diff options
| -rw-r--r-- | debian/changelog | 10 | ||||
| -rw-r--r-- | debian/control | 5 | ||||
| -rw-r--r-- | debian/patches/CVE-2024-38428.patch | 75 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rwxr-xr-x | debian/rules | 2 |
5 files changed, 90 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 3983458..bdba5ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +wget (1.24.5-2) unstable; urgency=medium + + * patch from git to fix CVE-2024-38428 URL parser issue with semicolons + closes: Bug#1073523 + * debian/rules replace cp by dh_update_autotools_config + * debian/control raised Standards-Version to 4.7.0, no changes needed + * debian/control add Vcs-Browser + + -- Noël Köthe <noel@debian.org> Sun, 28 Jul 2024 06:49:33 +0200 + wget (1.24.5-1~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: diff --git a/debian/control b/debian/control index 90937de..a54c579 100644 --- a/debian/control +++ b/debian/control @@ -5,12 +5,13 @@ Maintainer: Progress Linux Maintainers <maintainers@lists.progress-linux.org> XSBC-Uploaders: Daniel Baumann <daniel.baumann@progress-linux.org> XSBC-Original-Maintainer: Noël Köthe <noel@debian.org> Bugs: mailto:maintainers@lists.progress-linux.org -Build-Depends: debhelper-compat (= 13), pkgconf, gettext, texinfo, libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism -Standards-Version: 4.6.0 +Build-Depends: debhelper-compat (= 13), pkgconf, gettext, texinfo, libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5), automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism +Standards-Version: 4.7.0 Homepage: https://www.gnu.org/software/wget/ Rules-Requires-Root: no Vcs-Browser: https://git.progress-linux.org/packages/graograman-backports/wget Vcs-Git: https://git.progress-linux.org/packages/graograman-backports/wget +XSBC-Original-Vcs-Browser: https://salsa.debian.org/noel/wget Package: wget Architecture: any diff --git a/debian/patches/CVE-2024-38428.patch b/debian/patches/CVE-2024-38428.patch new file mode 100644 index 0000000..b27f1cb --- /dev/null +++ b/debian/patches/CVE-2024-38428.patch @@ -0,0 +1,75 @@ +From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> +Date: Sun, 2 Jun 2024 12:40:16 +0200 +Subject: Properly re-implement userinfo parsing (rfc2396) + +* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396) + +The reason why the implementation is based on RFC 2396, an outdated standard, +is that the whole file is based on that RFC, and mixing standard here might be +dangerous. +--- + src/url.c | 40 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/src/url.c b/src/url.c +index 69e948b..07c3bc8 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -41,6 +41,7 @@ as that of the covered work. */ + #include "url.h" + #include "host.h" /* for is_valid_ipv6_address */ + #include "c-strcase.h" ++#include "c-ctype.h" + + #ifdef HAVE_ICONV + # include <iconv.h> +@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme) + static const char * + url_skip_credentials (const char *url) + { +- /* Look for '@' that comes before terminators, such as '/', '?', +- '#', or ';'. */ +- const char *p = (const char *)strpbrk (url, "@/?#;"); +- if (!p || *p != '@') +- return url; +- return p + 1; ++ /* ++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 . ++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit. ++ * ++ * The RFC says ++ * server = [ [ userinfo "@" ] hostport ] ++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) ++ * unreserved = alphanum | mark ++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")" ++ */ ++ static const char *allowed = "-_.!~*'();:&=+$,"; ++ ++ for (const char *p = url; *p; p++) ++ { ++ if (c_isalnum(*p)) ++ continue; ++ ++ if (strchr(allowed, *p)) ++ continue; ++ ++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2])) ++ { ++ p += 2; ++ continue; ++ } ++ ++ if (*p == '@') ++ return p + 1; ++ ++ break; ++ } ++ ++ return url; + } + + /* Parse credentials contained in [BEG, END). The region is expected +-- +cgit v1.1 + diff --git a/debian/patches/series b/debian/patches/series index 3e88066..0304313 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +CVE-2024-38428.patch wget-doc-remove-usr-local-in-sample.wgetrc wget-doc-remove-usr-local-in-wget.texi wget-passive_ftp-default diff --git a/debian/rules b/debian/rules index 498252b..663d0ac 100755 --- a/debian/rules +++ b/debian/rules @@ -24,7 +24,7 @@ CFLAGS += -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall configure-stamp: configure-udeb-stamp dh_testdir - cp /usr/share/misc/config.guess /usr/share/misc/config.sub . + dh_update_autotools_config mkdir -p build # Add here commands to configure the package. cd build && CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ../configure \ |