summaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/changelog10
-rw-r--r--debian/control3
-rw-r--r--debian/patches/CVE-2024-38428.patch75
-rw-r--r--debian/patches/series1
-rwxr-xr-xdebian/rules2
5 files changed, 89 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 1d05665..e262b6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+wget (1.24.5-2) unstable; urgency=medium
+
+ * patch from git to fix CVE-2024-38428 URL parser issue with semicolons
+ closes: Bug#1073523
+ * debian/rules replace cp by dh_update_autotools_config
+ * debian/control raised Standards-Version to 4.7.0, no changes needed
+ * debian/control add Vcs-Browser
+
+ -- Noël Köthe <noel@debian.org> Sun, 28 Jul 2024 06:49:33 +0200
+
wget (1.24.5-1) unstable; urgency=medium
* new upstream release from 2024-03-10
diff --git a/debian/control b/debian/control
index 466eb9e..a1132a9 100644
--- a/debian/control
+++ b/debian/control
@@ -3,8 +3,9 @@ Section: web
Priority: standard
Maintainer: Noël Köthe <noel@debian.org>
Build-Depends: debhelper-compat (= 13), pkgconf, gettext, texinfo, libidn2-dev, uuid-dev, libpsl-dev, libpcre2-dev, libgnutls28-dev (>= 3.3.15-5), automake, libssl-dev (>= 0.9.8k), zlib1g-dev, dh-strip-nondeterminism
-Standards-Version: 4.6.0
+Standards-Version: 4.7.0
Homepage: https://www.gnu.org/software/wget/
+Vcs-Browser: https://salsa.debian.org/noel/wget
Rules-Requires-Root: no
Package: wget
diff --git a/debian/patches/CVE-2024-38428.patch b/debian/patches/CVE-2024-38428.patch
new file mode 100644
index 0000000..b27f1cb
--- /dev/null
+++ b/debian/patches/CVE-2024-38428.patch
@@ -0,0 +1,75 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+--
+cgit v1.1
+
diff --git a/debian/patches/series b/debian/patches/series
index daa608f..19fb5e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+CVE-2024-38428.patch
wget-doc-remove-usr-local-in-sample.wgetrc
wget-doc-remove-usr-local-in-wget.texi
wget-passive_ftp-default
diff --git a/debian/rules b/debian/rules
index e055f9f..e9addae 100755
--- a/debian/rules
+++ b/debian/rules
@@ -24,7 +24,7 @@ CFLAGS += -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
configure-stamp: configure-udeb-stamp
dh_testdir
- cp /usr/share/misc/config.guess /usr/share/misc/config.sub .
+ dh_update_autotools_config
mkdir -p build
# Add here commands to configure the package.
cd build && CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ../configure \