diff --git a/backport-CVE-2024-10524.patch b/backport-CVE-2024-10524.patch
deleted file mode 100644
index 36759ff583df4c4e2b08b2b95c2cefa6f7bb1d39..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-10524.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001 -From: Tim Rühsen -Date: Sun, 27 Oct 2024 19:53:14 +0100 -Subject: Fix CVE-2024-10524 (drop support for shorthand URLs) - -* doc/wget.texi: Add documentation for removed support for shorthand URLs. -* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme. -* src/main.c (main): Likewise. -* src/retr.c (getproxy): Likewise. -* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme, - add new function is_valid_port. -* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme. - -Reported-by: Goni Golan ---- - doc/wget.texi | 12 ++++-------- - src/html-url.c | 2 +- - src/main.c | 2 +- - src/retr.c | 2 +- - src/url.c | 57 ++++++++++++++++++--------------------------------------- - src/url.h | 2 +- - 6 files changed, 26 insertions(+), 51 deletions(-) - -diff --git a/doc/wget.texi b/doc/wget.texi -index 1d026d72..d46da375 100644 ---- a/doc/wget.texi -+++ b/doc/wget.texi -@@ -314,8 +314,8 @@ for text files. Here is an example: - ftp://host/directory/file;type=a - @end example - --Two alternative variants of @sc{url} specification are also supported, --because of historical (hysterical?) reasons and their widespreaded use. -+The two alternative variants of @sc{url} specifications are no longer -+supported because of security considerations: - - @sc{ftp}-only syntax (supported by @code{NcFTP}): - @example -@@ -327,12 +327,8 @@ host:/dir/file - host[:port]/dir/file - @end example - --These two alternative forms are deprecated, and may cease being --supported in the future. -- --If you do not understand the difference between these notations, or do --not know which one to use, just use the plain ordinary format you use --with your favorite browser, like @code{Lynx} or @code{Netscape}. -+These two alternative forms have been deprecated long time ago, -+and support is removed with version 1.22.0. 
- - @c man begin OPTIONS - -diff --git a/src/html-url.c b/src/html-url.c -index 8e960092..99914943 100644 ---- a/src/html-url.c -+++ b/src/html-url.c -@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again) - url_text = merged; - } - -- new_url = rewrite_shorthand_url (url_text); -+ new_url = maybe_prepend_scheme (url_text); - if (new_url) - { - xfree (url_text); -diff --git a/src/main.c b/src/main.c -index 77b1a0b6..6858d2da 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n")); - struct iri *iri = iri_new (); - struct url *url_parsed; - -- t = rewrite_shorthand_url (argv[optind]); -+ t = maybe_prepend_scheme (argv[optind]); - if (!t) - t = argv[optind]; - -diff --git a/src/retr.c b/src/retr.c -index 5422963c..26eb9f17 100644 ---- a/src/retr.c -+++ b/src/retr.c -@@ -1546,7 +1546,7 @@ getproxy (struct url *u) - - /* Handle shorthands. `rewritten_storage' is a kludge to allow - getproxy() to return static storage. */ -- rewritten_url = rewrite_shorthand_url (proxy); -+ rewritten_url = maybe_prepend_scheme (proxy); - if (rewritten_url) - return rewritten_url; - -diff --git a/src/url.c b/src/url.c -index 07c3bc87..2f27c48a 100644 ---- a/src/url.c -+++ b/src/url.c -@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd) - return true; - } - --/* Used by main.c: detect URLs written using the "shorthand" URL forms -- originally popularized by Netscape and NcFTP. 
HTTP shorthands look -- like this: -- -- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file -- www.foo.com[:port] -> http://www.foo.com[:port] -- -- FTP shorthands look like this: -- -- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file -- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file -+static bool is_valid_port(const char *p) -+{ -+ unsigned port = (unsigned) atoi (p); -+ if (port == 0 || port > 65535) -+ return false; - -- If the URL needs not or cannot be rewritten, return NULL. */ -+ int digits = strspn (p, "0123456789"); -+ return digits && (p[digits] == '/' || p[digits] == '\0'); -+} - -+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */ - char * --rewrite_shorthand_url (const char *url) -+maybe_prepend_scheme (const char *url) - { -- const char *p; -- char *ret; -- - if (url_scheme (url) != SCHEME_INVALID) - return NULL; - -- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the -- latter Netscape. */ -- p = strpbrk (url, ":/"); -+ const char *p = strchr (url, ':'); - if (p == url) - return NULL; - - /* If we're looking at "://", it means the URL uses a scheme we - don't support, which may include "https" when compiled without -- SSL support. Don't bogusly rewrite such URLs. */ -+ SSL support. Don't bogusly prepend "http://" to such URLs. */ - if (p && p[0] == ':' && p[1] == '/' && p[2] == '/') - return NULL; - -- if (p && *p == ':') -- { -- /* Colon indicates ftp, as in foo.bar.com:path. Check for -- special case of http port number ("localhost:10000"). */ -- int digits = strspn (p + 1, "0123456789"); -- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0')) -- goto http; -- -- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */ -- if ((ret = aprintf ("ftp://%s", url)) != NULL) -- ret[6 + (p - url)] = '/'; -- } -- else -- { -- http: -- /* Just prepend "http://" to URL. 
*/ -- ret = aprintf ("http://%s", url); -- } -- return ret; -+ if (p && p[0] == ':' && !is_valid_port (p + 1)) -+ return NULL; -+ -+ -+ fprintf(stderr, "Prepended http:// to '%s'\n", url); -+ return aprintf ("http://%s", url); - } - - static void split_path (const char *, char **, char **); -diff --git a/src/url.h b/src/url.h -index 2dfbf30b..7796a21c 100644 ---- a/src/url.h -+++ b/src/url.h -@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *); - - int mkalldirs (const char *); - --char *rewrite_shorthand_url (const char *); -+char *maybe_prepend_scheme (const char *); - bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b); - - bool are_urls_equal (const char *u1, const char *u2); --- -cgit v1.2.3-70-g09d2 - diff --git a/backport-CVE-2024-38428.patch b/backport-CVE-2024-38428.patch deleted file mode 100644 index 914020546e36b34588c752ad3f109ba9795f049f..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-38428.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20R=C3=BChsen?= -Date: Sun, 2 Jun 2024 12:40:16 +0200 -Subject: Properly re-implement userinfo parsing (rfc2396) - -* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396) - -The reason why the implementation is based on RFC 2396, an outdated standard, -is that the whole file is based on that RFC, and mixing standard here might be -dangerous. - ---- - src/url.c | 40 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 34 insertions(+), 6 deletions(-) - -diff --git a/src/url.c b/src/url.c -index 2ff0b55..0acd3f3 100644 ---- a/src/url.c -+++ b/src/url.c -@@ -41,6 +41,7 @@ as that of the covered work. */ - #include "url.h" - #include "host.h" /* for is_valid_ipv6_address */ - #include "c-strcase.h" -+#include "c-ctype.h" - - #ifdef HAVE_ICONV - # include -@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme) - static const char * - url_skip_credentials (const char *url) - { -- /* Look for '@' that comes before terminators, such as '/', '?', -- '#', or ';'. */ -- const char *p = (const char *)strpbrk (url, "@/?#;"); -- if (!p || *p != '@') -- return url; -- return p + 1; -+ /* -+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 . -+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit. -+ * -+ * The RFC says -+ * server = [ [ userinfo "@" ] hostport ] -+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) -+ * unreserved = alphanum | mark -+ * mark = "-" | "_" | "." | "!" 
| "~" | "*" | "'" | "(" | ")" -+ */ -+ static const char *allowed = "-_.!~*'();:&=+$,"; -+ -+ for (const char *p = url; *p; p++) -+ { -+ if (c_isalnum(*p)) -+ continue; -+ -+ if (strchr(allowed, *p)) -+ continue; -+ -+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2])) -+ { -+ p += 2; -+ continue; -+ } -+ -+ if (*p == '@') -+ return p + 1; -+ -+ break; -+ } -+ -+ return url; - } - - /* Parse credentials contained in [BEG, END). The region is expected --- -2.33.0 - diff --git a/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch b/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch deleted file mode 100644 index 8e8e21694e4eca44847c8be82a8a2dc13be9ccc2..0000000000000000000000000000000000000000 --- a/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001 -From: Darshit Shah -Date: Fri, 15 Nov 2024 22:28:41 +0100 -Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in - verbose mode - ---- - src/url.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/url.c b/src/url.c -index 2f27c48a..913db4f1 100644 ---- a/src/url.c -+++ b/src/url.c -@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url) - return NULL; - - -- fprintf(stderr, "Prepended http:// to '%s'\n", url); -+ logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url); - return aprintf ("http://%s", url); - } - --- -2.23.0 - diff --git a/backport-wget-1.17-path.patch b/wget-1.25.0-etc-path.patch similarity index 80% rename from backport-wget-1.17-path.patch rename to wget-1.25.0-etc-path.patch index 3d1461031634fdaf6011f3698785f1cd206bd538..47b1b02293c294252258bc6b725df8d0139281b7 100644 --- a/backport-wget-1.17-path.patch +++ b/wget-1.25.0-etc-path.patch @@ -1,8 +1,8 @@ diff --git a/NEWS b/NEWS -index d23ae95..aa3247f 100644 +index 99c6723..e6c8538 100644 --- a/NEWS 
+++ b/NEWS -@@ -935,7 +935,7 @@ distributed with Wget. +@@ -1075,7 +1075,7 @@ distributed with Wget. ** Compiles on pre-ANSI compilers. @@ -11,7 +11,7 @@ index d23ae95..aa3247f 100644 ** Lots of bugfixes. -@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript. +@@ -1138,7 +1138,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript. ** Fixed a long-standing bug, so that Wget now works over SLIP connections. @@ -21,7 +21,7 @@ index d23ae95..aa3247f 100644 course :-) diff --git a/README b/README -index 692e1c6..38231c9 100644 +index 3b7cc70..ca51780 100644 --- a/README +++ b/README @@ -33,7 +33,7 @@ for socks. @@ -78,7 +78,7 @@ index 3c7f2f4..521ef16 100644 ## functionality, and make it behave contrary to the documentation: ## diff --git a/doc/wget.info b/doc/wget.info -index 40ce0d4..89c6652 100644 +index 06ab42f..08c8f49 100644 --- a/doc/wget.info +++ b/doc/wget.info @@ -109,7 +109,7 @@ retrieval through HTTP proxies. 
@@ -87,30 +87,28 @@ index 40ce0d4..89c6652 100644 Startup File::). Wget allows you to define “global” startup files - (‘/usr/local/etc/wgetrc’ by default) for site settings. You can + (‘/etc/wgetrc’ by default) for site settings. You can - also specify the location of a startup file with the –config - option. To disable the reading of config files, use –no-config. - If both –config and –no-config are given, –no-config is ignored. -@@ -2825,8 +2825,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi + also specify the location of a startup file with the -config + option. To disable the reading of config files, use -no-config. + If both -config and -no-config are given, -no-config is ignored. +@@ -2855,7 +2855,7 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi =================== When initializing, Wget will look for a “global” startup file, -‘/usr/local/etc/wgetrc’ by default (or some prefix other than --‘/usr/local’, if Wget was not installed there) and read commands from +‘/etc/wgetrc’ by default (or some prefix other than -+‘/etc’, if Wget was not installed there) and read commands from + ‘/usr/local’, if Wget was not installed there) and read commands from there, if it exists. - Then it will look for the user’s file. If the environmental variable -@@ -2837,7 +2837,7 @@ further attempts will be made. +@@ -2867,7 +2867,7 @@ further attempts will be made. - The fact that user’s settings are loaded after the system-wide ones - means that in case of collision user’s wgetrc _overrides_ the + The fact that user's settings are loaded after the system-wide ones + means that in case of collision user's wgetrc _overrides_ the -system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default). Fascist +system-wide wgetrc (in ‘/etc/wgetrc’ by default). Fascist admins, away!  -@@ -3380,7 +3380,7 @@ its line. +@@ -3410,7 +3410,7 @@ its line. 
## Or online here: ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File ## @@ -119,7 +117,7 @@ index 40ce0d4..89c6652 100644 ## (global, for all users) or $HOME/.wgetrc (for a single user). ## ## To use the settings in this file, you will have to uncomment them, -@@ -3392,7 +3392,7 @@ its line. +@@ -3422,7 +3422,7 @@ its line. ## @@ -129,10 +127,10 @@ index 40ce0d4..89c6652 100644 ## functionality, and make it behave contrary to the documentation: ## diff --git a/doc/wget.texi b/doc/wget.texi -index eaf6b38..608d008 100644 +index d46da37..7089750 100644 --- a/doc/wget.texi +++ b/doc/wget.texi -@@ -190,7 +190,7 @@ gauge can be customized to your preferences. +@@ -195,7 +195,7 @@ gauge can be customized to your preferences. Most of the features are fully configurable, either through command line options, or via the initialization file @file{.wgetrc} (@pxref{Startup File}). Wget allows you to define @dfn{global} startup files @@ -141,7 +139,7 @@ index eaf6b38..608d008 100644 specify the location of a startup file with the --config option. To disable the reading of config files, use --no-config. If both --config and --no-config are given, --no-config is ignored. -@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored. +@@ -204,7 +204,7 @@ If both --config and --no-config are given, --no-config is ignored. @ignore @c man begin FILES @table @samp 
@@ -150,18 +148,16 @@ index eaf6b38..608d008 100644 Default location of the @dfn{global} startup file. @item .wgetrc -@@ -3154,8 +3154,8 @@ commands. +@@ -3188,7 +3188,7 @@ commands. @cindex location of wgetrc When initializing, Wget will look for a @dfn{global} startup file, -@file{/usr/local/etc/wgetrc} by default (or some prefix other than --@file{/usr/local}, if Wget was not installed there) and read commands +@file{/etc/wgetrc} by default (or some prefix other than -+@file{/etc}, if Wget was not installed there) and read commands + @file{/usr/local}, if Wget was not installed there) and read commands from there, if it exists. - Then it will look for the user's file. If the environmental variable -@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}. +@@ -3200,7 +3200,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}. The fact that user's settings are loaded after the system-wide ones means that in case of collision user's wgetrc @emph{overrides} the diff --git a/wget-1.21.4.tar.gz b/wget-1.25.0.tar.gz similarity index 46% rename from wget-1.21.4.tar.gz rename to wget-1.25.0.tar.gz index d6c4f5e5e1baa7070baace66311d0dc9c13f630d..14eb72d5f7891d8baffc8e9d1116b6b756b5d094 100644 Binary files a/wget-1.21.4.tar.gz and b/wget-1.25.0.tar.gz differ diff --git a/wget.spec b/wget.spec index 964a9987347780c15eabcbec80230a73b8bd0383..c1f6c79de1e9f5999e9b6250135941d3df64e260 100644 --- a/wget.spec +++ b/wget.spec 
@@ -1,15 +1,12 @@ Name: wget -Version: 1.21.4 -Release: 3 +Version: 1.25.0 +Release: 1 Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. License: GPL-3.0-or-later AND LGPL-2.1-or-later -Url: http://www.gnu.org/software/wget/ +Url: https://www.gnu.org/software/wget/ Source: https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz -Patch0: backport-wget-1.17-path.patch -Patch1: backport-CVE-2024-38428.patch -Patch2: backport-CVE-2024-10524.patch -Patch3: backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch +Patch0: wget-1.25.0-etc-path.patch Provides: webclient bundled(gnulib) BuildRequires: make perl-HTTP-Daemon python3 libuuid-devel perl-podlators libpsl-devel libmetalink-devel @@ -22,12 +19,7 @@ FTP and FTPS the most widely-used Internet protocols. It is a non-interactive commandline tool, so it may easily be called from scripts, cron jobs, terminals without X-Windows support, etc. -%package help -Summary: help package for %{name} - -%description help -This is the help package for %{name}. It includes some doc -files and man, info files. +%package_help %prep %autosetup -p1 @@ -47,7 +39,8 @@ rm -f %{buildroot}%{_infodir}/dir make check %files -f %{name}.lang -f %{name}-gnulib.lang -%doc AUTHORS COPYING +%license COPYING +%doc AUTHORS %config(noreplace) %{_sysconfdir}/wgetrc %{_bindir}/wget @@ -57,13 +50,19 @@ make check %{_infodir}/* %changelog -* Thu Nov 21 2024 Han Jinpeng -1.21.4-3 +* Thu Jan 23 2025 Funda Wang - 1.25.0-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC: update to 1.25.0 + +* Thu Nov 21 2024 Han Jinpeng - 1.21.4-3 - Type:CVE - ID:CVE-2024-10524 - SUG:NA - DESC: fix CVE-2024-10524 and also fix Print message issue -* Sun Jun 16 2024 xuchenchen -1.21.4-2 +* Sun Jun 16 2024 xuchenchen - 1.21.4-2 - Type:CVES - ID:NA - SUG:NA diff --git a/wget.yaml b/wget.yaml index c40d00ad0f87687333e068c5672fb1a84592a9cc..af0163221b72840875006811e6d682d7d1f582ef 100644 --- a/wget.yaml 
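Review bot: The new `Source:` tarball is fetched from ftp.gnu.org with no integrity check beyond the git blob hash, and `%prep` goes straight into `%autosetup -p1`; since this commit swaps the binary and drops three security backports in one step, I would add the upstream detached signature as `Source1: https://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz.sig` plus a keyring source, and verify it at the top of `%prep` (for example `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}`, if the build macros provide it). Separately, the changelog entry `- DESC: update to 1.25.0` does not say why `backport-CVE-2024-38428.patch`, `backport-CVE-2024-10524.patch` and the maybe_prepend_scheme follow-up were removed; I would state that they are dropped because 1.25.0 ships the upstream fixes, so CVE tracking ties both IDs to this release instead of flagging them as regressed. Nothing in this diff shows that the 1.25.0 tarball actually contains those commits, so that should be confirmed against the upstream tree before merging.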
+++ b/wget.yaml
@@ -1,4 +1,4 @@
-version_control: github
-src_repo: mirror/wget
+version_control: git
+src_repo: https://git.savannah.gnu.org/git/wget.git
 tag_prefix: ^v
-seperator: .
+separator: .