import wget-1.21.1-8.el9_4

6 months ago · bc8880937c
parent 6db8e80fcf
commit bc8880937c
5 changed files with 81 additions and 173 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
+SOURCES/wget-1.17-path.patch
 SOURCES/wget-1.21.1.tar.gz
--- a/.wget.metadata
+++ b/.wget.metadata
@ -1 +1,2 @@
+5b4e331beb50e54860e0cb819e4c1f14ec4db661 SOURCES/wget-1.17-path.patch
 7a14aeb3871fa4ec5e2580d2718913d1665cb49b SOURCES/wget-1.21.1.tar.gz
--- a/SOURCES/wget-1.17-path.patch
+++ b/SOURCES/wget-1.17-path.patch
@ -1,172 +0,0 @@
-diff --git a/NEWS b/NEWS
-index d23ae95..aa3247f 100644
--- a/NEWS
-+++ b/NEWS
-@@ -935,7 +935,7 @@ distributed with Wget.
- 
- ** Compiles on pre-ANSI compilers.
- 
-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
-+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
- 
- ** Lots of bugfixes.
- 
-@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
- ** Fixed a long-standing bug, so that Wget now works over SLIP
- connections.
- 
-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
-+** You can have a system-wide wgetrc (/etc/wgetrc by
- default). Settings in $HOME/.wgetrc override the global ones, of
- course :-)
- 
-diff --git a/README b/README
-index 692e1c6..38231c9 100644
--- a/README
-+++ b/README
-@@ -33,7 +33,7 @@ for socks.
- 
- Most of the features are configurable, either through command-line
- options, or via initialization file .wgetrc.  Wget allows you to
-install a global startup file (/usr/local/etc/wgetrc by default) for
-+install a global startup file (/etc/wgetrc by default) for
- site settings.
- 
- Wget works under almost all Unix variants in use today and, unlike
-diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
-index c0d0779..9a73ada 100644
--- a/doc/sample.wgetrc
-+++ b/doc/sample.wgetrc
-@@ -10,7 +10,7 @@
- ## Or online here:
- ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
- ##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
-+## Wget initialization file can reside in /etc/wgetrc
- ## (global, for all users) or $HOME/.wgetrc (for a single user).
- ##
- ## To use the settings in this file, you will have to uncomment them,
-@@ -22,7 +22,7 @@
- 
- 
- ##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
-+## Global settings (useful for setting up in /etc/wgetrc).
- ## Think well before you change them, since they may reduce wget's
- ## functionality, and make it behave contrary to the documentation:
- ##
-diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
-index 3c7f2f4..521ef16 100644
--- a/doc/sample.wgetrc.munged_for_texi_inclusion
-+++ b/doc/sample.wgetrc.munged_for_texi_inclusion
-@@ -10,7 +10,7 @@
- ## Or online here:
- ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
- ##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
-+## Wget initialization file can reside in /etc/wgetrc
- ## (global, for all users) or $HOME/.wgetrc (for a single user).
- ##
- ## To use the settings in this file, you will have to uncomment them,
-@@ -22,7 +22,7 @@
- 
- 
- ##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
-+## Global settings (useful for setting up in /etc/wgetrc).
- ## Think well before you change them, since they may reduce wget's
- ## functionality, and make it behave contrary to the documentation:
- ##
-diff --git a/doc/wget.info b/doc/wget.info
-index 40ce0d4..89c6652 100644
--- a/doc/wget.info
-+++ b/doc/wget.info
-@@ -109,7 +109,7 @@ retrieval through HTTP proxies.
-    • Most of the features are fully configurable, either through command
-      line options, or via the initialization file ‘.wgetrc’ (*note
-      Startup File::).  Wget allows you to define “global” startup files
-     (‘/usr/local/etc/wgetrc’ by default) for site settings.  You can
-+     (‘/etc/wgetrc’ by default) for site settings.  You can
-      also specify the location of a startup file with the –config
-      option.  To disable the reading of config files, use –no-config.
-      If both –config and –no-config are given, –no-config is ignored.
-@@ -2825,8 +2825,8 @@ File: wget.info,  Node: Wgetrc Location,  Next: Wgetrc Syntax,  Prev: Startup Fi
- ===================
- 
- When initializing, Wget will look for a “global” startup file,
-‘/usr/local/etc/wgetrc’ by default (or some prefix other than
-‘/usr/local’, if Wget was not installed there) and read commands from
-+‘/etc/wgetrc’ by default (or some prefix other than
-+‘/etc’, if Wget was not installed there) and read commands from
- there, if it exists.
- 
-    Then it will look for the user’s file.  If the environmental variable
-@@ -2837,7 +2837,7 @@ further attempts will be made.
- 
-    The fact that user’s settings are loaded after the system-wide ones
- means that in case of collision user’s wgetrc _overrides_ the
-system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default).  Fascist
-+system-wide wgetrc (in ‘/etc/wgetrc’ by default).  Fascist
- admins, away!
- 
- 
-@@ -3380,7 +3380,7 @@ its line.
-      ## Or online here:
-      ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
-      ##
-     ## Wget initialization file can reside in /usr/local/etc/wgetrc
-+     ## Wget initialization file can reside in /etc/wgetrc
-      ## (global, for all users) or $HOME/.wgetrc (for a single user).
-      ##
-      ## To use the settings in this file, you will have to uncomment them,
-@@ -3392,7 +3392,7 @@ its line.
- 
- 
-      ##
-     ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
-+     ## Global settings (useful for setting up in /etc/wgetrc).
-      ## Think well before you change them, since they may reduce wget's
-      ## functionality, and make it behave contrary to the documentation:
-      ##
-diff --git a/doc/wget.texi b/doc/wget.texi
-index eaf6b38..608d008 100644
--- a/doc/wget.texi
-+++ b/doc/wget.texi
-@@ -190,7 +190,7 @@ gauge can be customized to your preferences.
- Most of the features are fully configurable, either through command line
- options, or via the initialization file @file{.wgetrc} (@pxref{Startup
- File}).  Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
-+(@file{/etc/wgetrc} by default) for site settings. You can also
- specify the location of a startup file with the --config option.
- To disable the reading of config files, use --no-config.
- If both --config and --no-config are given, --no-config is ignored.
-@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored.
- @ignore
- @c man begin FILES
- @table @samp
-@item /usr/local/etc/wgetrc
-+@item /etc/wgetrc
- Default location of the @dfn{global} startup file.
- 
- @item .wgetrc
-@@ -3154,8 +3154,8 @@ commands.
- @cindex location of wgetrc
- 
- When initializing, Wget will look for a @dfn{global} startup file,
-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
-@file{/usr/local}, if Wget was not installed there) and read commands
-+@file{/etc/wgetrc} by default (or some prefix other than
-+@file{/etc}, if Wget was not installed there) and read commands
- from there, if it exists.
- 
- Then it will look for the user's file.  If the environmental variable
-@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
- 
- The fact that user's settings are loaded after the system-wide ones
- means that in case of collision user's wgetrc @emph{overrides} the
-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
-+system-wide wgetrc (in @file{/etc/wgetrc} by default).
- Fascist admins, away!
- 
- @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File
--- a/SOURCES/wget-1.21-CVE-2024-38428.patch
+++ b/SOURCES/wget-1.21-CVE-2024-38428.patch
@ -0,0 +1,74 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
+++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work.  */
+ #include "url.h"
+ #include "host.h"  /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
+#include "c-ctype.h"
+ 
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+-  /* Look for '@' that comes before terminators, such as '/', '?',
+-     '#', or ';'.  */
+-  const char *p = (const char *)strpbrk (url, "@/?#;");
+-  if (!p || *p != '@')
+-    return url;
+-  return p + 1;
+  /*
+   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+   *
+   * The RFC says
+   * server        = [ [ userinfo "@" ] hostport ]
+   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+   * unreserved    = alphanum | mark
+   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+   */
+  static const char *allowed = "-_.!~*'();:&=+$,";
+
+  for (const char *p = url; *p; p++)
+    {
+      if (c_isalnum(*p))
+        continue;
+
+      if (strchr(allowed, *p))
+        continue;
+
+      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+        {
+          p += 2;
+          continue;
+        }
+
+      if (*p == '@')
+        return p + 1;
+
+      break;
+    }
+
+  return url;
+ }
+ 
+ /* Parse credentials contained in [BEG, END).  The region is expected
+-- 
+cgit v1.1
--- a/SPECS/wget.spec
+++ b/SPECS/wget.spec
@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.21.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv3+
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
@ -10,6 +10,7 @@ Patch1: wget-1.17-path.patch
 Patch2: wget-1.21-strtol.patch
 Patch3: wget-1.21-metalink-man.patch
 Patch4: wget-1.21-segfault.patch
+Patch5: wget-1.21-CVE-2024-38428.patch

 Provides: webclient
 Provides: bundled(gnulib) 
@ -69,6 +70,9 @@ make check
 %{_infodir}/*

 %changelog
+* Mon Jul 15 2024 Michal Ruprich <mruprich@redhat.com> - 1.21.1-8
+- Resolves: RHEL-43226 - Misinterpretation of input may lead to improper behavior
+
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.21.1-7
 - Rebuilt for MSVSphere 9.1.