Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1477860939193200" MIME-Version: 1.0 Date: Sun, 30 Oct 2016 20:55:39 +0000 
From: "S.P.Zeidler" Subject: CVS commit: pkgsrc/net/wget To: pkgsrc-changes@NetBSD.org Reply-To: spz@netbsd.org X-Mailer: log_accum Message-Id: <20161030205539.E7957FB9F@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk This is a multi-part message in MIME format. --_----------=_1477860939193200 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: spz Date: Sun Oct 30 20:55:39 UTC 2016 Modified Files: pkgsrc/net/wget: Makefile distinfo Added Files: pkgsrc/net/wget/patches: patch-CVE-2016-7098 Log Message: add a patch for CVE-2016-7098 from upstream To generate a diff of this commit: cvs rdiff -u -r1.132 -r1.133 pkgsrc/net/wget/Makefile cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/wget/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/net/wget/patches/patch-CVE-2016-7098 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1477860939193200 Content-Disposition: inline Content-Length: 3443 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/net/wget/Makefile diff -u pkgsrc/net/wget/Makefile:1.132 pkgsrc/net/wget/Makefile:1.133 --- pkgsrc/net/wget/Makefile:1.132 Mon Sep 19 13:04:26 2016 +++ pkgsrc/net/wget/Makefile Sun Oct 30 20:55:39 2016 @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.132 2016/09/19 13:04:26 wiz Exp $ +# $NetBSD: Makefile,v 1.133 2016/10/30 20:55:39 spz Exp $ DISTNAME= wget-1.18 -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_GNU:=wget/} EXTRACT_SUFX= .tar.xz Index: pkgsrc/net/wget/distinfo diff -u pkgsrc/net/wget/distinfo:1.51 pkgsrc/net/wget/distinfo:1.52 --- pkgsrc/net/wget/distinfo:1.51 Sat Jun 11 18:33:22 2016 +++ pkgsrc/net/wget/distinfo Sun Oct 30 20:55:39 2016 
@@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.51 2016/06/11 18:33:22 wiz Exp $ +$NetBSD: distinfo,v 1.52 2016/10/30 20:55:39 spz Exp $ SHA1 (wget-1.18.tar.xz) = 02d451e658f600ee519c42cbf4d3bfe4e49b6c4f RMD160 (wget-1.18.tar.xz) = 4fdf9c523b434050eeccfbd14b98c90c591d7ce4 SHA512 (wget-1.18.tar.xz) = a3f6fe2f44a8d797659d55cffaf81eb82b770c96222a0ee29bc4931b13846f8d8b9a07806f2197723c873a1248922d59cca5a81869661d9c6c3107447c184338 Size (wget-1.18.tar.xz) = 1922376 bytes +SHA1 (patch-CVE-2016-7098) = fa6c96a24590c191440ae91f76e5c10e8db84d4b SHA1 (patch-configure) = 4d65f3e3c4d60174442aa1b75b64b7511bbc6497 SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8 Added files: Index: pkgsrc/net/wget/patches/patch-CVE-2016-7098 diff -u /dev/null pkgsrc/net/wget/patches/patch-CVE-2016-7098:1.1 --- /dev/null Sun Oct 30 20:55:39 2016 +++ pkgsrc/net/wget/patches/patch-CVE-2016-7098 Sun Oct 30 20:55:39 2016 
@@ -0,0 +1,56 @@ +patch for CVE-2016-7098 from +http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d +http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957 +(only the compilable parts) + +--- src/http.c.orig 2016-06-09 16:10:14.000000000 +0000 ++++ src/http.c 2016-10-27 20:02:46.000000000 +0000 +@@ -39,6 +39,7 @@ as that of the covered work. */ + #include + #include + #include ++#include + + #include "hash.h" + #include "http.h" +@@ -1564,6 +1565,7 @@ struct http_stat + #ifdef HAVE_METALINK + metalink_t *metalink; + #endif ++ bool temporary; /* downloading a temporary file */ + }; + + static void +@@ -2254,6 +2256,15 @@ check_file_output (struct url *u, struct + xfree (local_file); + } + ++ hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file); ++ if (hs->temporary) ++ { ++ char *tmp = NULL; ++ asprintf (&tmp, "%s.tmp", hs->local_file); ++ xfree (hs->local_file); ++ hs->local_file = tmp; ++ } ++ + /* TODO: perform this check only once. */ + if (!hs->existence_checked && file_exists_p (hs->local_file)) + { +@@ -2467,7 +2478,15 @@ open_output_stream (struct http_stat *hs + open_id = 22; + *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS); + #else /* def __VMS */ +- *fp = fopen (hs->local_file, "wb"); ++ if (hs->temporary) ++ { ++ *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb"); ++ } ++ else ++ { ++ *fp = fopen (hs->local_file, "wb"); ++ } ++ + #endif /* def __VMS [else] */ + } + else --_----------=_1477860939193200--
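Review bot: The header of patch-CVE-2016-7098 says "(only the compilable parts)" but does not say which parts of the two referenced upstream commits were left out. Listing the omitted files or hunks in that header would let a later reader judge whether the packaged fix covers everything the upstream change did, and what to re-check when the package is updated past wget-1.18.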
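Review bot: In the check_file_output hunk (@@ -2254,6 +2256,15 @@) the return value of asprintf (&tmp, "%s.tmp", hs->local_file) is not checked, yet the original name is freed and hs->local_file = tmp is assigned unconditionally, so on allocation failure the file_exists_p (hs->local_file) call that follows operates on an invalid pointer. Test for a negative return before the xfree and fail the download in that case. The fixed ".tmp" suffix also makes the temporary name predictable and able to collide with a real file of that name in the download directory; a name that is guaranteed unique would avoid both.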
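Review bot: In the open_output_stream hunk (@@ -2467,7 +2478,15 @@) the descriptor returned by open () is passed straight into fdopen (), so a failed open is only seen as fdopen (-1, "wb") returning NULL with the original errno lost, and a failed fdopen leaks the descriptor. Hold the descriptor in a local variable, check it for -1, and close it if fdopen fails. Separately, O_CREAT | O_TRUNC without O_EXCL opens and truncates a file that already exists at the ".tmp" name and keeps its existing permissions, because the S_IRUSR | S_IWUSR mode applies only when open () creates the file; adding O_EXCL and handling EEXIST would make the owner-only permission hold in every case.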