!47 [sync] PR-42: fix CVE-2024-10524

From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan

backport-CVE-2024-10524.patch

@@ -0,0 +1,191 @@
+From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
+From: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Sun, 27 Oct 2024 19:53:14 +0100
+Subject: Fix CVE-2024-10524 (drop support for shorthand URLs)
+
+* doc/wget.texi: Add documentation for removed support for shorthand URLs.
+* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
+* src/main.c (main): Likewise.
+* src/retr.c (getproxy): Likewise.
+* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
+  add new function is_valid_port.
+* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
+
+Reported-by: Goni Golan <gonig@jfrog.com>
+---
+ doc/wget.texi  | 12 ++++--------
+ src/html-url.c |  2 +-
+ src/main.c     |  2 +-
+ src/retr.c     |  2 +-
+ src/url.c      | 57 ++++++++++++++++++---------------------------------------
+ src/url.h      |  2 +-
+ 6 files changed, 26 insertions(+), 51 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 1d026d72..d46da375 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -314,8 +314,8 @@ for text files.  Here is an example:
+ ftp://host/directory/file;type=a
+ @end example
+ 
+-Two alternative variants of @sc{url} specification are also supported,
+-because of historical (hysterical?) reasons and their widespreaded use.
++The two alternative variants of @sc{url} specifications are no longer
++supported because of security considerations:
+ 
+ @sc{ftp}-only syntax (supported by @code{NcFTP}):
+ @example
+@@ -327,12 +327,8 @@ host:/dir/file
+ host[:port]/dir/file
+ @end example
+ 
+-These two alternative forms are deprecated, and may cease being
+-supported in the future.
+-
+-If you do not understand the difference between these notations, or do
+-not know which one to use, just use the plain ordinary format you use
+-with your favorite browser, like @code{Lynx} or @code{Netscape}.
++These two alternative forms have been deprecated long time ago,
++and support is removed with version 1.22.0.
+ 
+ @c man begin OPTIONS
+ 
+diff --git a/src/html-url.c b/src/html-url.c
+index 8e960092..99914943 100644
+--- a/src/html-url.c
++++ b/src/html-url.c
+@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again)
+           url_text = merged;
+         }
+ 
+-      new_url = rewrite_shorthand_url (url_text);
++      new_url = maybe_prepend_scheme (url_text);
+       if (new_url)
+         {
+           xfree (url_text);
+diff --git a/src/main.c b/src/main.c
+index 77b1a0b6..6858d2da 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
+       struct iri *iri = iri_new ();
+       struct url *url_parsed;
+ 
+-      t = rewrite_shorthand_url (argv[optind]);
++      t = maybe_prepend_scheme (argv[optind]);
+       if (!t)
+         t = argv[optind];
+ 
+diff --git a/src/retr.c b/src/retr.c
+index 5422963c..26eb9f17 100644
+--- a/src/retr.c
++++ b/src/retr.c
+@@ -1546,7 +1546,7 @@ getproxy (struct url *u)
+ 
+   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
+      getproxy() to return static storage. */
+-  rewritten_url = rewrite_shorthand_url (proxy);
++  rewritten_url = maybe_prepend_scheme (proxy);
+   if (rewritten_url)
+     return rewritten_url;
+ 
+diff --git a/src/url.c b/src/url.c
+index 07c3bc87..2f27c48a 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
+   return true;
+ }
+ 
+-/* Used by main.c: detect URLs written using the "shorthand" URL forms
+-   originally popularized by Netscape and NcFTP.  HTTP shorthands look
+-   like this:
+-
+-   www.foo.com[:port]/dir/file   -> http://www.foo.com[:port]/dir/file
+-   www.foo.com[:port]            -> http://www.foo.com[:port]
+-
+-   FTP shorthands look like this:
+-
+-   foo.bar.com:dir/file          -> ftp://foo.bar.com/dir/file
+-   foo.bar.com:/absdir/file      -> ftp://foo.bar.com//absdir/file
++static bool is_valid_port(const char *p)
++{
++  unsigned port = (unsigned) atoi (p);
++  if (port == 0 || port > 65535)
++    return false;
+ 
+-   If the URL needs not or cannot be rewritten, return NULL.  */
++  int digits = strspn (p, "0123456789");
++  return digits && (p[digits] == '/' || p[digits] == '\0');
++}
+ 
++/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
+ char *
+-rewrite_shorthand_url (const char *url)
++maybe_prepend_scheme (const char *url)
+ {
+-  const char *p;
+-  char *ret;
+-
+   if (url_scheme (url) != SCHEME_INVALID)
+     return NULL;
+ 
+-  /* Look for a ':' or '/'.  The former signifies NcFTP syntax, the
+-     latter Netscape.  */
+-  p = strpbrk (url, ":/");
++  const char *p = strchr (url, ':');
+   if (p == url)
+     return NULL;
+ 
+   /* If we're looking at "://", it means the URL uses a scheme we
+      don't support, which may include "https" when compiled without
+-     SSL support.  Don't bogusly rewrite such URLs.  */
++     SSL support.  Don't bogusly prepend "http://" to such URLs.  */
+   if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
+     return NULL;
+ 
+-  if (p && *p == ':')
+-    {
+-      /* Colon indicates ftp, as in foo.bar.com:path.  Check for
+-         special case of http port number ("localhost:10000").  */
+-      int digits = strspn (p + 1, "0123456789");
+-      if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
+-        goto http;
+-
+-      /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
+-      if ((ret = aprintf ("ftp://%s", url)) != NULL)
+-        ret[6 + (p - url)] = '/';
+-    }
+-  else
+-    {
+-    http:
+-      /* Just prepend "http://" to URL. */
+-      ret = aprintf ("http://%s", url);
+-    }
+-  return ret;
++  if (p && p[0] == ':' && !is_valid_port (p + 1))
++    return NULL;
++
++
++  fprintf(stderr, "Prepended http:// to '%s'\n", url);
++  return aprintf ("http://%s", url);
+ }
+ 
+ static void split_path (const char *, char **, char **);
+diff --git a/src/url.h b/src/url.h
+index 2dfbf30b..7796a21c 100644
+--- a/src/url.h
++++ b/src/url.h
+@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
+ 
+ int mkalldirs (const char *);
+ 
+-char *rewrite_shorthand_url (const char *);
++char *maybe_prepend_scheme (const char *);
+ bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
+ 
+ bool are_urls_equal (const char *u1, const char *u2);
+-- 
+cgit v1.2.3-70-g09d2
+

backport-CVE-2024-38428.patch

@@ -0,0 +1,76 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 2ff0b55..0acd3f3 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work.  */
+ #include "url.h"
+ #include "host.h"  /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+ 
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+-  /* Look for '@' that comes before terminators, such as '/', '?',
+-     '#', or ';'.  */
+-  const char *p = (const char *)strpbrk (url, "@/?#;");
+-  if (!p || *p != '@')
+-    return url;
+-  return p + 1;
++  /*
++   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++   *
++   * The RFC says
++   * server        = [ [ userinfo "@" ] hostport ]
++   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++   * unreserved    = alphanum | mark
++   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++   */
++  static const char *allowed = "-_.!~*'();:&=+$,";
++
++  for (const char *p = url; *p; p++)
++    {
++      if (c_isalnum(*p))
++        continue;
++
++      if (strchr(allowed, *p))
++        continue;
++
++      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++        {
++          p += 2;
++          continue;
++        }
++
++      if (*p == '@')
++        return p + 1;
++
++      break;
++    }
++
++  return url;
+ }
+ 
+ /* Parse credentials contained in [BEG, END).  The region is expected
+-- 
+2.33.0
+

backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch

@@ -0,0 +1,26 @@
+From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001
+From: Darshit Shah <darnir@gnu.org>
+Date: Fri, 15 Nov 2024 22:28:41 +0100
+Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in
+ verbose mode
+
+---
+ src/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/url.c b/src/url.c
+index 2f27c48a..913db4f1 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url)
+     return NULL;
+ 
+ 
+-  fprintf(stderr, "Prepended http:// to '%s'\n", url);
++  logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url);
+   return aprintf ("http://%s", url);
+ }
+ 
+-- 
+2.23.0
+

backport-wget-1.17-path.patch

@@ -0,0 +1,172 @@
+diff --git a/NEWS b/NEWS
+index d23ae95..aa3247f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -935,7 +935,7 @@ distributed with Wget.
+ 
+ ** Compiles on pre-ANSI compilers.
+ 
+-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
++** Global wgetrc now goes to /etc (i.e. $sysconfdir).
+ 
+ ** Lots of bugfixes.
+ 
+@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript.
+ ** Fixed a long-standing bug, so that Wget now works over SLIP
+ connections.
+ 
+-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
++** You can have a system-wide wgetrc (/etc/wgetrc by
+ default). Settings in $HOME/.wgetrc override the global ones, of
+ course :-)
+ 
+diff --git a/README b/README
+index 692e1c6..38231c9 100644
+--- a/README
++++ b/README
+@@ -33,7 +33,7 @@ for socks.
+ 
+ Most of the features are configurable, either through command-line
+ options, or via initialization file .wgetrc.  Wget allows you to
+-install a global startup file (/usr/local/etc/wgetrc by default) for
++install a global startup file (/etc/wgetrc by default) for
+ site settings.
+ 
+ Wget works under almost all Unix variants in use today and, unlike
+diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc
+index c0d0779..9a73ada 100644
+--- a/doc/sample.wgetrc
++++ b/doc/sample.wgetrc
+@@ -10,7 +10,7 @@
+ ## Or online here:
+ ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
+ ##
+-## Wget initialization file can reside in /usr/local/etc/wgetrc
++## Wget initialization file can reside in /etc/wgetrc
+ ## (global, for all users) or $HOME/.wgetrc (for a single user).
+ ##
+ ## To use the settings in this file, you will have to uncomment them,
+@@ -22,7 +22,7 @@
+ 
+ 
+ ##
+-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++## Global settings (useful for setting up in /etc/wgetrc).
+ ## Think well before you change them, since they may reduce wget's
+ ## functionality, and make it behave contrary to the documentation:
+ ##
+diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion
+index 3c7f2f4..521ef16 100644
+--- a/doc/sample.wgetrc.munged_for_texi_inclusion
++++ b/doc/sample.wgetrc.munged_for_texi_inclusion
+@@ -10,7 +10,7 @@
+ ## Or online here:
+ ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
+ ##
+-## Wget initialization file can reside in /usr/local/etc/wgetrc
++## Wget initialization file can reside in /etc/wgetrc
+ ## (global, for all users) or $HOME/.wgetrc (for a single user).
+ ##
+ ## To use the settings in this file, you will have to uncomment them,
+@@ -22,7 +22,7 @@
+ 
+ 
+ ##
+-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++## Global settings (useful for setting up in /etc/wgetrc).
+ ## Think well before you change them, since they may reduce wget's
+ ## functionality, and make it behave contrary to the documentation:
+ ##
+diff --git a/doc/wget.info b/doc/wget.info
+index 40ce0d4..89c6652 100644
+--- a/doc/wget.info
++++ b/doc/wget.info
+@@ -109,7 +109,7 @@ retrieval through HTTP proxies.
+    • Most of the features are fully configurable, either through command
+      line options, or via the initialization file ‘.wgetrc’ (*note
+      Startup File::).  Wget allows you to define “global” startup files
+-     (‘/usr/local/etc/wgetrc’ by default) for site settings.  You can
++     (‘/etc/wgetrc’ by default) for site settings.  You can
+      also specify the location of a startup file with the –config
+      option.  To disable the reading of config files, use –no-config.
+      If both –config and –no-config are given, –no-config is ignored.
+@@ -2825,8 +2825,8 @@ File: wget.info,  Node: Wgetrc Location,  Next: Wgetrc Syntax,  Prev: Startup Fi
+ ===================
+ 
+ When initializing, Wget will look for a “global” startup file,
+-‘/usr/local/etc/wgetrc’ by default (or some prefix other than
+-‘/usr/local’, if Wget was not installed there) and read commands from
++‘/etc/wgetrc’ by default (or some prefix other than
++‘/etc’, if Wget was not installed there) and read commands from
+ there, if it exists.
+ 
+    Then it will look for the user’s file.  If the environmental variable
+@@ -2837,7 +2837,7 @@ further attempts will be made.
+ 
+    The fact that user’s settings are loaded after the system-wide ones
+ means that in case of collision user’s wgetrc _overrides_ the
+-system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default).  Fascist
++system-wide wgetrc (in ‘/etc/wgetrc’ by default).  Fascist
+ admins, away!
+ 
+ 
+@@ -3380,7 +3380,7 @@ its line.
+      ## Or online here:
+      ##   https://www.gnu.org/software/wget/manual/wget.html#Startup-File
+      ##
+-     ## Wget initialization file can reside in /usr/local/etc/wgetrc
++     ## Wget initialization file can reside in /etc/wgetrc
+      ## (global, for all users) or $HOME/.wgetrc (for a single user).
+      ##
+      ## To use the settings in this file, you will have to uncomment them,
+@@ -3392,7 +3392,7 @@ its line.
+ 
+ 
+      ##
+-     ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++     ## Global settings (useful for setting up in /etc/wgetrc).
+      ## Think well before you change them, since they may reduce wget's
+      ## functionality, and make it behave contrary to the documentation:
+      ##
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b38..608d008 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -190,7 +190,7 @@ gauge can be customized to your preferences.
+ Most of the features are fully configurable, either through command line
+ options, or via the initialization file @file{.wgetrc} (@pxref{Startup
+ File}).  Wget allows you to define @dfn{global} startup files
+-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
++(@file{/etc/wgetrc} by default) for site settings. You can also
+ specify the location of a startup file with the --config option.
+ To disable the reading of config files, use --no-config.
+ If both --config and --no-config are given, --no-config is ignored.
+@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored.
+ @ignore
+ @c man begin FILES
+ @table @samp
+-@item /usr/local/etc/wgetrc
++@item /etc/wgetrc
+ Default location of the @dfn{global} startup file.
+ 
+ @item .wgetrc
+@@ -3154,8 +3154,8 @@ commands.
+ @cindex location of wgetrc
+ 
+ When initializing, Wget will look for a @dfn{global} startup file,
+-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
+-@file{/usr/local}, if Wget was not installed there) and read commands
++@file{/etc/wgetrc} by default (or some prefix other than
++@file{/etc}, if Wget was not installed there) and read commands
+ from there, if it exists.
+ 
+ Then it will look for the user's file.  If the environmental variable
+@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}.
+ 
+ The fact that user's settings are loaded after the system-wide ones
+ means that in case of collision user's wgetrc @emph{overrides} the
+-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
++system-wide wgetrc (in @file{/etc/wgetrc} by default).
+ Fascist admins, away!
+ 
+ @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File

backport-wget-1.21-ssl-init-output.patch

@@ -1,21 +0,0 @@
-diff --git a/src/gnutls.c b/src/gnutls.c
-index 0ecf2c81..81fe9518 100644
---- a/src/gnutls.c
-+++ b/src/gnutls.c
-@@ -99,7 +99,6 @@ static gnutls_certificate_credentials_t credentials;
- bool
- ssl_init (void)
- {
--  fprintf(stderr,"SSL_INIT\n");
-   /* Becomes true if GnuTLS is initialized. */
-   const char *ca_directory;
-   DIR *dir;
-@@ -237,8 +236,6 @@ cert to be of the same type.\n"));
- void
- ssl_cleanup (void)
- {
--  fprintf(stderr,"SSL_CLEANUP\n");
--
-   if (!ssl_initialized)
-     return;
- 

wget.spec

@@ -1,15 +1,18 @@
 Name:          wget
-Version:       1.21.2
-Release:       1
+Version:       1.21.4
+Release:       3
 Summary:       A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols.
-License:       GPLv3+
+License:       GPL-3.0-or-later AND LGPL-2.1-or-later
 Url:           http://www.gnu.org/software/wget/
 Source:        https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
 
-Patch6000:     backport-wget-1.21-ssl-init-output.patch
+Patch0:        backport-wget-1.17-path.patch
+Patch1:        backport-CVE-2024-38428.patch
+Patch2:        backport-CVE-2024-10524.patch
+Patch3:        backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch 
 
 Provides:      webclient bundled(gnulib)
-BuildRequires: perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
+BuildRequires: make perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel
 BuildRequires: gnutls-devel pkgconfig texinfo gettext autoconf libidn2-devel gpgme-devel zlib-devel
 BuildRequires: gcc
 
@@ -54,6 +57,36 @@ make check
 %{_infodir}/*
 
 %changelog
+* Thu Nov 21 2024 Han Jinpeng <hanjinpeng@kylinos.cn> -1.21.4-3
+- Type:CVE
+- ID:CVE-2024-10524
+- SUG:NA
+- DESC: fix CVE-2024-10524 and also fix Print message issue
+
+* Sun Jun 16 2024 xuchenchen <xuchenchen@kylinos.cn> -1.21.4-2
+- Type:CVES
+- ID:NA
+- SUG:NA
+- DESC:backport CVE-2024-38428
+
+* Fri Jul 28 2023 xingwei <xingwei14@h-partners.com> - 1.21.4-1
+- Type:requirements
+- ID:NA
+- SUG:NA
+- DESC:update wget to 1.21.4
+
+* Fri Feb 03 2023 xingwei <xingwei14@h-partners.com> - 1.21.3-1
+- Type:requirements
+- ID:NA
+- SUG:NA
+- DESC:update wget to 1.21.3
+
+* Sat Oct 22 2022 gaihuiying <eaglegai@163.com> - 1.21.2-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix find_cell(): wget killed by SIGSEGV
+
 * Tue Mar 22 2022 xihaochen <xihaochen@huawei.com> - 1.21.2-1
 - Type:requirements
 - ID:NA