wget 1.19.5: latest patches (01-03)
Commit Message
For details see:
http://git.savannah.gnu.org/cgit/wget.git
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/wget | 4 +++
...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
.../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
.../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
4 files changed, 66 insertions(+)
create mode 100644 src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
create mode 100644 src/patches/wget/02-src_version_h_add_header_guard.patch
create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
Comments
Hi,
are any of these security-relevant?
Best,
-Michael
On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
> For details see:
> http://git.savannah.gnu.org/cgit/wget.git
>
> Best,
> Matthias
>
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> lfs/wget | 4 +++
> ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
> .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
> .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
> 4 files changed, 66 insertions(+)
> create mode 100644 src/patches/wget/01-
> src_hosts_c_remove_void_assignment.patch
> create mode 100644 src/patches/wget/02-src_version_h_add_header_guard.patch
> create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>
> diff --git a/lfs/wget b/lfs/wget
> index 39f59ba80..f753bef1a 100644
> --- a/lfs/wget
> +++ b/lfs/wget
> @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
> src_hosts_c_remove_void_assignment.patch
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
> src_version_h_add_header_guard.patch
> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
> src_hsts_h_fix_header_guard.patch
> +
> cd $(DIR_APP) && ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> new file mode 100644
> index 000000000..ba488571c
> --- /dev/null
> +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> @@ -0,0 +1,13 @@
> +diff --git a/src/host.c b/src/host.c
> +index 4597f46..b42cd6e 100644
> +--- a/src/host.c
> ++++ b/src/host.c
> +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
> + ares_process (channel, &read_fds, &write_fds);
> + }
> + if (timer)
> +- timer = ptimer_destroy (timer);
> ++ ptimer_destroy (timer);
> + }
> +
> + static void
> diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch
> b/src/patches/wget/02-src_version_h_add_header_guard.patch
> new file mode 100644
> index 000000000..5fd75b975
> --- /dev/null
> +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
> @@ -0,0 +1,20 @@
> +diff --git a/src/version.h b/src/version.h
> +index aeae086..ee40bb1 100644
> +--- a/src/version.h
> ++++ b/src/version.h
> +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a
> combination
> + shall include the source code for the parts of OpenSSL used as well
> + as that of the covered work. */
> +
> ++#ifndef WGET_VERSION_H
> ++#define WGET_VERSION_H
> ++
> + /* Extern declarations for strings in version.c */
> + extern const char *version_string;
> + extern const char *compilation_string;
> +@@ -34,3 +37,5 @@ extern const char *link_string;
> +
> + /* Extern declaration for string in build_info.c */
> + extern const char *compiled_features[];
> ++
> ++#endif /* WGET_VERSION_H */
> diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> new file mode 100644
> index 000000000..786d28851
> --- /dev/null
> +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> @@ -0,0 +1,29 @@
> +diff --git a/src/hsts.h b/src/hsts.h
> +index 257f0b0..0065d9f 100644
> +--- a/src/hsts.h
> ++++ b/src/hsts.h
> +@@ -26,13 +26,13 @@ grants you additional permission to convey the resulting
> work.
> + Corresponding Source for a non-source form of such a combination
> + shall include the source code for the parts of OpenSSL used as well
> + as that of the covered work. */
> +-#include "wget.h"
> +
> +-#ifdef HAVE_HSTS
> ++#ifndef WGET_HSTS_H
> ++#define WGET_HSTS_H
> +
> +-#ifndef HSTS_H
> +-#define HSTS_H
> ++#ifdef HAVE_HSTS
> +
> ++#include "wget.h"
> + #include "url.h"
> +
> + typedef struct hsts_store *hsts_store_t;
> +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
> + time_t, bool);
> + bool hsts_match (hsts_store_t, struct url *);
> +
> +-#endif /* HSTS_H */
> + #endif /* HAVE_HSTS */
> ++#endif /* WGET_HSTS_H */
Hi,
On 09.05.2018 13:14, Michael Tremer wrote:
> Hi,
>
> are any of these security-relevant?
I'm not sure - I read this discussion on bug-wget@gnu.org:
***SNIP***
On 05/08/2018 09:16 AM, Josef Moellers wrote:
> > Hi,
> >
> > While trying to upgrade to 1.19.5, we found a bug in wget
> > (src/host.c)
> > where the (non-existing) return value of a void function is assigned
> > to
> > a variable.
> >
> > A patch is appended.
Thanks,
setting timer to NULL is not needed here.
I'll amended and pushed the patch.
With Best Regards, Tim
***SNAP***
Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git,
found the two other patches and thought they could be of help.
Unfortunately, I can'T judge what effects these bugs have or why they
where added. By now, they're undocumented.
Best,
Matthias
> Best,
> -Michael
>
> On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
>> For details see:
>> http://git.savannah.gnu.org/cgit/wget.git
>>
>> Best,
>> Matthias
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>> lfs/wget | 4 +++
>> ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
>> .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
>> .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
>> 4 files changed, 66 insertions(+)
>> create mode 100644 src/patches/wget/01-
>> src_hosts_c_remove_void_assignment.patch
>> create mode 100644 src/patches/wget/02-src_version_h_add_header_guard.patch
>> create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>>
>> diff --git a/lfs/wget b/lfs/wget
>> index 39f59ba80..f753bef1a 100644
>> --- a/lfs/wget
>> +++ b/lfs/wget
>> @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>>
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
>> src_hosts_c_remove_void_assignment.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
>> src_version_h_add_header_guard.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
>> src_hsts_h_fix_header_guard.patch
>> +
>> cd $(DIR_APP) && ./configure \
>> --prefix=/usr \
>> --sysconfdir=/etc \
>> diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> new file mode 100644
>> index 000000000..ba488571c
>> --- /dev/null
>> +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> @@ -0,0 +1,13 @@
>> +diff --git a/src/host.c b/src/host.c
>> +index 4597f46..b42cd6e 100644
>> +--- a/src/host.c
>> ++++ b/src/host.c
>> +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
>> + ares_process (channel, &read_fds, &write_fds);
>> + }
>> + if (timer)
>> +- timer = ptimer_destroy (timer);
>> ++ ptimer_destroy (timer);
>> + }
>> +
>> + static void
>> diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch
>> b/src/patches/wget/02-src_version_h_add_header_guard.patch
>> new file mode 100644
>> index 000000000..5fd75b975
>> --- /dev/null
>> +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
>> @@ -0,0 +1,20 @@
>> +diff --git a/src/version.h b/src/version.h
>> +index aeae086..ee40bb1 100644
>> +--- a/src/version.h
>> ++++ b/src/version.h
>> +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a
>> combination
>> + shall include the source code for the parts of OpenSSL used as well
>> + as that of the covered work. */
>> +
>> ++#ifndef WGET_VERSION_H
>> ++#define WGET_VERSION_H
>> ++
>> + /* Extern declarations for strings in version.c */
>> + extern const char *version_string;
>> + extern const char *compilation_string;
>> +@@ -34,3 +37,5 @@ extern const char *link_string;
>> +
>> + /* Extern declaration for string in build_info.c */
>> + extern const char *compiled_features[];
>> ++
>> ++#endif /* WGET_VERSION_H */
>> diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> new file mode 100644
>> index 000000000..786d28851
>> --- /dev/null
>> +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> @@ -0,0 +1,29 @@
>> +diff --git a/src/hsts.h b/src/hsts.h
>> +index 257f0b0..0065d9f 100644
>> +--- a/src/hsts.h
>> ++++ b/src/hsts.h
>> +@@ -26,13 +26,13 @@ grants you additional permission to convey the resulting
>> work.
>> + Corresponding Source for a non-source form of such a combination
>> + shall include the source code for the parts of OpenSSL used as well
>> + as that of the covered work. */
>> +-#include "wget.h"
>> +
>> +-#ifdef HAVE_HSTS
>> ++#ifndef WGET_HSTS_H
>> ++#define WGET_HSTS_H
>> +
>> +-#ifndef HSTS_H
>> +-#define HSTS_H
>> ++#ifdef HAVE_HSTS
>> +
>> ++#include "wget.h"
>> + #include "url.h"
>> +
>> + typedef struct hsts_store *hsts_store_t;
>> +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
>> + time_t, bool);
>> + bool hsts_match (hsts_store_t, struct url *);
>> +
>> +-#endif /* HSTS_H */
>> + #endif /* HAVE_HSTS */
>> ++#endif /* WGET_HSTS_H */
>
Okay, I will merge this one, but there is no need to follow wget really closely
and patch every bug unless someone runs into it.
They had quite a number of severe security issues, hence I was asking.
Best,
-Michael
On Wed, 2018-05-09 at 19:36 +0200, Matthias Fischer wrote:
> Hi,
>
> On 09.05.2018 13:14, Michael Tremer wrote:
> > Hi,
> >
> > are any of these security-relevant?
>
> I'm not sure - I read this discussion on bug-wget@gnu.org:
>
> ***SNIP***
> On 05/08/2018 09:16 AM, Josef Moellers wrote:
> > > Hi,
> > >
> > > While trying to upgrade to 1.19.5, we found a bug in wget
> > > (src/host.c)
> > > where the (non-existing) return value of a void function is assigned
> > > to
> > > a variable.
> > >
> > > A patch is appended.
>
> Thanks,
>
> setting timer to NULL is not needed here.
>
> I'll amended and pushed the patch.
>
> With Best Regards, Tim
> ***SNAP***
>
> Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git,
> found the two other patches and thought they could be of help.
>
> Unfortunately, I can'T judge what effects these bugs have or why they
> where added. By now, they're undocumented.
>
> Best,
> Matthias
>
> > Best,
> > -Michael
> >
> > On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
> > > For details see:
> > > http://git.savannah.gnu.org/cgit/wget.git
> > >
> > > Best,
> > > Matthias
> > >
> > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> > > ---
> > > lfs/wget | 4 +++
> > > ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
> > > .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
> > > .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
> > > 4 files changed, 66 insertions(+)
> > > create mode 100644 src/patches/wget/01-
> > > src_hosts_c_remove_void_assignment.patch
> > > create mode 100644 src/patches/wget/02-
> > > src_version_h_add_header_guard.patch
> > > create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > >
> > > diff --git a/lfs/wget b/lfs/wget
> > > index 39f59ba80..f753bef1a 100644
> > > --- a/lfs/wget
> > > +++ b/lfs/wget
> > > @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > @$(PREBUILD)
> > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf
> > > $(DIR_DL)/$(DL_FILE)
> > >
> > > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
> > > src_hosts_c_remove_void_assignment.patch
> > > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
> > > src_version_h_add_header_guard.patch
> > > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
> > > src_hsts_h_fix_header_guard.patch
> > > +
> > > cd $(DIR_APP) && ./configure \
> > > --prefix=/usr \
> > > --sysconfdir=/etc \
> > > diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > new file mode 100644
> > > index 000000000..ba488571c
> > > --- /dev/null
> > > +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > @@ -0,0 +1,13 @@
> > > +diff --git a/src/host.c b/src/host.c
> > > +index 4597f46..b42cd6e 100644
> > > +--- a/src/host.c
> > > ++++ b/src/host.c
> > > +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
> > > + ares_process (channel, &read_fds, &write_fds);
> > > + }
> > > + if (timer)
> > > +- timer = ptimer_destroy (timer);
> > > ++ ptimer_destroy (timer);
> > > + }
> > > +
> > > + static void
> > > diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > b/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > new file mode 100644
> > > index 000000000..5fd75b975
> > > --- /dev/null
> > > +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > @@ -0,0 +1,20 @@
> > > +diff --git a/src/version.h b/src/version.h
> > > +index aeae086..ee40bb1 100644
> > > +--- a/src/version.h
> > > ++++ b/src/version.h
> > > +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a
> > > combination
> > > + shall include the source code for the parts of OpenSSL used as well
> > > + as that of the covered work. */
> > > +
> > > ++#ifndef WGET_VERSION_H
> > > ++#define WGET_VERSION_H
> > > ++
> > > + /* Extern declarations for strings in version.c */
> > > + extern const char *version_string;
> > > + extern const char *compilation_string;
> > > +@@ -34,3 +37,5 @@ extern const char *link_string;
> > > +
> > > + /* Extern declaration for string in build_info.c */
> > > + extern const char *compiled_features[];
> > > ++
> > > ++#endif /* WGET_VERSION_H */
> > > diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > new file mode 100644
> > > index 000000000..786d28851
> > > --- /dev/null
> > > +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > @@ -0,0 +1,29 @@
> > > +diff --git a/src/hsts.h b/src/hsts.h
> > > +index 257f0b0..0065d9f 100644
> > > +--- a/src/hsts.h
> > > ++++ b/src/hsts.h
> > > +@@ -26,13 +26,13 @@ grants you additional permission to convey the
> > > resulting
> > > work.
> > > + Corresponding Source for a non-source form of such a combination
> > > + shall include the source code for the parts of OpenSSL used as well
> > > + as that of the covered work. */
> > > +-#include "wget.h"
> > > +
> > > +-#ifdef HAVE_HSTS
> > > ++#ifndef WGET_HSTS_H
> > > ++#define WGET_HSTS_H
> > > +
> > > +-#ifndef HSTS_H
> > > +-#define HSTS_H
> > > ++#ifdef HAVE_HSTS
> > > +
> > > ++#include "wget.h"
> > > + #include "url.h"
> > > +
> > > + typedef struct hsts_store *hsts_store_t;
> > > +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
> > > + time_t, bool);
> > > + bool hsts_match (hsts_store_t, struct url *);
> > > +
> > > +-#endif /* HSTS_H */
> > > + #endif /* HAVE_HSTS */
> > > ++#endif /* WGET_HSTS_H */
>
>
@@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-src_version_h_add_header_guard.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
+
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc \
new file mode 100644
@@ -0,0 +1,13 @@
+diff --git a/src/host.c b/src/host.c
+index 4597f46..b42cd6e 100644
+--- a/src/host.c
++++ b/src/host.c
+@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
+ ares_process (channel, &read_fds, &write_fds);
+ }
+ if (timer)
+- timer = ptimer_destroy (timer);
++ ptimer_destroy (timer);
+ }
+
+ static void
new file mode 100644
@@ -0,0 +1,20 @@
+diff --git a/src/version.h b/src/version.h
+index aeae086..ee40bb1 100644
+--- a/src/version.h
++++ b/src/version.h
+@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a combination
+ shall include the source code for the parts of OpenSSL used as well
+ as that of the covered work. */
+
++#ifndef WGET_VERSION_H
++#define WGET_VERSION_H
++
+ /* Extern declarations for strings in version.c */
+ extern const char *version_string;
+ extern const char *compilation_string;
+@@ -34,3 +37,5 @@ extern const char *link_string;
+
+ /* Extern declaration for string in build_info.c */
+ extern const char *compiled_features[];
++
++#endif /* WGET_VERSION_H */
new file mode 100644
@@ -0,0 +1,29 @@
+diff --git a/src/hsts.h b/src/hsts.h
+index 257f0b0..0065d9f 100644
+--- a/src/hsts.h
++++ b/src/hsts.h
+@@ -26,13 +26,13 @@ grants you additional permission to convey the resulting work.
+ Corresponding Source for a non-source form of such a combination
+ shall include the source code for the parts of OpenSSL used as well
+ as that of the covered work. */
+-#include "wget.h"
+
+-#ifdef HAVE_HSTS
++#ifndef WGET_HSTS_H
++#define WGET_HSTS_H
+
+-#ifndef HSTS_H
+-#define HSTS_H
++#ifdef HAVE_HSTS
+
++#include "wget.h"
+ #include "url.h"
+
+ typedef struct hsts_store *hsts_store_t;
+@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
+ time_t, bool);
+ bool hsts_match (hsts_store_t, struct url *);
+
+-#endif /* HSTS_H */
+ #endif /* HAVE_HSTS */
++#endif /* WGET_HSTS_H */