998 ke@suse.de
 - Update: wget-1.5.3 (bug fix release).
 * Sat Jun 27 1998 ke@suse.de
 - Update: wget-1.5.2 (bug fix release).
 - Make BuildRoot work.
 * Tue May 12 1998 ke@suse.de
 - update: wget-1.5.1 (bug fix release).
 * Fri Apr 24 1998 ke@suse.de
 - enable NLS.
 * Thu Apr 23 1998 ke@suse.de
 - update: wget-1.5.0.
 * Sat Jun 21 1997 Karl Eichwalder <ke@suse.de>
  * patch from Hrvoje Niksic to prevent crashes if you are using
  proxy authorization.
 * Mon May 19 1997 Karl Eichwalder <ke@suse.de>
  * new package: wget-1.4.5