From eaa23c2de5a04e3d340ed776c41637de1f2429a95247d4cb347036058c58ca20 Mon Sep 17 00:00:00 2001
From: Valentin Lefebvre
Date: Tue, 18 Jun 2024 08:47:43 +0000
Subject: [PATCH 1/2] Fix mishandled semicolons in the userinfo subcomponent, bsc#1226419
OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=125
---
properly-re-implement-userinfo-parsing.patch | 74 ++++++++++++++++++++
wget.changes | 8 +++
wget.spec | 3 +-
3 files changed, 84 insertions(+), 1 deletion(-)
create mode 100644 properly-re-implement-userinfo-parsing.patch
diff --git a/properly-re-implement-userinfo-parsing.patch b/properly-re-implement-userinfo-parsing.patch
new file mode 100644
index 0000000..37cd38c
--- /dev/null
+++ b/properly-re-implement-userinfo-parsing.patch
@@ -0,0 +1,74 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!"
| "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+--
+cgit v1.1
diff --git a/wget.changes b/wget.changes
index 9440f15..82a7c6a 100644
--- a/wget.changes
+++ b/wget.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jun 18 07:54:22 UTC 2024 - Valentin Lefebvre
+
+- Fix mishandled semicolons in the userinfo subcomponent could lead to an
+ insecure behavior in which data that was supposed to be in the userinfo
+ subcomponent is misinterpreted to be part of the host subcomponent.
+ [bsc#1226419, properly-re-implement-userinfo-parsing.patch]
+
 -------------------------------------------------------------------
 Sun Mar 10 20:45:15 UTC 2024 - Andreas Stieger
diff --git a/wget.spec b/wget.spec
index 8a2881e..9422676 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package wget
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2024 Andreas Stieger
 #
 # All modifications and additions to the file contributed by third parties
@@ -35,6 +35,7 @@ Patch7: wget-fix-pod-syntax.diff
 Patch8: wget-errno-clobber.patch
 Patch9: remove-env-from-shebang.patch
 Patch10: wget-do-not-propagate-credentials.patch
+Patch11: properly-re-implement-userinfo-parsing.patch
 BuildRequires: gpgme-devel >= 0.4.2
 BuildRequires: libcares-devel
 BuildRequires: libidn2-devel
From cdfa479c876946101dd537d61a9c0de6a6598ff9233dd2436979ef096df7919b Mon Sep 17 00:00:00 2001
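Review bot: In the embedded src/url.c change, the fall-through `break;` followed by `return url;` in `url_skip_credentials` makes any byte outside the RFC 2396 userinfo set (a raw space, a `%` not followed by two hex digits, a non-ASCII byte) end the scan as "no credentials", whereas the removed `strpbrk (url, "@/?#;")` accepted everything up to the first `@`. That handles the `;` case this fix targets, but a URL with such a byte before `@` is now handed to the host parser from its first character; that parser is outside this hunk, so whether the input is rejected there cannot be confirmed from here. I would record the contract at the fall-through with a comment such as `/* Not valid RFC 2396 userinfo: report no credentials; the caller is expected to reject '@' in the host part. */`, and say in wget.changes that credentials containing other characters must now be percent-encoded.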
From: Valentin Lefebvre
Date: Tue, 18 Jun 2024 14:58:33 +0000
Subject: [PATCH 2/2] Add missing refence to last CVE
OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=126
---
wget.changes | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wget.changes b/wget.changes
index 82a7c6a..4c969d4 100644
--- a/wget.changes
+++ b/wget.changes
@@ -4,7 +4,7 @@ Tue Jun 18 07:54:22 UTC 2024 - Valentin Lefebvre
 - Fix mishandled semicolons in the userinfo subcomponent could lead to an
 insecure behavior in which data that was supposed to be in the userinfo
 subcomponent is misinterpreted to be part of the host subcomponent.
- [bsc#1226419, properly-re-implement-userinfo-parsing.patch]
+ [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
 -------------------------------------------------------------------
 Sun Mar 10 20:45:15 UTC 2024 - Andreas Stieger