From 6b88912eb6c414467234678c347990181dbf848b Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Thu, 26 Oct 2017 23:23:44 +0200
Subject: [PATCH] gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].

* gnu/packages/wget.scm (wget): Update to 1.19.2. [source](uri): Change to '.lz' tarball. [source](patches): Remove. [native-inputs]: Add LZIP.
* gnu/packages/patches/wget-CVE-2017-6508.patch, gnu/packages/patches/wget-fix-504-test-timeout.patch, gnu/packages/patches/wget-perl-5.26.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk | 3 -
 gnu/packages/patches/wget-CVE-2017-6508.patch | 45 -----
 .../patches/wget-fix-504-test-timeout.patch | 160 ------------------
 gnu/packages/patches/wget-perl-5.26.patch | 96 -----------
 gnu/packages/wget.scm | 13 +-
 5 files changed, 6 insertions(+), 311 deletions(-)
 delete mode 100644 gnu/packages/patches/wget-CVE-2017-6508.patch
 delete mode 100644 gnu/packages/patches/wget-fix-504-test-timeout.patch
 delete mode 100644 gnu/packages/patches/wget-perl-5.26.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f318bcd497..2aa2f7b20c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1100,9 +1100,6 @@ dist_patch_DATA = \
 %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
 %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
 %D%/packages/patches/weechat-python.patch \
- %D%/packages/patches/wget-CVE-2017-6508.patch \
- %D%/packages/patches/wget-fix-504-test-timeout.patch \
- %D%/packages/patches/wget-perl-5.26.patch \
 %D%/packages/patches/wicd-bitrate-none-fix.patch \
 %D%/packages/patches/wicd-get-selected-profile-fix.patch \
 %D%/packages/patches/wicd-urwid-1.3.patch \
diff --git a/gnu/packages/patches/wget-CVE-2017-6508.patch b/gnu/packages/patches/wget-CVE-2017-6508.patch
deleted file mode 100644
index 0218fceaad..0000000000
--- a/gnu/packages/patches/wget-CVE-2017-6508.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-6508:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
-
-From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?=
-Date: Mon, 6 Mar 2017 10:04:22 +0100
-Subject: [PATCH] Fix CRLF injection in Wget host part
-
-* src/url.c (url_parse): Reject control characters in host part of URL
-
-Reported-by: Orange Tsai
----
- src/url.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/url.c b/src/url.c
-index 8f8ff0b8..7d36b27d 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
- url_unescape (u->host);
- host_modified = true;
-
-+ /* check for invalid control characters in host name */
-+ for (p = u->host; *p; p++)
-+ {
-+ if (c_iscntrl(*p))
-+ {
-+ url_free(u);
-+ error_code = PE_INVALID_HOST_NAME;
-+ goto error;
-+ }
-+ }
-+
- /* Apply IDNA regardless of iri->utf8_encode status */
- if (opt.enable_iri && iri)
- {
---
-2.12.0
-
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch b/gnu/packages/patches/wget-fix-504-test-timeout.patch
deleted file mode 100644
index d9bf154103..0000000000
--- a/gnu/packages/patches/wget-fix-504-test-timeout.patch
+++ /dev/null
@@ -1,160 +0,0 @@ -This patch is from upstream. If a machine is too slow it can cause -test-504.py to fail. -http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de - -From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20R=C3=BChsen?= -Date: Tue, 14 Feb 2017 16:20:26 +0100 -Subject: Fix 504 status handling - -* src/http.c (gethttp): Move 504 handling to correct place. - (http_loop): Fix memeory leak. -* testenv/server/http/http_server.py: Add Content-Length header on non-2xx - status codes with a body - -Reported-by: Adam Sampson ---- - src/http.c | 30 +++++++++++------------------- - testenv/server/http/http_server.py | 9 +++++---- - 2 files changed, 16 insertions(+), 23 deletions(-) - -diff --git a/src/http.c b/src/http.c -index 898e184..d2c5c77 100644 ---- a/src/http.c -+++ b/src/http.c -@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, - - #ifdef HAVE_METALINK - /* We need to check for the Metalink data in the very first response -- we get from the server (before redirectionrs, authorization, etc.). */ -+ we get from the server (before redirections, authorization, etc.). */ - if (metalink) - { - hs->metalink = metalink_from_http (resp, hs, u); -@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, - uerr_t auth_err = RETROK; - bool retry; - /* Normally we are not interested in the response body. -- But if we are writing a WARC file we are: we like to keep everyting. */ -+ But if we are writing a WARC file we are: we like to keep everything. 
*/ - if (warc_enabled) - { - int _err; -@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, - pconn.authorized = true; - } - -- if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT) -- { -- hs->len = 0; -- hs->res = 0; -- hs->restval = 0; -- -- CLOSE_FINISH (sock); -- xfree (hs->message); -- -- retval = GATEWAYTIMEOUT; -- goto cleanup; -- } -- -- - { - uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval); - if (ret != RETROK) -@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, - retval = _err; - goto cleanup; - } -- else -- CLOSE_FINISH (sock); -+ -+ CLOSE_FINISH (sock); - } - else - { -@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, - CLOSE_INVALIDATE (sock); - } - -- retval = RETRFINISHED; -+ if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT) -+ retval = GATEWAYTIMEOUT; -+ else -+ retval = RETRFINISHED; -+ - goto cleanup; - } - -@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc, - bring them to "while" statement at the end, to judge - whether the number of tries was exceeded. */ - printwhat (count, opt.ntry); -+ xfree (hstat.message); -+ xfree (hstat.error); - continue; - case FWRITEERR: case FOPENERR: - /* Another fatal error. 
*/ -diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py -index e96f6e8..b222df0 100644 ---- a/testenv/server/http/http_server.py -+++ b/testenv/server/http/http_server.py -@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler): - - def Response(self, resp_obj): - self.send_response(resp_obj.response_code) -- self.finish_headers() - if resp_obj.response_code == 304: - raise NoBodyServerError("Conditional get falling to head") - raise ServerError("Custom Response code sent.") -@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler): - except AuthError as se: - self.send_response(401, "Authorization Required") - self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm) -- self.finish_headers() - raise se - - def handle_auth(self, auth_rule): -@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler): - if header_recd is None or header_recd != exp_headers[header_line]: - self.send_error(400, "Expected Header %s not found" % - header_line) -- self.finish_headers() - raise ServerError("Header " + header_line + " not found") - - def RejectHeader(self, header_obj): -@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler): - if header_recd and header_recd == rej_headers[header_line]: - self.send_error(400, 'Blacklisted Header %s received' % - header_line) -- self.finish_headers() - raise ServerError("Header " + header_line + ' received') - - def __log_request(self, method): -@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler): - - content = self.server.fileSys.get(path) - content_length = len(content) -+ - for rule_name in self.rules: - try: - assert hasattr(self, rule_name) -@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler): - return(None, None) - except AuthError as ae: - print(ae.__str__()) -+ self.finish_headers() - return(None, None) - except NoBodyServerError as nbse: - print(nbse.__str__()) -+ self.finish_headers() - return(None, None) - except ServerError as se: - print(se.__str__()) -+ 
self.add_header("Content-Length", content_length) -+ self.finish_headers() - return(content, None) - - try: --- -cgit v1.0-41-gc330 - diff --git a/gnu/packages/patches/wget-perl-5.26.patch b/gnu/packages/patches/wget-perl-5.26.patch deleted file mode 100644 index ee3a984daa..0000000000 --- a/gnu/packages/patches/wget-perl-5.26.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -This upstream commit adjusts tests for Perl 5.26. - -commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f -Author: Anton Yuzhaninov -Date: Wed Apr 5 19:06:42 2017 +0300 - - Fix perl warnings in tests - - * tests/FTPServer.pm: Escape '{' in RE to fix warnings - * tests/FTPTest.pm: Likewise - * tests/HTTPServer.pm: Likewise - * tests/HTTPTest.pm: Likewise - * tests/Test-proxied-https-auth-keepalive.px: Likewise - * tests/Test-proxied-https-auth.px: Likewise - Escape '{' in RE to fix warnings: - Unescaped left brace in regex is deprecated, passed through in regex; - marked by <-- HERE in m/{{ <-- HERE port}}/ - -diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm -index a5185d66..cac80942 100644 ---- a/tests/FTPServer.pm -+++ b/tests/FTPServer.pm -@@ -589,7 +589,7 @@ sub new - foreach my $file (keys %{$self->{_input}}) - { - my $ref = \$self->{_input}{$file}{content}; -- $$ref =~ s/{{port}}/$self->sockport/eg; -+ $$ref =~ s/\Q{{port}}/$self->sockport/eg; - } - - return $self; -diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm -index 50385ad0..0a1c768c 100644 ---- a/tests/FTPTest.pm -+++ b/tests/FTPTest.pm -@@ -53,7 +53,7 @@ sub _substitute_port - { - my $self = shift; - my $ret = shift; -- $ret =~ s/{{port}}/$self->{_server}->sockport/eg; -+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg; - return $ret; - } - -diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm -index dd8ec043..78609f65 100644 ---- a/tests/HTTPServer.pm -+++ b/tests/HTTPServer.pm -@@ -310,7 +310,7 @@ sub _substitute_port - { - my $self = shift; - my $ret = shift; -- $ret =~ s/{{port}}/$self->sockport/eg; -+ $ret =~ s/\Q{{port}}/$self->sockport/eg; - return $ret; - } - -diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm -index 00f079f8..6225c7f1 100644 ---- a/tests/HTTPTest.pm -+++ b/tests/HTTPTest.pm -@@ -47,7 +47,7 @@ sub _substitute_port - { - my $self = shift; - my $ret = shift; -- $ret =~ s/{{port}}/$self->{_server}->sockport/eg; -+ $ret =~ 
s/\Q{{port}}/$self->{_server}->sockport/eg;
- return $ret;
- }
-
-diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
-index 049bebec..2a18ccfd 100755
---- a/tests/Test-proxied-https-auth-keepalive.px
-+++ b/tests/Test-proxied-https-auth-keepalive.px
-@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
- . " --password=Dodgson -e https_proxy=localhost:{{port}}"
- . " --no-check-certificate"
- . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
-
- if (defined $srcdir) {
- $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
-diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
-index ce4e736c..878114e7 100755
---- a/tests/Test-proxied-https-auth.px
-+++ b/tests/Test-proxied-https-auth.px
-@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
- . " --password=Dodgson -e https_proxy=localhost:{{port}}"
- . " --no-check-certificate"
- . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
-
- if (defined $srcdir) {
- $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
diff --git a/gnu/packages/wget.scm b/gnu/packages/wget.scm
index 3673ad5cc4..bfcfcad230 100644
--- a/gnu/packages/wget.scm
+++ b/gnu/packages/wget.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages wget)
 #:use-module (guix licenses)
 #:use-module (gnu packages)
+ #:use-module (gnu packages compression)
 #:use-module (gnu packages libidn)
 #:use-module (gnu packages python)
 #:use-module (gnu packages perl)
@@ -34,18 +35,15 @@ (define-public wget (package (name "wget") - (version "1.19.1") + (version "1.19.2") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/wget/wget-" - version ".tar.xz")) - (patches (search-patches "wget-CVE-2017-6508.patch" - "wget-fix-504-test-timeout.patch" - "wget-perl-5.26.patch")) + version ".tar.lz")) (sha256 (base32 - "1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c")))) + "01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm")))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases @@ -65,7 +63,8 @@ (inputs `(("gnutls" ,gnutls) ("libidn2" ,libidn2) - ("libpsl" ,libpsl))) + ("libpsl" ,libpsl) + ("lzip" ,lzip))) (native-inputs `(("pkg-config" ,pkg-config) ("perl" ,perl)
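Review bot: The hunk removes the `wget-CVE-2017-6508.patch` backport (the `(patches (search-patches ...))` lines) in the same step as the version bump, but nothing on the page records that the upstream fix it carried (commit 4d729e322fae359a1aefaafec1144764a54e8ad4, dated March 2017 and, as far as I can tell, not part of the 1.19.1 release the old recipe used) is contained in 1.19.2. The commit message should say that all three dropped patches are included upstream in 1.19.2, e.g. `[source](patches): Remove; all three are included upstream.`, so the CVE-2017-6508 (CRLF injection in the URL host part) mitigation is visibly preserved rather than implicitly. The new `.tar.lz` sha256 cannot be checked from this page and should be confirmed against the signed upstream release rather than the mirror alone.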
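Review bot: `("lzip" ,lzip)` is added to `inputs` in the last hunk of gnu/packages/wget.scm, whereas the commit message's ChangeLog entry reads `[native-inputs]: Add LZIP.`, so the code and the message disagree. lzip is only needed to unpack the new `.tar.lz` source during the build, so it belongs in `native-inputs` next to `pkg-config`: leave `inputs` ending with `("libpsl" ,libpsl)))` and add `("lzip" ,lzip)` to the `native-inputs` list instead. As written, lzip presumably also becomes part of wget's runtime closure and, when cross-compiling, would be built for the target rather than for the build host; the placement stated in the commit message is the correct one.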