Skip to content
Snippets Groups Projects
Verified Commit 61541739 authored by T.J. Townsend's avatar T.J. Townsend
Browse files

upgpkg: 1.24.5-3: fix CVE-2024-38428

parent 2d855249
No related branches found
No related tags found
No related merge requests found
pkgbase = wget
pkgdesc = Network utility to retrieve files from the Web
pkgver = 1.24.5
pkgrel = 2
pkgrel = 3
url = https://www.gnu.org/software/wget/wget.html
arch = x86_64
license = GPL3
......@@ -24,12 +24,15 @@ pkgbase = wget
backup = etc/wgetrc
source = https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.lz
source = https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.lz.sig
source = CVE-2024-38428.patch
validpgpkeys = AC404C1C0BF735C63FF4D562263D6DF2E163E1EA
validpgpkeys = 7845120B07CBD8D6ECE5FF2B2A1743EDA91A35B6
validpgpkeys = 1CB27DBC98614B2D5841646D08302DB6A2670428
sha256sums = 57a107151e4ef94fdf94affecfac598963f372f13293ed9c74032105390b36ee
sha256sums = SKIP
sha256sums = 9da45c5d34163fe0c0cc8d75402b2d1e6a752b794e52187da5d9141b825db24f
b2sums = 8057e5992ddaf39b3daffbde99871ddec1328c6bbafbc6b9f1d3cd294bb928b2a80f813024d4cd664c396f84477f1d93d5a21c60c6fe2932f9196d29bb9aa896
b2sums = SKIP
b2sums = fb0cf748b4f5aa34e0b43cc7c010e8f95324433fb3298365065708f8d092ab63c57f778fc1bfa17a121c651a6cd3296331992c5abe3958c368d523d11b3db067
pkgname = wget
From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)
* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/url.c b/src/url.c
index 69e948b..07c3bc8 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work. */
#include "url.h"
#include "host.h" /* for is_valid_ipv6_address */
#include "c-strcase.h"
+#include "c-ctype.h"
#ifdef HAVE_ICONV
# include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
static const char *
url_skip_credentials (const char *url)
{
- /* Look for '@' that comes before terminators, such as '/', '?',
- '#', or ';'. */
- const char *p = (const char *)strpbrk (url, "@/?#;");
- if (!p || *p != '@')
- return url;
- return p + 1;
+ /*
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
+ *
+ * The RFC says
+ * server = [ [ userinfo "@" ] hostport ]
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
+ * unreserved = alphanum | mark
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+ */
+ static const char *allowed = "-_.!~*'();:&=+$,";
+
+ for (const char *p = url; *p; p++)
+ {
+ if (c_isalnum(*p))
+ continue;
+
+ if (strchr(allowed, *p))
+ continue;
+
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+ {
+ p += 2;
+ continue;
+ }
+
+ if (*p == '@')
+ return p + 1;
+
+ break;
+ }
+
+ return url;
}
/* Parse credentials contained in [BEG, END). The region is expected
--
cgit v1.1
......@@ -4,7 +4,7 @@
pkgname=wget
pkgver=1.24.5
pkgrel=2
pkgrel=3
pkgdesc='Network utility to retrieve files from the Web'
url='https://www.gnu.org/software/wget/wget.html'
arch=('x86_64')
......@@ -14,11 +14,14 @@ depends=('glibc' 'zlib' 'gnutls' 'libidn2' 'libidn2.so' 'util-linux-libs' 'libuu
checkdepends=('perl-http-daemon' 'perl-io-socket-ssl' 'python')
optdepends=('ca-certificates: HTTPS downloads')
backup=('etc/wgetrc')
source=(https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.lz{,.sig})
source=(https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.lz{,.sig}
CVE-2024-38428.patch)
sha256sums=('57a107151e4ef94fdf94affecfac598963f372f13293ed9c74032105390b36ee'
'SKIP')
'SKIP'
'9da45c5d34163fe0c0cc8d75402b2d1e6a752b794e52187da5d9141b825db24f')
b2sums=('8057e5992ddaf39b3daffbde99871ddec1328c6bbafbc6b9f1d3cd294bb928b2a80f813024d4cd664c396f84477f1d93d5a21c60c6fe2932f9196d29bb9aa896'
'SKIP')
'SKIP'
'fb0cf748b4f5aa34e0b43cc7c010e8f95324433fb3298365065708f8d092ab63c57f778fc1bfa17a121c651a6cd3296331992c5abe3958c368d523d11b3db067')
validpgpkeys=(
'AC404C1C0BF735C63FF4D562263D6DF2E163E1EA' # Giuseppe Scrivano <gscrivano@gnu.org>
'7845120B07CBD8D6ECE5FF2B2A1743EDA91A35B6' # Darshit Shah <darnir@gnu.org>
......@@ -27,6 +30,7 @@ validpgpkeys=(
prepare() {
cd ${pkgname}-${pkgver}
patch -Np1 -i ../CVE-2024-38428.patch
cat >> doc/sample.wgetrc <<EOF
# default root certs location
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment