
01/01: gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13


From: Marius Bakke
Subject: 01/01: gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].
Date: Thu, 26 Oct 2017 17:46:51 -0400 (EDT)

mbakke pushed a commit to branch master
in repository guix.

commit 6b88912eb6c414467234678c347990181dbf848b
Author: Marius Bakke <address@hidden>
Date:   Thu Oct 26 23:23:44 2017 +0200

    gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].
    
    * gnu/packages/wget.scm (wget): Update to 1.19.2.
    [source](uri): Change to '.lz' tarball.
    [source](patches): Remove.
    [native-inputs]: Add LZIP.
    * gnu/packages/patches/wget-CVE-2017-6508.patch,
    gnu/packages/patches/wget-fix-504-test-timeout.patch,
    gnu/packages/patches/wget-perl-5.26.patch: Delete files.
    * gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |   3 -
 gnu/packages/patches/wget-CVE-2017-6508.patch      |  45 ------
 .../patches/wget-fix-504-test-timeout.patch        | 160 ---------------------
 gnu/packages/patches/wget-perl-5.26.patch          |  96 -------------
 gnu/packages/wget.scm                              |  13 +-
 5 files changed, 6 insertions(+), 311 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index f318bcd..2aa2f7b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1100,9 +1100,6 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/vte-CVE-2012-2738-pt1.patch                     \
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch                     \
   %D%/packages/patches/weechat-python.patch                    \
-  %D%/packages/patches/wget-CVE-2017-6508.patch                        \
-  %D%/packages/patches/wget-fix-504-test-timeout.patch                 \
-  %D%/packages/patches/wget-perl-5.26.patch                    \
   %D%/packages/patches/wicd-bitrate-none-fix.patch             \
   %D%/packages/patches/wicd-get-selected-profile-fix.patch     \
   %D%/packages/patches/wicd-urwid-1.3.patch                    \
diff --git a/gnu/packages/patches/wget-CVE-2017-6508.patch 
b/gnu/packages/patches/wget-CVE-2017-6508.patch
deleted file mode 100644
index 0218fce..0000000
--- a/gnu/packages/patches/wget-CVE-2017-6508.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-6508:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
-
-From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <address@hidden>
-Date: Mon, 6 Mar 2017 10:04:22 +0100
-Subject: [PATCH] Fix CRLF injection in Wget host part
-
-* src/url.c (url_parse): Reject control characters in host part of URL
-
-Reported-by: Orange Tsai
----
- src/url.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/url.c b/src/url.c
-index 8f8ff0b8..7d36b27d 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, 
bool percent_encode)
-       url_unescape (u->host);
-       host_modified = true;
- 
-+      /* check for invalid control characters in host name */
-+      for (p = u->host; *p; p++)
-+        {
-+          if (c_iscntrl(*p))
-+            {
-+              url_free(u);
-+              error_code = PE_INVALID_HOST_NAME;
-+              goto error;
-+            }
-+        }
-+
-       /* Apply IDNA regardless of iri->utf8_encode status */
-       if (opt.enable_iri && iri)
-         {
--- 
-2.12.0
-
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch 
b/gnu/packages/patches/wget-fix-504-test-timeout.patch
deleted file mode 100644
index d9bf154..0000000
--- a/gnu/packages/patches/wget-fix-504-test-timeout.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-This patch is from upstream. If a machine is too slow it can cause
-test-504.py to fail.
-http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
-
-From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <address@hidden>
-Date: Tue, 14 Feb 2017 16:20:26 +0100
-Subject: Fix 504 status handling
-
-* src/http.c (gethttp): Move 504 handling to correct place.
-  (http_loop): Fix memeory leak.
-* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
-  status codes with a body
-
-Reported-by: Adam Sampson
----
- src/http.c                         | 30 +++++++++++-------------------
- testenv/server/http/http_server.py |  9 +++++----
- 2 files changed, 16 insertions(+), 23 deletions(-)
-
-diff --git a/src/http.c b/src/http.c
-index 898e184..d2c5c77 100644
---- a/src/http.c
-+++ b/src/http.c
-@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
- 
- #ifdef HAVE_METALINK
-   /* We need to check for the Metalink data in the very first response
--     we get from the server (before redirectionrs, authorization, etc.).  */
-+     we get from the server (before redirections, authorization, etc.).  */
-   if (metalink)
-     {
-       hs->metalink = metalink_from_http (resp, hs, u);
-@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
-       uerr_t auth_err = RETROK;
-       bool retry;
-       /* Normally we are not interested in the response body.
--         But if we are writing a WARC file we are: we like to keep everyting. 
 */
-+         But if we are writing a WARC file we are: we like to keep 
everything.  */
-       if (warc_enabled)
-         {
-           int _err;
-@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
-         pconn.authorized = true;
-     }
- 
--  if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
--    {
--      hs->len = 0;
--      hs->res = 0;
--      hs->restval = 0;
--
--      CLOSE_FINISH (sock);
--      xfree (hs->message);
--
--      retval = GATEWAYTIMEOUT;
--      goto cleanup;
--    }
--
--
-   {
-     uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
-     if (ret != RETROK)
-@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
-               retval = _err;
-               goto cleanup;
-             }
--          else
--            CLOSE_FINISH (sock);
-+
-+          CLOSE_FINISH (sock);
-         }
-       else
-         {
-@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
-             CLOSE_INVALIDATE (sock);
-         }
- 
--      retval = RETRFINISHED;
-+      if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-+        retval = GATEWAYTIMEOUT;
-+      else
-+        retval = RETRFINISHED;
-+
-       goto cleanup;
-     }
- 
-@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url 
*original_url, char **newloc,
-              bring them to "while" statement at the end, to judge
-              whether the number of tries was exceeded.  */
-           printwhat (count, opt.ntry);
-+          xfree (hstat.message);
-+          xfree (hstat.error);
-           continue;
-         case FWRITEERR: case FOPENERR:
-           /* Another fatal error.  */
-diff --git a/testenv/server/http/http_server.py 
b/testenv/server/http/http_server.py
-index e96f6e8..b222df0 100644
---- a/testenv/server/http/http_server.py
-+++ b/testenv/server/http/http_server.py
-@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
- 
-     def Response(self, resp_obj):
-         self.send_response(resp_obj.response_code)
--        self.finish_headers()
-         if resp_obj.response_code == 304:
-             raise NoBodyServerError("Conditional get falling to head")
-         raise ServerError("Custom Response code sent.")
-@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
-         except AuthError as se:
-             self.send_response(401, "Authorization Required")
-             self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
--            self.finish_headers()
-             raise se
- 
-     def handle_auth(self, auth_rule):
-@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd is None or header_recd != exp_headers[header_line]:
-                 self.send_error(400, "Expected Header %s not found" %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + " not found")
- 
-     def RejectHeader(self, header_obj):
-@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd and header_recd == rej_headers[header_line]:
-                 self.send_error(400, 'Blacklisted Header %s received' %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + ' received')
- 
-     def __log_request(self, method):
-@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
- 
-             content = self.server.fileSys.get(path)
-             content_length = len(content)
-+
-             for rule_name in self.rules:
-                 try:
-                     assert hasattr(self, rule_name)
-@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
-                     return(None, None)
-                 except AuthError as ae:
-                     print(ae.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except NoBodyServerError as nbse:
-                     print(nbse.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except ServerError as se:
-                     print(se.__str__())
-+                    self.add_header("Content-Length", content_length)
-+                    self.finish_headers()
-                     return(content, None)
- 
-             try:
--- 
-cgit v1.0-41-gc330
-
diff --git a/gnu/packages/patches/wget-perl-5.26.patch 
b/gnu/packages/patches/wget-perl-5.26.patch
deleted file mode 100644
index ee3a984..0000000
--- a/gnu/packages/patches/wget-perl-5.26.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-This upstream commit adjusts tests for Perl 5.26.
-
-commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
-Author: Anton Yuzhaninov <address@hidden>
-Date:   Wed Apr 5 19:06:42 2017 +0300
-
-    Fix perl warnings in tests
-    
-    * tests/FTPServer.pm: Escape '{' in RE to fix warnings
-    * tests/FTPTest.pm: Likewise
-    * tests/HTTPServer.pm: Likewise
-    * tests/HTTPTest.pm: Likewise
-    * tests/Test-proxied-https-auth-keepalive.px: Likewise
-    * tests/Test-proxied-https-auth.px: Likewise
-    Escape '{' in RE to fix warnings:
-    Unescaped left brace in regex is deprecated, passed through in regex;
-    marked by <-- HERE in m/{{ <-- HERE port}}/
-
-diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
-index a5185d66..cac80942 100644
---- a/tests/FTPServer.pm
-+++ b/tests/FTPServer.pm
-@@ -589,7 +589,7 @@ sub new
-     foreach my $file (keys %{$self->{_input}})
-     {
-         my $ref = \$self->{_input}{$file}{content};
--        $$ref =~ s/{{port}}/$self->sockport/eg;
-+        $$ref =~ s/\Q{{port}}/$self->sockport/eg;
-     }
- 
-     return $self;
-diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
-index 50385ad0..0a1c768c 100644
---- a/tests/FTPTest.pm
-+++ b/tests/FTPTest.pm
-@@ -53,7 +53,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
-index dd8ec043..78609f65 100644
---- a/tests/HTTPServer.pm
-+++ b/tests/HTTPServer.pm
-@@ -310,7 +310,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
-index 00f079f8..6225c7f1 100644
---- a/tests/HTTPTest.pm
-+++ b/tests/HTTPTest.pm
-@@ -47,7 +47,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/Test-proxied-https-auth-keepalive.px 
b/tests/Test-proxied-https-auth-keepalive.px
-index 049bebec..2a18ccfd 100755
---- a/tests/Test-proxied-https-auth-keepalive.px
-+++ b/tests/Test-proxied-https-auth-keepalive.px
-@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " 
--user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";;
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
-diff --git a/tests/Test-proxied-https-auth.px 
b/tests/Test-proxied-https-auth.px
-index ce4e736c..878114e7 100755
---- a/tests/Test-proxied-https-auth.px
-+++ b/tests/Test-proxied-https-auth.px
-@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " 
--user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";;
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
diff --git a/gnu/packages/wget.scm b/gnu/packages/wget.scm
index 3673ad5..bfcfcad 100644
--- a/gnu/packages/wget.scm
+++ b/gnu/packages/wget.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages wget)
   #:use-module (guix licenses)
   #:use-module (gnu packages)
+  #:use-module (gnu packages compression)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages python)
   #:use-module (gnu packages perl)
@@ -34,18 +35,15 @@
 (define-public wget
   (package
     (name "wget")
-    (version "1.19.1")
+    (version "1.19.2")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/wget/wget-"
-                          version ".tar.xz"))
-      (patches (search-patches "wget-CVE-2017-6508.patch"
-                               "wget-fix-504-test-timeout.patch"
-                               "wget-perl-5.26.patch"))
+                          version ".tar.lz"))
       (sha256
        (base32
-        "1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
+        "01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (modify-phases %standard-phases
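Review bot: Dropping `wget-CVE-2017-6508.patch` from the `patches` field is only safe if the 1.19.2 tarball already carries upstream commit 4d729e32 (the CRLF-in-host fix dated 6 Mar 2017 in the deleted patch header), and nothing in the commit record says so; the description only lists "[source](patches): Remove." The upstream fix presumably predates the release, but the reasoning should be on record so a later reader does not mistake this for a silent regression, e.g. add to the commit message `All three patches are included upstream in 1.19.2.` The hash swap and the `.tar.lz` switch cannot be checked from the diff itself; the new sha256 should be confirmed against the GNU mirror's signed release before merging.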
@@ -65,7 +63,8 @@
     (inputs
      `(("gnutls" ,gnutls)
        ("libidn2" ,libidn2)
-       ("libpsl" ,libpsl)))
+       ("libpsl" ,libpsl)
+       ("lzip" ,lzip)))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("perl" ,perl)
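Review bot: `("lzip" ,lzip)` is added to `inputs`, but the commit message says `[native-inputs]: Add LZIP.`, and since lzip is only needed to unpack the `.tar.lz` source it belongs with the other build-time tools, not in the runtime closure of wget. Restore `("libpsl" ,libpsl)))` as the last entry of `inputs`, remove the `("lzip" ,lzip)))` line there, and add `("lzip" ,lzip)` to the `native-inputs` list, which continues past the end of this hunk. Placing it in `inputs` also breaks cross-compilation, as the host-architecture lzip would be used to unpack the source.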


