gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].

* gnu/packages/wget.scm (wget): Update to 1.19.2.
[source](uri): Change to '.lz' tarball.
[source](patches): Remove.
[native-inputs]: Add LZIP.
* gnu/packages/patches/wget-CVE-2017-6508.patch,
gnu/packages/patches/wget-fix-504-test-timeout.patch,
gnu/packages/patches/wget-perl-5.26.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Marius Bakke 2017-10-26 23:23:44 +02:00
parent 2e205c6193
commit 6b88912eb6
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
5 changed files with 6 additions and 311 deletions

View File

@ -1100,9 +1100,6 @@ dist_patch_DATA = \
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
%D%/packages/patches/weechat-python.patch \
%D%/packages/patches/wget-CVE-2017-6508.patch \
%D%/packages/patches/wget-fix-504-test-timeout.patch \
%D%/packages/patches/wget-perl-5.26.patch \
%D%/packages/patches/wicd-bitrate-none-fix.patch \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
%D%/packages/patches/wicd-urwid-1.3.patch \

View File

@ -1,45 +0,0 @@
Fix CVE-2017-6508:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
Patch copied from upstream source repository:
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Mon, 6 Mar 2017 10:04:22 +0100
Subject: [PATCH] Fix CRLF injection in Wget host part
* src/url.c (url_parse): Reject control characters in host part of URL
Reported-by: Orange Tsai
---
src/url.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/url.c b/src/url.c
index 8f8ff0b8..7d36b27d 100644
--- a/src/url.c
+++ b/src/url.c
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
url_unescape (u->host);
host_modified = true;
+ /* check for invalid control characters in host name */
+ for (p = u->host; *p; p++)
+ {
+ if (c_iscntrl(*p))
+ {
+ url_free(u);
+ error_code = PE_INVALID_HOST_NAME;
+ goto error;
+ }
+ }
+
/* Apply IDNA regardless of iri->utf8_encode status */
if (opt.enable_iri && iri)
{
--
2.12.0

View File

@ -1,160 +0,0 @@
This patch is from upstream. If a machine is too slow it can cause
test-504.py to fail.
http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Tue, 14 Feb 2017 16:20:26 +0100
Subject: Fix 504 status handling
* src/http.c (gethttp): Move 504 handling to correct place.
(http_loop): Fix memeory leak.
* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
status codes with a body
Reported-by: Adam Sampson
---
src/http.c | 30 +++++++++++-------------------
testenv/server/http/http_server.py | 9 +++++----
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/src/http.c b/src/http.c
index 898e184..d2c5c77 100644
--- a/src/http.c
+++ b/src/http.c
@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
#ifdef HAVE_METALINK
/* We need to check for the Metalink data in the very first response
- we get from the server (before redirectionrs, authorization, etc.). */
+ we get from the server (before redirections, authorization, etc.). */
if (metalink)
{
hs->metalink = metalink_from_http (resp, hs, u);
@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
uerr_t auth_err = RETROK;
bool retry;
/* Normally we are not interested in the response body.
- But if we are writing a WARC file we are: we like to keep everyting. */
+ But if we are writing a WARC file we are: we like to keep everything. */
if (warc_enabled)
{
int _err;
@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
pconn.authorized = true;
}
- if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
- {
- hs->len = 0;
- hs->res = 0;
- hs->restval = 0;
-
- CLOSE_FINISH (sock);
- xfree (hs->message);
-
- retval = GATEWAYTIMEOUT;
- goto cleanup;
- }
-
-
{
uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
if (ret != RETROK)
@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
retval = _err;
goto cleanup;
}
- else
- CLOSE_FINISH (sock);
+
+ CLOSE_FINISH (sock);
}
else
{
@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
CLOSE_INVALIDATE (sock);
}
- retval = RETRFINISHED;
+ if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
+ retval = GATEWAYTIMEOUT;
+ else
+ retval = RETRFINISHED;
+
goto cleanup;
}
@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
bring them to "while" statement at the end, to judge
whether the number of tries was exceeded. */
printwhat (count, opt.ntry);
+ xfree (hstat.message);
+ xfree (hstat.error);
continue;
case FWRITEERR: case FOPENERR:
/* Another fatal error. */
diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
index e96f6e8..b222df0 100644
--- a/testenv/server/http/http_server.py
+++ b/testenv/server/http/http_server.py
@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
def Response(self, resp_obj):
self.send_response(resp_obj.response_code)
- self.finish_headers()
if resp_obj.response_code == 304:
raise NoBodyServerError("Conditional get falling to head")
raise ServerError("Custom Response code sent.")
@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
except AuthError as se:
self.send_response(401, "Authorization Required")
self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
- self.finish_headers()
raise se
def handle_auth(self, auth_rule):
@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
if header_recd is None or header_recd != exp_headers[header_line]:
self.send_error(400, "Expected Header %s not found" %
header_line)
- self.finish_headers()
raise ServerError("Header " + header_line + " not found")
def RejectHeader(self, header_obj):
@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
if header_recd and header_recd == rej_headers[header_line]:
self.send_error(400, 'Blacklisted Header %s received' %
header_line)
- self.finish_headers()
raise ServerError("Header " + header_line + ' received')
def __log_request(self, method):
@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
content = self.server.fileSys.get(path)
content_length = len(content)
+
for rule_name in self.rules:
try:
assert hasattr(self, rule_name)
@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
return(None, None)
except AuthError as ae:
print(ae.__str__())
+ self.finish_headers()
return(None, None)
except NoBodyServerError as nbse:
print(nbse.__str__())
+ self.finish_headers()
return(None, None)
except ServerError as se:
print(se.__str__())
+ self.add_header("Content-Length", content_length)
+ self.finish_headers()
return(content, None)
try:
--
cgit v1.0-41-gc330

View File

@ -1,96 +0,0 @@
This upstream commit adjusts tests for Perl 5.26.
commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
Author: Anton Yuzhaninov <citrin+github@citrin.ru>
Date: Wed Apr 5 19:06:42 2017 +0300
Fix perl warnings in tests
* tests/FTPServer.pm: Escape '{' in RE to fix warnings
* tests/FTPTest.pm: Likewise
* tests/HTTPServer.pm: Likewise
* tests/HTTPTest.pm: Likewise
* tests/Test-proxied-https-auth-keepalive.px: Likewise
* tests/Test-proxied-https-auth.px: Likewise
Escape '{' in RE to fix warnings:
Unescaped left brace in regex is deprecated, passed through in regex;
marked by <-- HERE in m/{{ <-- HERE port}}/
diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
index a5185d66..cac80942 100644
--- a/tests/FTPServer.pm
+++ b/tests/FTPServer.pm
@@ -589,7 +589,7 @@ sub new
foreach my $file (keys %{$self->{_input}})
{
my $ref = \$self->{_input}{$file}{content};
- $$ref =~ s/{{port}}/$self->sockport/eg;
+ $$ref =~ s/\Q{{port}}/$self->sockport/eg;
}
return $self;
diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
index 50385ad0..0a1c768c 100644
--- a/tests/FTPTest.pm
+++ b/tests/FTPTest.pm
@@ -53,7 +53,7 @@ sub _substitute_port
{
my $self = shift;
my $ret = shift;
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
return $ret;
}
diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
index dd8ec043..78609f65 100644
--- a/tests/HTTPServer.pm
+++ b/tests/HTTPServer.pm
@@ -310,7 +310,7 @@ sub _substitute_port
{
my $self = shift;
my $ret = shift;
- $ret =~ s/{{port}}/$self->sockport/eg;
+ $ret =~ s/\Q{{port}}/$self->sockport/eg;
return $ret;
}
diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
index 00f079f8..6225c7f1 100644
--- a/tests/HTTPTest.pm
+++ b/tests/HTTPTest.pm
@@ -47,7 +47,7 @@ sub _substitute_port
{
my $self = shift;
my $ret = shift;
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
return $ret;
}
diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
index 049bebec..2a18ccfd 100755
--- a/tests/Test-proxied-https-auth-keepalive.px
+++ b/tests/Test-proxied-https-auth-keepalive.px
@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
. " --no-check-certificate"
. " https://no.such.domain/needs-auth.txt";
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
if (defined $srcdir) {
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
index ce4e736c..878114e7 100755
--- a/tests/Test-proxied-https-auth.px
+++ b/tests/Test-proxied-https-auth.px
@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
. " --no-check-certificate"
. " https://no.such.domain/needs-auth.txt";
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
if (defined $srcdir) {
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';

View File

@ -21,6 +21,7 @@
(define-module (gnu packages wget)
#:use-module (guix licenses)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
#:use-module (gnu packages libidn)
#:use-module (gnu packages python)
#:use-module (gnu packages perl)
@ -34,18 +35,15 @@
(define-public wget
(package
(name "wget")
(version "1.19.1")
(version "1.19.2")
(source
(origin
(method url-fetch)
(uri (string-append "mirror://gnu/wget/wget-"
version ".tar.xz"))
(patches (search-patches "wget-CVE-2017-6508.patch"
"wget-fix-504-test-timeout.patch"
"wget-perl-5.26.patch"))
version ".tar.lz"))
(sha256
(base32
"1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
"01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
(build-system gnu-build-system)
(arguments
'(#:phases (modify-phases %standard-phases
@ -65,7 +63,8 @@
(inputs
`(("gnutls" ,gnutls)
("libidn2" ,libidn2)
("libpsl" ,libpsl)))
("libpsl" ,libpsl)
("lzip" ,lzip)))
(native-inputs
`(("pkg-config" ,pkg-config)
("perl" ,perl)