* [ptxdist] [PATCH] wget: version bump to 1.19.1
From: Denis OSTERLAND @ 2017-08-07 5:59 UTC
To: ptxdist

Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
--- patches/wget-1.19.1/CVE-2017-6508.patch | 31 +++++++++++++++++++++++++++++++ patches/wget-1.19.1/series | 1 + rules/wget.make | 5 ++--- 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 patches/wget-1.19.1/CVE-2017-6508.patch create mode 100644 patches/wget-1.19.1/series diff --git a/patches/wget-1.19.1/CVE-2017-6508.patch b/patches/wget-1.19.1/CVE-2017-6508.patch new file mode 100644 index 0000000..bb2f63f --- /dev/null +++ b/patches/wget-1.19.1/CVE-2017-6508.patch @@ -0,0 +1,31 @@ +From: Tim Rühsen <tim.ruehsen@gmx.de> +Date: Mon Mar 6 10:04:22 2017 +0100 +Subject: Fix CRLF injection in Wget host part + +* src/url.c (url_parse): Reject control characters in host part of URL + +Reported-by: Orange Tsai + +commit 4d729e322fae359a1aefaafec1144764a54e8ad4 +diff --git a/src/url.c b/src/url.c +index 8f8ff0b8..7d36b27d 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) + url_unescape (u->host); + host_modified = true; + ++ /* check for invalid control characters in host name */ ++ for (p = u->host; *p; p++) ++ { ++ if (c_iscntrl(*p)) ++ { ++ url_free(u); ++ error_code = PE_INVALID_HOST_NAME; ++ goto error; ++ } ++ } ++ + /* Apply IDNA regardless of iri->utf8_encode status */ + if (opt.enable_iri && iri) + { diff --git a/patches/wget-1.19.1/series b/patches/wget-1.19.1/series new file mode 100644 index 0000000..f58bfe3 --- /dev/null +++ b/patches/wget-1.19.1/series @@ -0,0 +1 @@ +CVE-2017-6508.patch diff --git a/rules/wget.make b/rules/wget.make index a315e01..d4d3494 100644 
--- a/rules/wget.make +++ b/rules/wget.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_WGET) += wget # # Paths and names # -WGET_VERSION := 1.11.4 -WGET_MD5 := 69e8a7296c0e12c53bd9ffd786462e87 +WGET_VERSION := 1.19.1 +WGET_MD5 := 87cea36b7161fd43e3fd51a4e8b89689 WGET := wget-$(WGET_VERSION) WGET_SUFFIX := tar.gz WGET_URL := $(call ptx/mirror, GNU, wget/$(WGET).$(WGET_SUFFIX)) 
@@ -40,7 +40,6 @@ WGET_ENV := \ WGET_AUTOCONF := \ $(CROSS_AUTOCONF_USR) \ $(GLOBAL_IPV6_OPTION) \ - --without-socks \ --without-ssl # ---------------------------------------------------------------------------- -- 2.7.4

Diehl AKO Stiftung & Co. KG, Pfannerstraße 75-83, 88239 Wangen im Allgäu
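Review bot: the commit message should say that this bump also adds patches/wget-1.19.1/CVE-2017-6508.patch. As posted it carries only the subject and the Signed-off-by, so the backported fix (upstream commit 4d729e322fae359a1aefaafec1144764a54e8ad4, "Fix CRLF injection in Wget host part") does not show up in the log. A line naming the CVE and the upstream commit would also tell whoever does the next bump that the patch can be dropped once a release contains it.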
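Review bot: in the first rules/wget.make hunk, WGET_MD5 is the only integrity check visible for the wget-1.19.1 tarball, and nothing in the patch says where 87cea36b7161fd43e3fd51a4e8b89689 came from. The hash is only as trustworthy as the download it was computed from, so please note in the commit message that it was taken from a tarball whose GNU signature was verified.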
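Review bot: in the WGET_AUTOCONF hunk, dropping --without-socks leaves --without-ssl as the only feature switch, so every other optional feature of 1.19.1 is decided by configure autodetection against whatever the sysroot happens to contain. A jump from 1.11.4 to 1.19.1 needs the option list revisited: spell out each --enable/--disable and --with/--without switch so the feature set, and the libraries wget links against, are fixed by the rule file.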
* Re: [ptxdist] [PATCH] wget: version bump to 1.19.1
From: Michael Olbrich @ 2017-08-07 7:46 UTC
To: ptxdist

On Mon, Aug 07, 2017 at 05:59:17AM +0000, Denis OSTERLAND wrote:
> Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>

This patch does not apply.

Michael

> --- > patches/wget-1.19.1/CVE-2017-6508.patch | 31 +++++++++++++++++++++++++++++++ > patches/wget-1.19.1/series | 1 + > rules/wget.make | 5 ++--- > 3 files changed, 34 insertions(+), 3 deletions(-) > create mode 100644 patches/wget-1.19.1/CVE-2017-6508.patch > create mode 100644 patches/wget-1.19.1/series > > diff --git a/patches/wget-1.19.1/CVE-2017-6508.patch b/patches/wget-1.19.1/CVE-2017-6508.patch > new file mode 100644 > index 0000000..bb2f63f > --- /dev/null > +++ b/patches/wget-1.19.1/CVE-2017-6508.patch > @@ -0,0 +1,31 @@ > +From: Tim Rühsen <tim.ruehsen@gmx.de> > +Date: Mon Mar 6 10:04:22 2017 +0100 > +Subject: Fix CRLF injection in Wget host part > + > +* src/url.c (url_parse): Reject control characters in host part of URL > + > +Reported-by: Orange Tsai > + > +commit 4d729e322fae359a1aefaafec1144764a54e8ad4 > +diff --git a/src/url.c b/src/url.c > +index 8f8ff0b8..7d36b27d 100644 > +--- a/src/url.c > ++++ b/src/url.c > +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) > + url_unescape (u->host); > + host_modified = true; > + > ++ /* check for invalid control characters in host name */ > ++ for (p = u->host; *p; p++) > ++ { > ++ if (c_iscntrl(*p)) > ++ { > ++ url_free(u); > ++ error_code = PE_INVALID_HOST_NAME; > ++ goto error; > ++ } > ++ } > ++ > + /* Apply IDNA regardless of iri->utf8_encode status */ > + if (opt.enable_iri && iri) > + { 
> diff --git a/patches/wget-1.19.1/series b/patches/wget-1.19.1/series > new file mode 100644 > index 0000000..f58bfe3 > --- /dev/null > +++ b/patches/wget-1.19.1/series > @@ -0,0 +1 @@ > +CVE-2017-6508.patch > diff --git a/rules/wget.make b/rules/wget.make > index a315e01..d4d3494 100644 > --- a/rules/wget.make > +++ b/rules/wget.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_WGET) += wget > # > # Paths and names > # > -WGET_VERSION := 1.11.4 > -WGET_MD5 := 69e8a7296c0e12c53bd9ffd786462e87 > +WGET_VERSION := 1.19.1 > +WGET_MD5 := 87cea36b7161fd43e3fd51a4e8b89689 > WGET := wget-$(WGET_VERSION) > WGET_SUFFIX := tar.gz > WGET_URL := $(call ptx/mirror, GNU, wget/$(WGET).$(WGET_SUFFIX)) 
> @@ -40,7 +40,6 @@ WGET_ENV := \ > WGET_AUTOCONF := \ > $(CROSS_AUTOCONF_USR) \ > $(GLOBAL_IPV6_OPTION) \ > - --without-socks \ > --without-ssl > > # ---------------------------------------------------------------------------- > -- > 2.7.4

--
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] wget: version bump to 1.19.1
From: Denis OSTERLAND @ 2017-08-07 7:59 UTC
To: ptxdist

On Monday, 07.08.2017, at 09:46 +0200, Michael Olbrich wrote:
> On Mon, Aug 07, 2017 at 05:59:17AM +0000, Denis OSTERLAND wrote:
> >
> > Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
> This patch does not apply.

On my PC, the mbox received from the ptxdist mailing list applies to 22c4eb289f151c4aba96a7906a57fb811392bfb3.
Do you have some additional info why?

osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git describe
ptxdist-2017.07.0-11-g22c4eb2
osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git am ~/tmp/\[ptxdist\]_\[PATCH\]_wget\:_version_bump_to_1.19.1.mbox
Applying: wget: version bump to 1.19.1
.git/rebase-apply/patch:31: trailing whitespace.

warning: 1 line adds whitespace errors.
osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git describe
ptxdist-2017.07.0-12-gbb44dc0

>
> Michael
>
> >
> > --- > > patches/wget-1.19.1/CVE-2017-6508.patch | 31 +++++++++++++++++++++++++++++++ > > patches/wget-1.19.1/series | 1 + > > rules/wget.make | 5 ++--- > > 3 files changed, 34 insertions(+), 3 deletions(-) > > create mode 100644 patches/wget-1.19.1/CVE-2017-6508.patch > > create mode 100644 patches/wget-1.19.1/series > > > > diff --git a/patches/wget-1.19.1/CVE-2017-6508.patch b/patches/wget-1.19.1/CVE-2017-6508.patch > > new file mode 100644 > > index 0000000..bb2f63f > > --- /dev/null > > +++ b/patches/wget-1.19.1/CVE-2017-6508.patch 
> > @@ -0,0 +1,31 @@ > > +From: Tim Rühsen <tim.ruehsen@gmx.de> > > +Date: Mon Mar 6 10:04:22 2017 +0100 > > +Subject: Fix CRLF injection in Wget host part > > + > > +* src/url.c (url_parse): Reject control characters in host part of URL > > + > > +Reported-by: Orange Tsai > > + > > +commit 4d729e322fae359a1aefaafec1144764a54e8ad4 > > +diff --git a/src/url.c b/src/url.c > > +index 8f8ff0b8..7d36b27d 100644 > > +--- a/src/url.c > > ++++ b/src/url.c > > +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) > > + url_unescape (u->host); > > + host_modified = true; > > + > > ++ /* check for invalid control characters in host name */ > > ++ for (p = u->host; *p; p++) > > ++ { > > ++ if (c_iscntrl(*p)) > > ++ { > > ++ url_free(u); > > ++ error_code = PE_INVALID_HOST_NAME; > > ++ goto error; > > ++ } > > ++ } > > ++ > > + /* Apply IDNA regardless of iri->utf8_encode status */ > > + if (opt.enable_iri && iri) > > + { > > diff --git a/patches/wget-1.19.1/series b/patches/wget-1.19.1/series > > new file mode 100644 > > index 0000000..f58bfe3 > > --- /dev/null > > +++ b/patches/wget-1.19.1/series > > @@ -0,0 +1 @@ > > +CVE-2017-6508.patch > > diff --git a/rules/wget.make b/rules/wget.make > > index a315e01..d4d3494 100644 > > --- a/rules/wget.make > > +++ b/rules/wget.make > > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_WGET) += wget > > # > > # Paths and names > > # > > -WGET_VERSION := 1.11.4 > > -WGET_MD5 := 69e8a7296c0e12c53bd9ffd786462e87 > > +WGET_VERSION := 1.19.1 > > +WGET_MD5 := 87cea36b7161fd43e3fd51a4e8b89689 > > WGET := wget-$(WGET_VERSION) > > WGET_SUFFIX := tar.gz > > WGET_URL := $(call ptx/mirror, GNU, wget/$(WGET).$(WGET_SUFFIX)) 
> > @@ -40,7 +40,6 @@ WGET_ENV := \ > > WGET_AUTOCONF := \ > > $(CROSS_AUTOCONF_USR) \ > > $(GLOBAL_IPV6_OPTION) \ > > - --without-socks \ > > --without-ssl > > > > # ---------------------------------------------------------------------------- > > -- > > 2.7.4
* Re: [ptxdist] [PATCH] wget: version bump to 1.19.1
From: Michael Olbrich @ 2017-08-07 8:21 UTC
To: ptxdist

On Mon, Aug 07, 2017 at 07:59:53AM +0000, Denis OSTERLAND wrote:
> On Monday, 07.08.2017, at 09:46 +0200, Michael Olbrich wrote:
> > On Mon, Aug 07, 2017 at 05:59:17AM +0000, Denis OSTERLAND wrote:
> > >
> > > Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
> > This patch does not apply.
> On my PC, the mbox received from the ptxdist mailing list applies to 22c4eb289f151c4aba96a7906a57fb811392bfb3.
> Do you have some additional info why?

I think it's some encoding issue. I'm not sure what's wrong but I found a way to apply it, so don't worry about it.

About the patch itself: The configure options changed. Update those as well. See my other review for hints how to do that and ask here if you are unsure.

Michael

> osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git describe
> ptxdist-2017.07.0-11-g22c4eb2
> osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git am ~/tmp/\[ptxdist\]_\[PATCH\]_wget\:_version_bump_to_1.19.1.mbox
> Applying: wget: version bump to 1.19.1
> .git/rebase-apply/patch:31: trailing whitespace.
>
> warning: 1 line adds whitespace errors.
> osterlad@cwpc1435:~/buildbox/ptxdist/ptxdist-master$ git describe
> ptxdist-2017.07.0-12-gbb44dc0
> >
> > Michael
> >
> > >
> > > --- > > > patches/wget-1.19.1/CVE-2017-6508.patch | 31 +++++++++++++++++++++++++++++++ > > > patches/wget-1.19.1/series | 1 + > > > rules/wget.make | 5 ++--- > > > 3 files changed, 34 insertions(+), 3 deletions(-) > > > create mode 100644 patches/wget-1.19.1/CVE-2017-6508.patch > > > create mode 100644 patches/wget-1.19.1/series > > > > > > diff --git a/patches/wget-1.19.1/CVE-2017-6508.patch b/patches/wget-1.19.1/CVE-2017-6508.patch > > > new file mode 100644 > > > index 0000000..bb2f63f > > > --- /dev/null 
> > > +++ b/patches/wget-1.19.1/CVE-2017-6508.patch > > > @@ -0,0 +1,31 @@ > > > +From: Tim Rühsen <tim.ruehsen@gmx.de> > > > +Date: Mon Mar 6 10:04:22 2017 +0100 > > > +Subject: Fix CRLF injection in Wget host part > > > + > > > +* src/url.c (url_parse): Reject control characters in host part of URL > > > + > > > +Reported-by: Orange Tsai > > > + > > > +commit 4d729e322fae359a1aefaafec1144764a54e8ad4 > > > +diff --git a/src/url.c b/src/url.c > > > +index 8f8ff0b8..7d36b27d 100644 > > > +--- a/src/url.c > > > ++++ b/src/url.c > > > +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) > > > + url_unescape (u->host); > > > + host_modified = true; > > > + > > > ++ /* check for invalid control characters in host name */ > > > ++ for (p = u->host; *p; p++) > > > ++ { > > > ++ if (c_iscntrl(*p)) > > > ++ { > > > ++ url_free(u); > > > ++ error_code = PE_INVALID_HOST_NAME; > > > ++ goto error; > > > ++ } > > > ++ } > > > ++ > > > + /* Apply IDNA regardless of iri->utf8_encode status */ > > > + if (opt.enable_iri && iri) > > > + { > > > diff --git a/patches/wget-1.19.1/series b/patches/wget-1.19.1/series > > > new file mode 100644 > > > index 0000000..f58bfe3 > > > --- /dev/null > > > +++ b/patches/wget-1.19.1/series > > > @@ -0,0 +1 @@ > > > +CVE-2017-6508.patch > > > diff --git a/rules/wget.make b/rules/wget.make > > > index a315e01..d4d3494 100644 > > > --- a/rules/wget.make > > > +++ b/rules/wget.make > > > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_WGET) += wget > > > # > > > # Paths and names > > > # > > > -WGET_VERSION := 1.11.4 > > > -WGET_MD5 := 69e8a7296c0e12c53bd9ffd786462e87 > > > +WGET_VERSION := 1.19.1 > > > +WGET_MD5 := 87cea36b7161fd43e3fd51a4e8b89689 > > > WGET := wget-$(WGET_VERSION) > > > WGET_SUFFIX := tar.gz > > > WGET_URL := $(call ptx/mirror, GNU, wget/$(WGET).$(WGET_SUFFIX)) 
> > > @@ -40,7 +40,6 @@ WGET_ENV := \ > > > WGET_AUTOCONF := \ > > > $(CROSS_AUTOCONF_USR) \ > > > $(GLOBAL_IPV6_OPTION) \ > > > - --without-socks \ > > > --without-ssl > > > > > > # ---------------------------------------------------------------------------- > > > -- > > > 2.7.4
* [ptxdist] [PATCH v2] wget: version bump 1.11.4 -> 1.19.1
From: Denis OSTERLAND @ 2017-08-07 12:14 UTC
To: ptxdist

From: Denis OSTERLAND <denis.osterland@diehl.com>

Add configure commandline options.

Signed-off-by: Denis Osterland <Denis.Osterland@diehl.com>
--- patches/wget-1.19.1/CVE-2017-6508.patch | 31 +++++++++++++++++++++++++++++++ patches/wget-1.19.1/series | 1 + rules/wget.make | 23 +++++++++++++++++++---- 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 patches/wget-1.19.1/CVE-2017-6508.patch create mode 100644 patches/wget-1.19.1/series diff --git a/patches/wget-1.19.1/CVE-2017-6508.patch b/patches/wget-1.19.1/CVE-2017-6508.patch new file mode 100644 index 0000000..bb2f63f --- /dev/null +++ b/patches/wget-1.19.1/CVE-2017-6508.patch @@ -0,0 +1,31 @@ +From: Tim Rühsen <tim.ruehsen@gmx.de> +Date: Mon Mar 6 10:04:22 2017 +0100 +Subject: Fix CRLF injection in Wget host part + +* src/url.c (url_parse): Reject control characters in host part of URL + +Reported-by: Orange Tsai + +commit 4d729e322fae359a1aefaafec1144764a54e8ad4 +diff --git a/src/url.c b/src/url.c +index 8f8ff0b8..7d36b27d 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) + url_unescape (u->host); + host_modified = true; + ++ /* check for invalid control characters in host name */ ++ for (p = u->host; *p; p++) ++ { ++ if (c_iscntrl(*p)) ++ { ++ url_free(u); ++ error_code = PE_INVALID_HOST_NAME; ++ goto error; ++ } ++ } ++ + /* Apply IDNA regardless of iri->utf8_encode status */ + if (opt.enable_iri && iri) + { diff --git a/patches/wget-1.19.1/series b/patches/wget-1.19.1/series new file mode 100644 index 0000000..f58bfe3 --- /dev/null +++ b/patches/wget-1.19.1/series 
@@ -0,0 +1 @@ +CVE-2017-6508.patch diff --git a/rules/wget.make b/rules/wget.make index a315e01..0c54bc4 100644 --- a/rules/wget.make +++ b/rules/wget.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_WGET) += wget # # Paths and names # -WGET_VERSION := 1.11.4 -WGET_MD5 := 69e8a7296c0e12c53bd9ffd786462e87 +WGET_VERSION := 1.19.1 +WGET_MD5 := 87cea36b7161fd43e3fd51a4e8b89689 WGET := wget-$(WGET_VERSION) WGET_SUFFIX := tar.gz WGET_URL := $(call ptx/mirror, GNU, wget/$(WGET).$(WGET_SUFFIX)) 
@@ -40,8 +40,23 @@ WGET_ENV := \ WGET_AUTOCONF := \ $(CROSS_AUTOCONF_USR) \ $(GLOBAL_IPV6_OPTION) \ - --without-socks \ - --without-ssl + --disable-iri \ + --disable-pcre \ + --disable-xattr \ + --enable-assert \ + --enable-threads=posix \ + --disable-valgrind-tests \ + --with-cares \ + --with-included-libunistring \ + --with-libidn=/usr \ + --with-metalink \ + --without-openssl \ + --without-included-regex \ + --without-libpsl \ + --without-libuuid \ + --without-ssl \ + --without-zlib + # ---------------------------------------------------------------------------- # Target-Install -- 2.7.4
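Review bot: in the v2 WGET_AUTOCONF hunk, --with-cares, --with-metalink and --with-libidn=/usr switch on three external libraries, but the diffstat touches only rules/wget.make and the two files under patches/, so nothing visible here makes ptxdist build those libraries before wget. Either add the matching dependencies to the package's Kconfig entry or turn the three options off. --with-libidn=/usr also hard-codes a prefix that in a cross build should come from the sysroot rather than look like a build-host path.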