gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].
* gnu/packages/wget.scm (wget): Update to 1.19.2. [source](uri): Change to '.lz' tarball. [source](patches): Remove. [native-inputs]: Add LZIP. * gnu/packages/patches/wget-CVE-2017-6508.patch, gnu/packages/patches/wget-fix-504-test-timeout.patch, gnu/packages/patches/wget-perl-5.26.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.master
parent
2e205c6193
commit
6b88912eb6
|
@ -1100,9 +1100,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
|
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
|
||||||
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
|
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
|
||||||
%D%/packages/patches/weechat-python.patch \
|
%D%/packages/patches/weechat-python.patch \
|
||||||
%D%/packages/patches/wget-CVE-2017-6508.patch \
|
|
||||||
%D%/packages/patches/wget-fix-504-test-timeout.patch \
|
|
||||||
%D%/packages/patches/wget-perl-5.26.patch \
|
|
||||||
%D%/packages/patches/wicd-bitrate-none-fix.patch \
|
%D%/packages/patches/wicd-bitrate-none-fix.patch \
|
||||||
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
|
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
|
||||||
%D%/packages/patches/wicd-urwid-1.3.patch \
|
%D%/packages/patches/wicd-urwid-1.3.patch \
|
||||||
|
|
|
@ -1,45 +0,0 @@
|
||||||
Fix CVE-2017-6508:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
|
|
||||||
|
|
||||||
From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
|
||||||
Date: Mon, 6 Mar 2017 10:04:22 +0100
|
|
||||||
Subject: [PATCH] Fix CRLF injection in Wget host part
|
|
||||||
|
|
||||||
* src/url.c (url_parse): Reject control characters in host part of URL
|
|
||||||
|
|
||||||
Reported-by: Orange Tsai
|
|
||||||
---
|
|
||||||
src/url.c | 11 +++++++++++
|
|
||||||
1 file changed, 11 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/url.c b/src/url.c
|
|
||||||
index 8f8ff0b8..7d36b27d 100644
|
|
||||||
--- a/src/url.c
|
|
||||||
+++ b/src/url.c
|
|
||||||
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
|
|
||||||
url_unescape (u->host);
|
|
||||||
host_modified = true;
|
|
||||||
|
|
||||||
+ /* check for invalid control characters in host name */
|
|
||||||
+ for (p = u->host; *p; p++)
|
|
||||||
+ {
|
|
||||||
+ if (c_iscntrl(*p))
|
|
||||||
+ {
|
|
||||||
+ url_free(u);
|
|
||||||
+ error_code = PE_INVALID_HOST_NAME;
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Apply IDNA regardless of iri->utf8_encode status */
|
|
||||||
if (opt.enable_iri && iri)
|
|
||||||
{
|
|
||||||
--
|
|
||||||
2.12.0
|
|
||||||
|
|
|
@ -1,160 +0,0 @@
|
||||||
This patch is from upstream. If a machine is too slow it can cause
|
|
||||||
test-504.py to fail.
|
|
||||||
http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
|
|
||||||
|
|
||||||
From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
|
||||||
Date: Tue, 14 Feb 2017 16:20:26 +0100
|
|
||||||
Subject: Fix 504 status handling
|
|
||||||
|
|
||||||
* src/http.c (gethttp): Move 504 handling to correct place.
|
|
||||||
(http_loop): Fix memeory leak.
|
|
||||||
* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
|
|
||||||
status codes with a body
|
|
||||||
|
|
||||||
Reported-by: Adam Sampson
|
|
||||||
---
|
|
||||||
src/http.c | 30 +++++++++++-------------------
|
|
||||||
testenv/server/http/http_server.py | 9 +++++----
|
|
||||||
2 files changed, 16 insertions(+), 23 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/http.c b/src/http.c
|
|
||||||
index 898e184..d2c5c77 100644
|
|
||||||
--- a/src/http.c
|
|
||||||
+++ b/src/http.c
|
|
||||||
@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
|
||||||
|
|
||||||
#ifdef HAVE_METALINK
|
|
||||||
/* We need to check for the Metalink data in the very first response
|
|
||||||
- we get from the server (before redirectionrs, authorization, etc.). */
|
|
||||||
+ we get from the server (before redirections, authorization, etc.). */
|
|
||||||
if (metalink)
|
|
||||||
{
|
|
||||||
hs->metalink = metalink_from_http (resp, hs, u);
|
|
||||||
@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
|
||||||
uerr_t auth_err = RETROK;
|
|
||||||
bool retry;
|
|
||||||
/* Normally we are not interested in the response body.
|
|
||||||
- But if we are writing a WARC file we are: we like to keep everyting. */
|
|
||||||
+ But if we are writing a WARC file we are: we like to keep everything. */
|
|
||||||
if (warc_enabled)
|
|
||||||
{
|
|
||||||
int _err;
|
|
||||||
@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
|
||||||
pconn.authorized = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
|
|
||||||
- {
|
|
||||||
- hs->len = 0;
|
|
||||||
- hs->res = 0;
|
|
||||||
- hs->restval = 0;
|
|
||||||
-
|
|
||||||
- CLOSE_FINISH (sock);
|
|
||||||
- xfree (hs->message);
|
|
||||||
-
|
|
||||||
- retval = GATEWAYTIMEOUT;
|
|
||||||
- goto cleanup;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-
|
|
||||||
{
|
|
||||||
uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
|
|
||||||
if (ret != RETROK)
|
|
||||||
@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
|
||||||
retval = _err;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
- else
|
|
||||||
- CLOSE_FINISH (sock);
|
|
||||||
+
|
|
||||||
+ CLOSE_FINISH (sock);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
|
||||||
CLOSE_INVALIDATE (sock);
|
|
||||||
}
|
|
||||||
|
|
||||||
- retval = RETRFINISHED;
|
|
||||||
+ if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
|
|
||||||
+ retval = GATEWAYTIMEOUT;
|
|
||||||
+ else
|
|
||||||
+ retval = RETRFINISHED;
|
|
||||||
+
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
|
|
||||||
bring them to "while" statement at the end, to judge
|
|
||||||
whether the number of tries was exceeded. */
|
|
||||||
printwhat (count, opt.ntry);
|
|
||||||
+ xfree (hstat.message);
|
|
||||||
+ xfree (hstat.error);
|
|
||||||
continue;
|
|
||||||
case FWRITEERR: case FOPENERR:
|
|
||||||
/* Another fatal error. */
|
|
||||||
diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
|
|
||||||
index e96f6e8..b222df0 100644
|
|
||||||
--- a/testenv/server/http/http_server.py
|
|
||||||
+++ b/testenv/server/http/http_server.py
|
|
||||||
@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
|
|
||||||
def Response(self, resp_obj):
|
|
||||||
self.send_response(resp_obj.response_code)
|
|
||||||
- self.finish_headers()
|
|
||||||
if resp_obj.response_code == 304:
|
|
||||||
raise NoBodyServerError("Conditional get falling to head")
|
|
||||||
raise ServerError("Custom Response code sent.")
|
|
||||||
@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
except AuthError as se:
|
|
||||||
self.send_response(401, "Authorization Required")
|
|
||||||
self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
|
|
||||||
- self.finish_headers()
|
|
||||||
raise se
|
|
||||||
|
|
||||||
def handle_auth(self, auth_rule):
|
|
||||||
@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
if header_recd is None or header_recd != exp_headers[header_line]:
|
|
||||||
self.send_error(400, "Expected Header %s not found" %
|
|
||||||
header_line)
|
|
||||||
- self.finish_headers()
|
|
||||||
raise ServerError("Header " + header_line + " not found")
|
|
||||||
|
|
||||||
def RejectHeader(self, header_obj):
|
|
||||||
@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
if header_recd and header_recd == rej_headers[header_line]:
|
|
||||||
self.send_error(400, 'Blacklisted Header %s received' %
|
|
||||||
header_line)
|
|
||||||
- self.finish_headers()
|
|
||||||
raise ServerError("Header " + header_line + ' received')
|
|
||||||
|
|
||||||
def __log_request(self, method):
|
|
||||||
@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
|
|
||||||
content = self.server.fileSys.get(path)
|
|
||||||
content_length = len(content)
|
|
||||||
+
|
|
||||||
for rule_name in self.rules:
|
|
||||||
try:
|
|
||||||
assert hasattr(self, rule_name)
|
|
||||||
@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
|
|
||||||
return(None, None)
|
|
||||||
except AuthError as ae:
|
|
||||||
print(ae.__str__())
|
|
||||||
+ self.finish_headers()
|
|
||||||
return(None, None)
|
|
||||||
except NoBodyServerError as nbse:
|
|
||||||
print(nbse.__str__())
|
|
||||||
+ self.finish_headers()
|
|
||||||
return(None, None)
|
|
||||||
except ServerError as se:
|
|
||||||
print(se.__str__())
|
|
||||||
+ self.add_header("Content-Length", content_length)
|
|
||||||
+ self.finish_headers()
|
|
||||||
return(content, None)
|
|
||||||
|
|
||||||
try:
|
|
||||||
--
|
|
||||||
cgit v1.0-41-gc330
|
|
||||||
|
|
|
@ -1,96 +0,0 @@
|
||||||
This upstream commit adjusts tests for Perl 5.26.
|
|
||||||
|
|
||||||
commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
|
|
||||||
Author: Anton Yuzhaninov <citrin+github@citrin.ru>
|
|
||||||
Date: Wed Apr 5 19:06:42 2017 +0300
|
|
||||||
|
|
||||||
Fix perl warnings in tests
|
|
||||||
|
|
||||||
* tests/FTPServer.pm: Escape '{' in RE to fix warnings
|
|
||||||
* tests/FTPTest.pm: Likewise
|
|
||||||
* tests/HTTPServer.pm: Likewise
|
|
||||||
* tests/HTTPTest.pm: Likewise
|
|
||||||
* tests/Test-proxied-https-auth-keepalive.px: Likewise
|
|
||||||
* tests/Test-proxied-https-auth.px: Likewise
|
|
||||||
Escape '{' in RE to fix warnings:
|
|
||||||
Unescaped left brace in regex is deprecated, passed through in regex;
|
|
||||||
marked by <-- HERE in m/{{ <-- HERE port}}/
|
|
||||||
|
|
||||||
diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
|
|
||||||
index a5185d66..cac80942 100644
|
|
||||||
--- a/tests/FTPServer.pm
|
|
||||||
+++ b/tests/FTPServer.pm
|
|
||||||
@@ -589,7 +589,7 @@ sub new
|
|
||||||
foreach my $file (keys %{$self->{_input}})
|
|
||||||
{
|
|
||||||
my $ref = \$self->{_input}{$file}{content};
|
|
||||||
- $$ref =~ s/{{port}}/$self->sockport/eg;
|
|
||||||
+ $$ref =~ s/\Q{{port}}/$self->sockport/eg;
|
|
||||||
}
|
|
||||||
|
|
||||||
return $self;
|
|
||||||
diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
|
|
||||||
index 50385ad0..0a1c768c 100644
|
|
||||||
--- a/tests/FTPTest.pm
|
|
||||||
+++ b/tests/FTPTest.pm
|
|
||||||
@@ -53,7 +53,7 @@ sub _substitute_port
|
|
||||||
{
|
|
||||||
my $self = shift;
|
|
||||||
my $ret = shift;
|
|
||||||
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
|
|
||||||
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
|
|
||||||
return $ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
|
|
||||||
index dd8ec043..78609f65 100644
|
|
||||||
--- a/tests/HTTPServer.pm
|
|
||||||
+++ b/tests/HTTPServer.pm
|
|
||||||
@@ -310,7 +310,7 @@ sub _substitute_port
|
|
||||||
{
|
|
||||||
my $self = shift;
|
|
||||||
my $ret = shift;
|
|
||||||
- $ret =~ s/{{port}}/$self->sockport/eg;
|
|
||||||
+ $ret =~ s/\Q{{port}}/$self->sockport/eg;
|
|
||||||
return $ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
|
|
||||||
index 00f079f8..6225c7f1 100644
|
|
||||||
--- a/tests/HTTPTest.pm
|
|
||||||
+++ b/tests/HTTPTest.pm
|
|
||||||
@@ -47,7 +47,7 @@ sub _substitute_port
|
|
||||||
{
|
|
||||||
my $self = shift;
|
|
||||||
my $ret = shift;
|
|
||||||
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
|
|
||||||
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
|
|
||||||
return $ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
|
|
||||||
index 049bebec..2a18ccfd 100755
|
|
||||||
--- a/tests/Test-proxied-https-auth-keepalive.px
|
|
||||||
+++ b/tests/Test-proxied-https-auth-keepalive.px
|
|
||||||
@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
|
|
||||||
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
|
|
||||||
. " --no-check-certificate"
|
|
||||||
. " https://no.such.domain/needs-auth.txt";
|
|
||||||
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
|
|
||||||
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
|
|
||||||
|
|
||||||
if (defined $srcdir) {
|
|
||||||
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
|
|
||||||
diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
|
|
||||||
index ce4e736c..878114e7 100755
|
|
||||||
--- a/tests/Test-proxied-https-auth.px
|
|
||||||
+++ b/tests/Test-proxied-https-auth.px
|
|
||||||
@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
|
|
||||||
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
|
|
||||||
. " --no-check-certificate"
|
|
||||||
. " https://no.such.domain/needs-auth.txt";
|
|
||||||
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
|
|
||||||
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
|
|
||||||
|
|
||||||
if (defined $srcdir) {
|
|
||||||
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
|
|
|
@ -21,6 +21,7 @@
|
||||||
(define-module (gnu packages wget)
|
(define-module (gnu packages wget)
|
||||||
#:use-module (guix licenses)
|
#:use-module (guix licenses)
|
||||||
#:use-module (gnu packages)
|
#:use-module (gnu packages)
|
||||||
|
#:use-module (gnu packages compression)
|
||||||
#:use-module (gnu packages libidn)
|
#:use-module (gnu packages libidn)
|
||||||
#:use-module (gnu packages python)
|
#:use-module (gnu packages python)
|
||||||
#:use-module (gnu packages perl)
|
#:use-module (gnu packages perl)
|
||||||
|
@ -34,18 +35,15 @@
|
||||||
(define-public wget
|
(define-public wget
|
||||||
(package
|
(package
|
||||||
(name "wget")
|
(name "wget")
|
||||||
(version "1.19.1")
|
(version "1.19.2")
|
||||||
(source
|
(source
|
||||||
(origin
|
(origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "mirror://gnu/wget/wget-"
|
(uri (string-append "mirror://gnu/wget/wget-"
|
||||||
version ".tar.xz"))
|
version ".tar.lz"))
|
||||||
(patches (search-patches "wget-CVE-2017-6508.patch"
|
|
||||||
"wget-fix-504-test-timeout.patch"
|
|
||||||
"wget-perl-5.26.patch"))
|
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
|
"01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(#:phases (modify-phases %standard-phases
|
'(#:phases (modify-phases %standard-phases
|
||||||
|
@ -65,7 +63,8 @@
|
||||||
(inputs
|
(inputs
|
||||||
`(("gnutls" ,gnutls)
|
`(("gnutls" ,gnutls)
|
||||||
("libidn2" ,libidn2)
|
("libidn2" ,libidn2)
|
||||||
("libpsl" ,libpsl)))
|
("libpsl" ,libpsl)
|
||||||
|
("lzip" ,lzip)))
|
||||||
(native-inputs
|
(native-inputs
|
||||||
`(("pkg-config" ,pkg-config)
|
`(("pkg-config" ,pkg-config)
|
||||||
("perl" ,perl)
|
("perl" ,perl)
|
||||||
|
|
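Review bot: The new `("lzip" ,lzip)` entry is added to `inputs`, directly after `("libpsl" ,libpsl)`, while the commit message says "[native-inputs]: Add LZIP". lzip is presumably needed only to unpack the `.tar.lz` source on the build machine, so it should sit in `native-inputs` next to `("perl" ,perl)`; as a regular input it would be taken for the target system when cross-compiling. The `native-inputs` list continues past the end of the last hunk, so its closing parentheses are not visible here. Separately, the same section drops `wget-CVE-2017-6508.patch` from `patches` without stating that 1.19.2 already contains upstream commit 4d729e322fae359a1aefaafec1144764a54e8ad4 (the control-character check in `url_parse`). A sentence in the commit message confirming this would let the removal of a security fix be audited without diffing the release tarball.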