backport CVE-2024-38428

(cherry picked from commit 85e1a6fffd1cd148fe7c0e06434d2c6bb2f952d8)
This commit is contained in:
xuchenchen 2024-06-16 18:24:21 +08:00 committed by openeuler-sync-bot
parent 1b555c2956
commit 98e91f2a1c
2 changed files with 84 additions and 1 deletions


@ -0,0 +1,76 @@
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/url.c b/src/url.c
index 2ff0b55..0acd3f3 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work. */
#include "url.h"
#include "host.h" /* for is_valid_ipv6_address */
#include "c-strcase.h"
+#include "c-ctype.h"
#ifdef HAVE_ICONV
# include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
static const char *
url_skip_credentials (const char *url)
{
- /* Look for '@' that comes before terminators, such as '/', '?',
- '#', or ';'. */
- const char *p = (const char *)strpbrk (url, "@/?#;");
- if (!p || *p != '@')
- return url;
- return p + 1;
+ /*
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+ *
+ * The RFC says
+ * server = [ [ userinfo "@" ] hostport ]
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+ * unreserved = alphanum | mark
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+ */
+ static const char *allowed = "-_.!~*'();:&=+$,";
+
+ for (const char *p = url; *p; p++)
+ {
+ if (c_isalnum(*p))
+ continue;
+
+ if (strchr(allowed, *p))
+ continue;
+
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+ {
+ p += 2;
+ continue;
+ }
+
+ if (*p == '@')
+ return p + 1;
+
+ break;
+ }
+
+ return url;
}
/* Parse credentials contained in [BEG, END). The region is expected
--
2.33.0
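Review bot: In the new `url_skip_credentials` loop, `strchr(allowed, *p)` is only correct because the loop guard `*p` has already excluded NUL — with a NUL byte `strchr` would match the terminator of `allowed` and treat end-of-string as a legal userinfo character; that dependency should be spelled out with a why-comment such as `/* *p is non-NUL here (loop guard), so strchr cannot match ALLOWED's terminator. */`. The table is better declared as an array, `static const char allowed[] = "-_.!~*'();:&=+$,";`, which drops the extra pointer and keeps `sizeof allowed` meaningful. The function's contract — return the byte after the first `@` only if every preceding byte is an RFC 2396 userinfo character (alnum, the listed marks, or `%XX`), otherwise return `url` unchanged so the whole span is parsed as hostport — is not stated in the hunk; if the comment that presumably precedes the function at line 525 (outside this hunk) does not say so, add it there. The classification calls pass a plain `char` to `c_isalnum`/`c_isxdigit`; gnulib's C-locale variants from `c-ctype.h` are meant to tolerate negative values, unlike `<ctype.h>`, but that is worth confirming for the gnulib snapshot bundled here. The backport carries no regression input; a check that `user;x@host/` skips to `host/` while `host/?a@b` is returned unchanged would pin the CVE-2024-38428 behaviour, assuming the `make check` run by the spec exercises URL parsing.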


@ -1,12 +1,13 @@
Name: wget Name: wget
Version: 1.21.4 Version: 1.21.4
Release: 1 Release: 2
Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
License: GPL-3.0-or-later AND LGPL-2.1-or-later License: GPL-3.0-or-later AND LGPL-2.1-or-later
Url: http://www.gnu.org/software/wget/ Url: http://www.gnu.org/software/wget/
Source: https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz Source: https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
Patch0: backport-wget-1.17-path.patch Patch0: backport-wget-1.17-path.patch
Patch1: backport-CVE-2024-38428.patch
Provides: webclient bundled(gnulib) Provides: webclient bundled(gnulib)
BuildRequires: make perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel BuildRequires: make perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
@ -54,6 +55,12 @@ make check
%{_infodir}/* %{_infodir}/*
%changelog %changelog
* Sun Jun 16 2024 xuchenchen <xuchenchen@kylinos.cn> -1.21.4-2
- Type:CVES
- ID:NA
- SUG:NA
- DESC:backport CVE-2024-38428
* Fri Jul 28 2023 xingwei <xingwei14@h-partners.com> - 1.21.4-1 * Fri Jul 28 2023 xingwei <xingwei14@h-partners.com> - 1.21.4-1
- Type:requirements - Type:requirements
- ID:NA - ID:NA