gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].
* gnu/packages/wget.scm (wget): Update to 1.19.2. [source](uri): Change to '.lz' tarball. [source](patches): Remove. [native-inputs]: Add LZIP. * gnu/packages/patches/wget-CVE-2017-6508.patch, gnu/packages/patches/wget-fix-504-test-timeout.patch, gnu/packages/patches/wget-perl-5.26.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
parent
2e205c6193
commit
6b88912eb6
@ -1100,9 +1100,6 @@ dist_patch_DATA = \
|
||||
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
|
||||
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
|
||||
%D%/packages/patches/weechat-python.patch \
|
||||
%D%/packages/patches/wget-CVE-2017-6508.patch \
|
||||
%D%/packages/patches/wget-fix-504-test-timeout.patch \
|
||||
%D%/packages/patches/wget-perl-5.26.patch \
|
||||
%D%/packages/patches/wicd-bitrate-none-fix.patch \
|
||||
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
|
||||
%D%/packages/patches/wicd-urwid-1.3.patch \
|
||||
|
@ -1,45 +0,0 @@
|
||||
Fix CVE-2017-6508:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
|
||||
|
||||
From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
||||
Date: Mon, 6 Mar 2017 10:04:22 +0100
|
||||
Subject: [PATCH] Fix CRLF injection in Wget host part
|
||||
|
||||
* src/url.c (url_parse): Reject control characters in host part of URL
|
||||
|
||||
Reported-by: Orange Tsai
|
||||
---
|
||||
src/url.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/url.c b/src/url.c
|
||||
index 8f8ff0b8..7d36b27d 100644
|
||||
--- a/src/url.c
|
||||
+++ b/src/url.c
|
||||
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
|
||||
url_unescape (u->host);
|
||||
host_modified = true;
|
||||
|
||||
+ /* check for invalid control characters in host name */
|
||||
+ for (p = u->host; *p; p++)
|
||||
+ {
|
||||
+ if (c_iscntrl(*p))
|
||||
+ {
|
||||
+ url_free(u);
|
||||
+ error_code = PE_INVALID_HOST_NAME;
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* Apply IDNA regardless of iri->utf8_encode status */
|
||||
if (opt.enable_iri && iri)
|
||||
{
|
||||
--
|
||||
2.12.0
|
||||
|
@ -1,160 +0,0 @@
|
||||
This patch is from upstream. If a machine is too slow it can cause
|
||||
test-504.py to fail.
|
||||
http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
|
||||
|
||||
From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
||||
Date: Tue, 14 Feb 2017 16:20:26 +0100
|
||||
Subject: Fix 504 status handling
|
||||
|
||||
* src/http.c (gethttp): Move 504 handling to correct place.
|
||||
(http_loop): Fix memeory leak.
|
||||
* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
|
||||
status codes with a body
|
||||
|
||||
Reported-by: Adam Sampson
|
||||
---
|
||||
src/http.c | 30 +++++++++++-------------------
|
||||
testenv/server/http/http_server.py | 9 +++++----
|
||||
2 files changed, 16 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/src/http.c b/src/http.c
|
||||
index 898e184..d2c5c77 100644
|
||||
--- a/src/http.c
|
||||
+++ b/src/http.c
|
||||
@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
||||
|
||||
#ifdef HAVE_METALINK
|
||||
/* We need to check for the Metalink data in the very first response
|
||||
- we get from the server (before redirectionrs, authorization, etc.). */
|
||||
+ we get from the server (before redirections, authorization, etc.). */
|
||||
if (metalink)
|
||||
{
|
||||
hs->metalink = metalink_from_http (resp, hs, u);
|
||||
@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
||||
uerr_t auth_err = RETROK;
|
||||
bool retry;
|
||||
/* Normally we are not interested in the response body.
|
||||
- But if we are writing a WARC file we are: we like to keep everyting. */
|
||||
+ But if we are writing a WARC file we are: we like to keep everything. */
|
||||
if (warc_enabled)
|
||||
{
|
||||
int _err;
|
||||
@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
||||
pconn.authorized = true;
|
||||
}
|
||||
|
||||
- if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
|
||||
- {
|
||||
- hs->len = 0;
|
||||
- hs->res = 0;
|
||||
- hs->restval = 0;
|
||||
-
|
||||
- CLOSE_FINISH (sock);
|
||||
- xfree (hs->message);
|
||||
-
|
||||
- retval = GATEWAYTIMEOUT;
|
||||
- goto cleanup;
|
||||
- }
|
||||
-
|
||||
-
|
||||
{
|
||||
uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
|
||||
if (ret != RETROK)
|
||||
@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
||||
retval = _err;
|
||||
goto cleanup;
|
||||
}
|
||||
- else
|
||||
- CLOSE_FINISH (sock);
|
||||
+
|
||||
+ CLOSE_FINISH (sock);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
|
||||
CLOSE_INVALIDATE (sock);
|
||||
}
|
||||
|
||||
- retval = RETRFINISHED;
|
||||
+ if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
|
||||
+ retval = GATEWAYTIMEOUT;
|
||||
+ else
|
||||
+ retval = RETRFINISHED;
|
||||
+
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
|
||||
bring them to "while" statement at the end, to judge
|
||||
whether the number of tries was exceeded. */
|
||||
printwhat (count, opt.ntry);
|
||||
+ xfree (hstat.message);
|
||||
+ xfree (hstat.error);
|
||||
continue;
|
||||
case FWRITEERR: case FOPENERR:
|
||||
/* Another fatal error. */
|
||||
diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
|
||||
index e96f6e8..b222df0 100644
|
||||
--- a/testenv/server/http/http_server.py
|
||||
+++ b/testenv/server/http/http_server.py
|
||||
@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
|
||||
def Response(self, resp_obj):
|
||||
self.send_response(resp_obj.response_code)
|
||||
- self.finish_headers()
|
||||
if resp_obj.response_code == 304:
|
||||
raise NoBodyServerError("Conditional get falling to head")
|
||||
raise ServerError("Custom Response code sent.")
|
||||
@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
except AuthError as se:
|
||||
self.send_response(401, "Authorization Required")
|
||||
self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
|
||||
- self.finish_headers()
|
||||
raise se
|
||||
|
||||
def handle_auth(self, auth_rule):
|
||||
@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
if header_recd is None or header_recd != exp_headers[header_line]:
|
||||
self.send_error(400, "Expected Header %s not found" %
|
||||
header_line)
|
||||
- self.finish_headers()
|
||||
raise ServerError("Header " + header_line + " not found")
|
||||
|
||||
def RejectHeader(self, header_obj):
|
||||
@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
if header_recd and header_recd == rej_headers[header_line]:
|
||||
self.send_error(400, 'Blacklisted Header %s received' %
|
||||
header_line)
|
||||
- self.finish_headers()
|
||||
raise ServerError("Header " + header_line + ' received')
|
||||
|
||||
def __log_request(self, method):
|
||||
@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
|
||||
content = self.server.fileSys.get(path)
|
||||
content_length = len(content)
|
||||
+
|
||||
for rule_name in self.rules:
|
||||
try:
|
||||
assert hasattr(self, rule_name)
|
||||
@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
|
||||
return(None, None)
|
||||
except AuthError as ae:
|
||||
print(ae.__str__())
|
||||
+ self.finish_headers()
|
||||
return(None, None)
|
||||
except NoBodyServerError as nbse:
|
||||
print(nbse.__str__())
|
||||
+ self.finish_headers()
|
||||
return(None, None)
|
||||
except ServerError as se:
|
||||
print(se.__str__())
|
||||
+ self.add_header("Content-Length", content_length)
|
||||
+ self.finish_headers()
|
||||
return(content, None)
|
||||
|
||||
try:
|
||||
--
|
||||
cgit v1.0-41-gc330
|
||||
|
@ -1,96 +0,0 @@
|
||||
This upstream commit adjusts tests for Perl 5.26.
|
||||
|
||||
commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
|
||||
Author: Anton Yuzhaninov <citrin+github@citrin.ru>
|
||||
Date: Wed Apr 5 19:06:42 2017 +0300
|
||||
|
||||
Fix perl warnings in tests
|
||||
|
||||
* tests/FTPServer.pm: Escape '{' in RE to fix warnings
|
||||
* tests/FTPTest.pm: Likewise
|
||||
* tests/HTTPServer.pm: Likewise
|
||||
* tests/HTTPTest.pm: Likewise
|
||||
* tests/Test-proxied-https-auth-keepalive.px: Likewise
|
||||
* tests/Test-proxied-https-auth.px: Likewise
|
||||
Escape '{' in RE to fix warnings:
|
||||
Unescaped left brace in regex is deprecated, passed through in regex;
|
||||
marked by <-- HERE in m/{{ <-- HERE port}}/
|
||||
|
||||
diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
|
||||
index a5185d66..cac80942 100644
|
||||
--- a/tests/FTPServer.pm
|
||||
+++ b/tests/FTPServer.pm
|
||||
@@ -589,7 +589,7 @@ sub new
|
||||
foreach my $file (keys %{$self->{_input}})
|
||||
{
|
||||
my $ref = \$self->{_input}{$file}{content};
|
||||
- $$ref =~ s/{{port}}/$self->sockport/eg;
|
||||
+ $$ref =~ s/\Q{{port}}/$self->sockport/eg;
|
||||
}
|
||||
|
||||
return $self;
|
||||
diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
|
||||
index 50385ad0..0a1c768c 100644
|
||||
--- a/tests/FTPTest.pm
|
||||
+++ b/tests/FTPTest.pm
|
||||
@@ -53,7 +53,7 @@ sub _substitute_port
|
||||
{
|
||||
my $self = shift;
|
||||
my $ret = shift;
|
||||
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
|
||||
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
|
||||
return $ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
|
||||
index dd8ec043..78609f65 100644
|
||||
--- a/tests/HTTPServer.pm
|
||||
+++ b/tests/HTTPServer.pm
|
||||
@@ -310,7 +310,7 @@ sub _substitute_port
|
||||
{
|
||||
my $self = shift;
|
||||
my $ret = shift;
|
||||
- $ret =~ s/{{port}}/$self->sockport/eg;
|
||||
+ $ret =~ s/\Q{{port}}/$self->sockport/eg;
|
||||
return $ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
|
||||
index 00f079f8..6225c7f1 100644
|
||||
--- a/tests/HTTPTest.pm
|
||||
+++ b/tests/HTTPTest.pm
|
||||
@@ -47,7 +47,7 @@ sub _substitute_port
|
||||
{
|
||||
my $self = shift;
|
||||
my $ret = shift;
|
||||
- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
|
||||
+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
|
||||
return $ret;
|
||||
}
|
||||
|
||||
diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
|
||||
index 049bebec..2a18ccfd 100755
|
||||
--- a/tests/Test-proxied-https-auth-keepalive.px
|
||||
+++ b/tests/Test-proxied-https-auth-keepalive.px
|
||||
@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
|
||||
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
|
||||
. " --no-check-certificate"
|
||||
. " https://no.such.domain/needs-auth.txt";
|
||||
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
|
||||
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
|
||||
|
||||
if (defined $srcdir) {
|
||||
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
|
||||
diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
|
||||
index ce4e736c..878114e7 100755
|
||||
--- a/tests/Test-proxied-https-auth.px
|
||||
+++ b/tests/Test-proxied-https-auth.px
|
||||
@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
|
||||
. " --password=Dodgson -e https_proxy=localhost:{{port}}"
|
||||
. " --no-check-certificate"
|
||||
. " https://no.such.domain/needs-auth.txt";
|
||||
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
|
||||
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
|
||||
|
||||
if (defined $srcdir) {
|
||||
$VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
|
@ -21,6 +21,7 @@
|
||||
(define-module (gnu packages wget)
|
||||
#:use-module (guix licenses)
|
||||
#:use-module (gnu packages)
|
||||
#:use-module (gnu packages compression)
|
||||
#:use-module (gnu packages libidn)
|
||||
#:use-module (gnu packages python)
|
||||
#:use-module (gnu packages perl)
|
||||
@ -34,18 +35,15 @@
|
||||
(define-public wget
|
||||
(package
|
||||
(name "wget")
|
||||
(version "1.19.1")
|
||||
(version "1.19.2")
|
||||
(source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "mirror://gnu/wget/wget-"
|
||||
version ".tar.xz"))
|
||||
(patches (search-patches "wget-CVE-2017-6508.patch"
|
||||
"wget-fix-504-test-timeout.patch"
|
||||
"wget-perl-5.26.patch"))
|
||||
version ".tar.lz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
|
||||
"01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(#:phases (modify-phases %standard-phases
|
||||
@ -65,7 +63,8 @@
|
||||
(inputs
|
||||
`(("gnutls" ,gnutls)
|
||||
("libidn2" ,libidn2)
|
||||
("libpsl" ,libpsl)))
|
||||
("libpsl" ,libpsl)
|
||||
("lzip" ,lzip)))
|
||||
(native-inputs
|
||||
`(("pkg-config" ,pkg-config)
|
||||
("perl" ,perl)
|
||||
|
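Review bot: `("lzip" ,lzip)` appears to land in the `inputs` list (it closes that list with `)))` right before `(native-inputs`), while the commit log says "[native-inputs]: Add LZIP". lzip looks to be needed only on the build machine to unpack the new `.tar.lz` source, so it should move to `native-inputs`, e.g. `("lzip" ,lzip)` next to `("pkg-config" ,pkg-config)`, leaving `("libpsl" ,libpsl)))` to close `inputs`. Separately, this section drops `wget-CVE-2017-6508.patch` from `patches`, and the log does not state that 1.19.2 already contains upstream commit 4d729e322fae359a1aefaafec1144764a54e8ad4; a one-line mention would let a later reader confirm the CRLF-injection fix was not lost with the patch. The `native-inputs` list continues past the end of the hunk.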