diff --git a/.gitignore b/.gitignore
index 47c4ae5..888f11b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
+SOURCES/wget-1.17-path.patch
 SOURCES/wget-1.21.1.tar.gz
diff --git a/.wget.metadata b/.wget.metadata
index 1ac6975..01b3c93 100644
--- a/.wget.metadata
+++ b/.wget.metadata
@@ -1 +1,2 @@
+5b4e331beb50e54860e0cb819e4c1f14ec4db661 SOURCES/wget-1.17-path.patch
 7a14aeb3871fa4ec5e2580d2718913d1665cb49b SOURCES/wget-1.21.1.tar.gz
diff --git a/SOURCES/wget-1.17-path.patch b/SOURCES/wget-1.17-path.patch
deleted file mode 100644
index 3d14610..0000000
--- a/SOURCES/wget-1.17-path.patch
+++ /dev/null
@@ -1,172 +0,0 @@ -diff --git a/NEWS b/NEWS -index d23ae95..aa3247f 100644 ---- a/NEWS -+++ b/NEWS -@@ -935,7 +935,7 @@ distributed with Wget. - - ** Compiles on pre-ANSI compilers. - --** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir). -+** Global wgetrc now goes to /etc (i.e. $sysconfdir). - - ** Lots of bugfixes. - -@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript. - ** Fixed a long-standing bug, so that Wget now works over SLIP - connections. - --** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by -+** You can have a system-wide wgetrc (/etc/wgetrc by - default). Settings in $HOME/.wgetrc override the global ones, of - course :-) - -diff --git a/README b/README -index 692e1c6..38231c9 100644 ---- a/README -+++ b/README -@@ -33,7 +33,7 @@ for socks. - - Most of the features are configurable, either through command-line - options, or via initialization file .wgetrc. Wget allows you to --install a global startup file (/usr/local/etc/wgetrc by default) for -+install a global startup file (/etc/wgetrc by default) for - site settings. - - Wget works under almost all Unix variants in use today and, unlike -diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc -index c0d0779..9a73ada 100644 ---- a/doc/sample.wgetrc -+++ b/doc/sample.wgetrc -@@ -10,7 +10,7 @@ - ## Or online here: - ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File - ## --## Wget initialization file can reside in /usr/local/etc/wgetrc -+## Wget initialization file can reside in /etc/wgetrc - ## (global, for all users) or $HOME/.wgetrc (for a single user). - ## - ## To use the settings in this file, you will have to uncomment them, -@@ -22,7 +22,7 @@ - - - ## --## Global settings (useful for setting up in /usr/local/etc/wgetrc). -+## Global settings (useful for setting up in /etc/wgetrc). 
- ## Think well before you change them, since they may reduce wget's - ## functionality, and make it behave contrary to the documentation: - ## -diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion -index 3c7f2f4..521ef16 100644 ---- a/doc/sample.wgetrc.munged_for_texi_inclusion -+++ b/doc/sample.wgetrc.munged_for_texi_inclusion -@@ -10,7 +10,7 @@ - ## Or online here: - ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File - ## --## Wget initialization file can reside in /usr/local/etc/wgetrc -+## Wget initialization file can reside in /etc/wgetrc - ## (global, for all users) or $HOME/.wgetrc (for a single user). - ## - ## To use the settings in this file, you will have to uncomment them, -@@ -22,7 +22,7 @@ - - - ## --## Global settings (useful for setting up in /usr/local/etc/wgetrc). -+## Global settings (useful for setting up in /etc/wgetrc). - ## Think well before you change them, since they may reduce wget's - ## functionality, and make it behave contrary to the documentation: - ## -diff --git a/doc/wget.info b/doc/wget.info -index 40ce0d4..89c6652 100644 ---- a/doc/wget.info -+++ b/doc/wget.info -@@ -109,7 +109,7 @@ retrieval through HTTP proxies. - • Most of the features are fully configurable, either through command - line options, or via the initialization file ‘.wgetrc’ (*note - Startup File::). Wget allows you to define “global” startup files -- (‘/usr/local/etc/wgetrc’ by default) for site settings. You can -+ (‘/etc/wgetrc’ by default) for site settings. You can - also specify the location of a startup file with the –config - option. To disable the reading of config files, use –no-config. - If both –config and –no-config are given, –no-config is ignored. 
-@@ -2825,8 +2825,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi - =================== - - When initializing, Wget will look for a “global” startup file, --‘/usr/local/etc/wgetrc’ by default (or some prefix other than --‘/usr/local’, if Wget was not installed there) and read commands from -+‘/etc/wgetrc’ by default (or some prefix other than -+‘/etc’, if Wget was not installed there) and read commands from - there, if it exists. - - Then it will look for the user’s file. If the environmental variable -@@ -2837,7 +2837,7 @@ further attempts will be made. - - The fact that user’s settings are loaded after the system-wide ones - means that in case of collision user’s wgetrc _overrides_ the --system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default). Fascist -+system-wide wgetrc (in ‘/etc/wgetrc’ by default). Fascist - admins, away! - -  -@@ -3380,7 +3380,7 @@ its line. - ## Or online here: - ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File - ## -- ## Wget initialization file can reside in /usr/local/etc/wgetrc -+ ## Wget initialization file can reside in /etc/wgetrc - ## (global, for all users) or $HOME/.wgetrc (for a single user). - ## - ## To use the settings in this file, you will have to uncomment them, -@@ -3392,7 +3392,7 @@ its line. - - - ## -- ## Global settings (useful for setting up in /usr/local/etc/wgetrc). -+ ## Global settings (useful for setting up in /etc/wgetrc). - ## Think well before you change them, since they may reduce wget's - ## functionality, and make it behave contrary to the documentation: - ## -diff --git a/doc/wget.texi b/doc/wget.texi -index eaf6b38..608d008 100644 ---- a/doc/wget.texi -+++ b/doc/wget.texi -@@ -190,7 +190,7 @@ gauge can be customized to your preferences. - Most of the features are fully configurable, either through command line - options, or via the initialization file @file{.wgetrc} (@pxref{Startup - File}). 
Wget allows you to define @dfn{global} startup files --(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also -+(@file{/etc/wgetrc} by default) for site settings. You can also - specify the location of a startup file with the --config option. - To disable the reading of config files, use --no-config. - If both --config and --no-config are given, --no-config is ignored. -@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored. - @ignore - @c man begin FILES - @table @samp --@item /usr/local/etc/wgetrc -+@item /etc/wgetrc - Default location of the @dfn{global} startup file. - - @item .wgetrc -@@ -3154,8 +3154,8 @@ commands. - @cindex location of wgetrc - - When initializing, Wget will look for a @dfn{global} startup file, --@file{/usr/local/etc/wgetrc} by default (or some prefix other than --@file{/usr/local}, if Wget was not installed there) and read commands -+@file{/etc/wgetrc} by default (or some prefix other than -+@file{/etc}, if Wget was not installed there) and read commands - from there, if it exists. - - Then it will look for the user's file. If the environmental variable -@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}. - - The fact that user's settings are loaded after the system-wide ones - means that in case of collision user's wgetrc @emph{overrides} the --system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default). -+system-wide wgetrc (in @file{/etc/wgetrc} by default). - Fascist admins, away! - - @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File diff --git a/SOURCES/wget-1.21-CVE-2024-38428.patch b/SOURCES/wget-1.21-CVE-2024-38428.patch new file mode 100644 index 0000000..383c5f6 --- /dev/null +++ b/SOURCES/wget-1.21-CVE-2024-38428.patch 
@@ -0,0 +1,74 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+--
+cgit v1.1
diff --git a/SPECS/wget.spec b/SPECS/wget.spec
index 5d1c77e..d285103 100644
--- a/SPECS/wget.spec
+++ b/SPECS/wget.spec
@@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.21.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv3+
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
@@ -10,6 +10,7 @@ Patch1: wget-1.17-path.patch
 Patch2: wget-1.21-strtol.patch
 Patch3: wget-1.21-metalink-man.patch
 Patch4: wget-1.21-segfault.patch
+Patch5: wget-1.21-CVE-2024-38428.patch
 
 Provides: webclient
 Provides: bundled(gnulib)
@@ -69,6 +70,9 @@ make check
 %{_infodir}/*
 
 %changelog
+* Mon Jul 15 2024 Michal Ruprich - 1.21.1-8
+- Resolves: RHEL-43226 - Misinterpretation of input may lead to improper behavior
+
 * Tue Nov 02 2021 Michal Ruprich - 1.21.1-7
 - Resolves: #2017842 - Two different segfaults when downloading multiple files
 - Removing metalink from manpage
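Review bot: The rewritten body of url_skip_credentials in the nested @@ -526,12 +527,39 @@ hunk documents the RFC 2396 grammar but not the function's own contract, which this change alters: the scan now stops at the first byte outside the userinfo set (including a `%` not followed by two hex digits), returns `p + 1` only when that stopping byte is `@`, and otherwise returns `url` unchanged, whereas the removed strpbrk version accepted any byte before `@` except `/`, `?`, `#` and `;`. A comment above the loop such as `/* Return the byte after '@' when URL begins with a well-formed RFC 2396 userinfo followed by '@'; otherwise return URL unchanged.  Note ';' is part of userinfo, not a terminator. */` would make that explicit for callers. As a point of style, `allowed` can be `static const char allowed[] = "-_.!~*'();:&=+$,";` since it is never reassigned. The backport adds no test for the new grammar even though the spec's %check runs `make check` (visible as the context of the spec's last hunk); if the package's unit tests are exercised there, a handful of URLs pinning the new parse would guard later rebases.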
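Review bot: Patch5 is declared in the @@ -10,6 +10,7 @@ hunk, but whether it is applied depends on the %prep section, which lies outside this diff: with `%autosetup -p1` nothing more is needed, while a spec that applies patches individually also needs a matching `%patch5 -p1` line, and without it the build would succeed with the fix absent. The changelog line could also name CVE-2024-38428 next to RHEL-43226, matching the patch filename, so the fix is discoverable from the package changelog. The Release bump is consistent with the new changelog entry.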