import wget-1.19.5-12.el8_10

i8c changed/i8c/wget-1.19.5-12.el8_10
MSVSphere Packaging Team 7 months ago
parent 7bf93cd487
commit e9805949d7

1
.gitignore vendored

@ -1 +1,2 @@
SOURCES/wget-1.17-path.patch
SOURCES/wget-1.19.5.tar.gz SOURCES/wget-1.19.5.tar.gz

@ -1 +1,2 @@
5b4e331beb50e54860e0cb819e4c1f14ec4db661 SOURCES/wget-1.17-path.patch
43b3d09e786df9e8d7aa454095d4ea2d420ae41c SOURCES/wget-1.19.5.tar.gz 43b3d09e786df9e8d7aa454095d4ea2d420ae41c SOURCES/wget-1.19.5.tar.gz
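Review bot: the added entry for SOURCES/wget-1.17-path.patch moves a plain-text patch out of the tracked tree and records it only as a 40-hex-digit digest, so later changes to that patch will not appear in commit diffs. The 172-line diff removed further down in this commit appears to be that patch's content. Keeping small text patches tracked in git, and leaving only the source tarball as an external source, would keep them reviewable.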

@ -1,172 +0,0 @@
diff --git a/NEWS b/NEWS
index d23ae95..aa3247f 100644
--- a/NEWS
+++ b/NEWS
@@ -935,7 +935,7 @@ distributed with Wget.
** Compiles on pre-ANSI compilers.
-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
** Lots of bugfixes.
@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
** Fixed a long-standing bug, so that Wget now works over SLIP
connections.
-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
+** You can have a system-wide wgetrc (/etc/wgetrc by
default). Settings in $HOME/.wgetrc override the global ones, of
course :-)
diff --git a/README b/README
index 692e1c6..38231c9 100644
--- a/README
+++ b/README
@@ -33,7 +33,7 @@ for socks.
Most of the features are configurable, either through command-line
options, or via initialization file .wgetrc. Wget allows you to
-install a global startup file (/usr/local/etc/wgetrc by default) for
+install a global startup file (/etc/wgetrc by default) for
site settings.
Wget works under almost all Unix variants in use today and, unlike
diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
index c0d0779..9a73ada 100644
--- a/doc/sample.wgetrc
+++ b/doc/sample.wgetrc
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
+## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
index 3c7f2f4..521ef16 100644
--- a/doc/sample.wgetrc.munged_for_texi_inclusion
+++ b/doc/sample.wgetrc.munged_for_texi_inclusion
@@ -10,7 +10,7 @@
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
-## Wget initialization file can reside in /usr/local/etc/wgetrc
+## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -22,7 +22,7 @@
##
-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/wget.info b/doc/wget.info
index 40ce0d4..89c6652 100644
--- a/doc/wget.info
+++ b/doc/wget.info
@@ -109,7 +109,7 @@ retrieval through HTTP proxies.
• Most of the features are fully configurable, either through command
line options, or via the initialization file .wgetrc (*note
Startup File::). Wget allows you to define “global” startup files
- (/usr/local/etc/wgetrc by default) for site settings. You can
+ (/etc/wgetrc by default) for site settings. You can
also specify the location of a startup file with the config
option. To disable the reading of config files, use no-config.
If both config and no-config are given, no-config is ignored.
@@ -2825,8 +2825,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi
===================
When initializing, Wget will look for a “global” startup file,
-/usr/local/etc/wgetrc by default (or some prefix other than
-/usr/local, if Wget was not installed there) and read commands from
+/etc/wgetrc by default (or some prefix other than
+/etc, if Wget was not installed there) and read commands from
there, if it exists.
Then it will look for the users file. If the environmental variable
@@ -2837,7 +2837,7 @@ further attempts will be made.
The fact that users settings are loaded after the system-wide ones
means that in case of collision users wgetrc _overrides_ the
-system-wide wgetrc (in /usr/local/etc/wgetrc by default). Fascist
+system-wide wgetrc (in /etc/wgetrc by default). Fascist
admins, away!

@@ -3380,7 +3380,7 @@ its line.
## Or online here:
## https://www.gnu.org/software/wget/manual/wget.html#Startup-File
##
- ## Wget initialization file can reside in /usr/local/etc/wgetrc
+ ## Wget initialization file can reside in /etc/wgetrc
## (global, for all users) or $HOME/.wgetrc (for a single user).
##
## To use the settings in this file, you will have to uncomment them,
@@ -3392,7 +3392,7 @@ its line.
##
- ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
+ ## Global settings (useful for setting up in /etc/wgetrc).
## Think well before you change them, since they may reduce wget's
## functionality, and make it behave contrary to the documentation:
##
diff --git a/doc/wget.texi b/doc/wget.texi
index eaf6b38..608d008 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -190,7 +190,7 @@ gauge can be customized to your preferences.
Most of the features are fully configurable, either through command line
options, or via the initialization file @file{.wgetrc} (@pxref{Startup
File}). Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{/etc/wgetrc} by default) for site settings. You can also
specify the location of a startup file with the --config option.
To disable the reading of config files, use --no-config.
If both --config and --no-config are given, --no-config is ignored.
@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored.
@ignore
@c man begin FILES
@table @samp
-@item /usr/local/etc/wgetrc
+@item /etc/wgetrc
Default location of the @dfn{global} startup file.
@item .wgetrc
@@ -3154,8 +3154,8 @@ commands.
@cindex location of wgetrc
When initializing, Wget will look for a @dfn{global} startup file,
-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
-@file{/usr/local}, if Wget was not installed there) and read commands
+@file{/etc/wgetrc} by default (or some prefix other than
+@file{/etc}, if Wget was not installed there) and read commands
from there, if it exists.
Then it will look for the user's file. If the environmental variable
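Review bot: in the two replaced lines, the mechanical substitution of /usr/local leaves the sentence reading "or some prefix other than /etc, if Wget was not installed there", which no longer makes sense, since /etc is the configuration directory ($sysconfdir in the NEWS hunk), not an install prefix. Suggest dropping the parenthetical or rewording it around $sysconfdir. The matching doc/wget.info hunk carries the same wording.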
@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
The fact that user's settings are loaded after the system-wide ones
means that in case of collision user's wgetrc @emph{overrides} the
-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
+system-wide wgetrc (in @file{/etc/wgetrc} by default).
Fascist admins, away!
@node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File

@ -0,0 +1,99 @@
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/url.c b/src/url.c
index 69e948b..07c3bc8 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work. */
#include "url.h"
#include "host.h" /* for is_valid_ipv6_address */
#include "c-strcase.h"
+#include "c-ctype.h"
#ifdef HAVE_ICONV
# include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
static const char *
url_skip_credentials (const char *url)
{
- /* Look for '@' that comes before terminators, such as '/', '?',
- '#', or ';'. */
- const char *p = (const char *)strpbrk (url, "@/?#;");
- if (!p || *p != '@')
- return url;
- return p + 1;
+ /*
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+ *
+ * The RFC says
+ * server = [ [ userinfo "@" ] hostport ]
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+ * unreserved = alphanum | mark
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+ */
+ static const char *allowed = "-_.!~*'();:&=+$,";
+
+ for (const char *p = url; *p; p++)
+ {
+ if (c_isalnum(*p))
+ continue;
+
+ if (strchr(allowed, *p))
+ continue;
+
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+ {
+ p += 2;
+ continue;
+ }
+
+ if (*p == '@')
+ return p + 1;
+
+ break;
+ }
+
+ return url;
}
/* Parse credentials contained in [BEG, END). The region is expected
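Review bot: no test accompanies the new loop in url_skip_credentials, and the behaviour change is subtle: ';' moves from a terminator in the old strpbrk set to an allowed userinfo character, and any byte outside the listed RFC 2396 set that appears before '@' now makes the function return url unchanged. Suggest adding cases for a ';' before '@', a '%' not followed by two hex digits, and a URL with no '@' at all. Style: c_isalnum(*p), c_isxdigit(p[1]) and strchr(allowed, *p) omit the space before the parenthesis that the removed strpbrk (url, "@/?#;") call used.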
--
cgit v1.1
diff --git a/tests/Test-proxied-https-auth.px.old b/tests/Test-proxied-https-auth.px
index 83e0210..76617ce 100755
--- a/tests/Test-proxied-https-auth.px.old
+++ b/tests/Test-proxied-https-auth.px
@@ -32,6 +32,7 @@ if (defined $srcdir) {
use HTTP::Daemon;
use HTTP::Request;
# Skip this test rather than fail it when the module isn't installed
+exit 77;
if (!eval {require IO::Socket::SSL;1;}) {
print STDERR "This test needs the perl module \"IO::Socket::SSL\".\n";
print STDERR "Install e.g. on Debian with 'apt-get install libio-socket-ssl-perl'\n";
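Review bot: the added exit 77; sits above the IO::Socket::SSL check and runs unconditionally, so this test is always skipped and everything below it is dead code, while the comment on the line above still says the skip applies only when the module isn't installed. If the test has to be disabled in this build, state the reason in a comment next to the exit, or make the skip conditional on the failing condition.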
diff --git a/tests/Test-proxied-https-auth-keepalive.px.old b/tests/Test-proxied-https-auth-keepalive.px
index 2a18ccf..80a8603 100755
--- a/tests/Test-proxied-https-auth-keepalive.px.old
+++ b/tests/Test-proxied-https-auth-keepalive.px
@@ -32,6 +32,7 @@ if (defined $srcdir) {
use HTTP::Daemon;
use HTTP::Request;
# Skip this test rather than fail it when the module isn't installed
+exit 77;
if (!eval {require IO::Socket::SSL;1;}) {
print STDERR "This test needs the perl module \"IO::Socket::SSL\".\n";
print STDERR "Install e.g. on Debian with 'apt-get install libio-socket-ssl-perl'\n";
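Review bot: this hunk and the one before it follow the "-- cgit v1.1" trailer of the url.c commit, so two test-disabling changes ship inside a patch whose subject only names userinfo parsing. Suggest carrying them as a separate patch with its own description, which keeps the url.c fix verbatim and makes the disabled proxied-HTTPS auth tests visible in the spec's patch list.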

@ -1,7 +1,7 @@
Summary: A utility for retrieving files using the HTTP or FTP protocols Summary: A utility for retrieving files using the HTTP or FTP protocols
Name: wget Name: wget
Version: 1.19.5 Version: 1.19.5
Release: 11%{?dist} Release: 12%{?dist}
License: GPLv3+ License: GPLv3+
Group: Applications/Internet Group: Applications/Internet
Url: http://www.gnu.org/software/wget/ Url: http://www.gnu.org/software/wget/
@ -23,6 +23,7 @@ Patch10: wget-1.19.5-no_proxy-tests.patch
# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=706e71564cadc7192ac21efbf51b661c967f35b5 # http://git.savannah.gnu.org/cgit/wget.git/commit/?id=706e71564cadc7192ac21efbf51b661c967f35b5
Patch11: wget-1.19.5-ca-cert-too-verbose.patch Patch11: wget-1.19.5-ca-cert-too-verbose.patch
Patch12: wget-1.19.5-no-log-when-quiet.patch Patch12: wget-1.19.5-no-log-when-quiet.patch
Patch13: wget-1.19.5-CVE-2024-38428.patch
Provides: webclient Provides: webclient
Provides: bundled(gnulib) Provides: bundled(gnulib)
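Review bot: Patch13 is added without a comment stating its origin, unlike Patch11 directly above, which is preceded by the savannah commit URL. Suggest adding a comment line that names the upstream commit (the patch header gives ed0c7c7e0e8f7298352646b2fd6e06a11e242ace), so the backport can be checked against its source.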
@ -60,6 +61,7 @@ grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1
%patch10 -p1 -b .no_proxy-test %patch10 -p1 -b .no_proxy-test
%patch11 -p1 -b .too_verbose %patch11 -p1 -b .too_verbose
%patch12 -p1 -b .no-log-quiet %patch12 -p1 -b .no-log-quiet
%patch13 -p1 -b .CVE-2024-38428
%build %build
%configure \ %configure \
@ -106,6 +108,9 @@ rm -rf $RPM_BUILD_ROOT
%{_infodir}/* %{_infodir}/*
%changelog %changelog
* Wed Jul 10 2024 Michal Ruprich <mruprich@redhat.com> - 1.19.5-12
- Resolves: RHEL-43559 - Misinterpretation of input may lead to improper behavior
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.19.5-11 * Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.19.5-11
- Rebuilt for MSVSphere 8.8 - Rebuilt for MSVSphere 8.8
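Review bot: the new 1.19.5-12 changelog entry cites only RHEL-43559 and omits the CVE identifier that the patch file name carries (CVE-2024-38428). Suggest naming the CVE in the entry, so that anyone searching the package changelog for that identifier can confirm the fix is present.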
