Tue Nov 23 21:14:45 2010 UTC ()
Pullup ticket 3278 - requested by tron
security fixes
Revisions pulled up:
- pkgsrc/net/wget/Makefile 1.102
- pkgsrc/net/wget/distinfo 1.36
Files added:
pkgsrc/net/wget/patches/patch-aa
pkgsrc/net/wget/patches/patch-ab
pkgsrc/net/wget/patches/patch-ac
pkgsrc/net/wget/patches/patch-ad
pkgsrc/net/wget/patches/patch-ae
pkgsrc/net/wget/patches/patch-af
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Tue Nov 23 08:22:47 UTC 2010
Modified Files:
pkgsrc/net/wget: Makefile distinfo
Added Files:
pkgsrc/net/wget/patches: patch-aa patch-ab patch-ac patch-ad patch-ae
patch-af
Log Message:
Add Debian's "wget" 1.12 backport of the fix for CVE-2010-2252.
To generate a diff of this commit:
cvs rdiff -u -r1.101 -r1.102 pkgsrc/net/wget/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/net/wget/distinfo
cvs rdiff -u -r0 -r1.11 pkgsrc/net/wget/patches/patch-aa \
pkgsrc/net/wget/patches/patch-ac
cvs rdiff -u -r0 -r1.9 pkgsrc/net/wget/patches/patch-ab
cvs rdiff -u -r0 -r1.10 pkgsrc/net/wget/patches/patch-ad
cvs rdiff -u -r0 -r1.8 pkgsrc/net/wget/patches/patch-ae
cvs rdiff -u -r0 -r1.6 pkgsrc/net/wget/patches/patch-af
(spz)
diff -r1.101 -r1.101.8.1 pkgsrc/net/wget/Makefile
diff -r1.35 -r1.35.8.1 pkgsrc/net/wget/distinfo
diff -r0 -r1.11.2.2 pkgsrc/net/wget/patches/patch-aa
diff -r0 -r1.11.2.2 pkgsrc/net/wget/patches/patch-ac
diff -r0 -r1.9.2.2 pkgsrc/net/wget/patches/patch-ab
diff -r0 -r1.10.2.2 pkgsrc/net/wget/patches/patch-ad
diff -r0 -r1.8.2.2 pkgsrc/net/wget/patches/patch-ae
diff -r0 -r1.6.2.2 pkgsrc/net/wget/patches/patch-af
--- pkgsrc/net/wget/Makefile 2009/10/31 02:29:14 1.101
+++ pkgsrc/net/wget/Makefile 2010/11/23 21:14:44 1.101.8.1
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
1 | # $NetBSD: Makefile,v 1.101 2009/10/31 02:29:14 wiz Exp $ | | 1 | # $NetBSD: Makefile,v 1.101.8.1 2010/11/23 21:14:44 spz Exp $ |
2 | | | 2 | |
3 | DISTNAME= wget-1.12 | | 3 | DISTNAME= wget-1.12 |
| | | 4 | PKGREVISION= 1 |
4 | CATEGORIES= net | | 5 | CATEGORIES= net |
5 | MASTER_SITES= ${MASTER_SITE_GNU:=wget/} | | 6 | MASTER_SITES= ${MASTER_SITE_GNU:=wget/} |
6 | | | 7 | |
7 | MAINTAINER= pkgsrc-users@NetBSD.org | | 8 | MAINTAINER= pkgsrc-users@NetBSD.org |
8 | HOMEPAGE= http://www.gnu.org/software/wget/wget.html | | 9 | HOMEPAGE= http://www.gnu.org/software/wget/wget.html |
9 | COMMENT= Retrieve files from the 'net via HTTP and FTP | | 10 | COMMENT= Retrieve files from the 'net via HTTP and FTP |
10 | LICENSE= gnu-gpl-v3 | | 11 | LICENSE= gnu-gpl-v3 |
11 | | | 12 | |
12 | PKG_DESTDIR_SUPPORT= user-destdir | | 13 | PKG_DESTDIR_SUPPORT= user-destdir |
13 | | | 14 | |
14 | USE_TOOLS+= perl | | 15 | USE_TOOLS+= perl |
15 | | | 16 | |
16 | GNU_CONFIGURE= YES | | 17 | GNU_CONFIGURE= YES |
--- pkgsrc/net/wget/distinfo 2009/10/31 02:29:14 1.35
+++ pkgsrc/net/wget/distinfo 2010/11/23 21:14:44 1.35.8.1
| @@ -1,5 +1,11 @@ | | | @@ -1,5 +1,11 @@ |
1 | $NetBSD: distinfo,v 1.35 2009/10/31 02:29:14 wiz Exp $ | | 1 | $NetBSD: distinfo,v 1.35.8.1 2010/11/23 21:14:44 spz Exp $ |
2 | | | 2 | |
3 | SHA1 (wget-1.12.tar.gz) = 50d4ed2441e67db7aa5061d8a4dde41ee0e94248 | | 3 | SHA1 (wget-1.12.tar.gz) = 50d4ed2441e67db7aa5061d8a4dde41ee0e94248 |
4 | RMD160 (wget-1.12.tar.gz) = 232d0aa6fb36731c162d2b7374aa9ab59e671b7d | | 4 | RMD160 (wget-1.12.tar.gz) = 232d0aa6fb36731c162d2b7374aa9ab59e671b7d |
5 | Size (wget-1.12.tar.gz) = 2464747 bytes | | 5 | Size (wget-1.12.tar.gz) = 2464747 bytes |
| | | 6 | SHA1 (patch-aa) = f3f3c4f5aac5aac9c93dcc9f9a5d4e8e438192fd |
| | | 7 | SHA1 (patch-ab) = 0c9a4ace8bd119718013efd175d00232b655cb0d |
| | | 8 | SHA1 (patch-ac) = 4a1f6c08a15d76610cd1aa5e50c165e1c43017ac |
| | | 9 | SHA1 (patch-ad) = f1c32ea0921c455fc48ec153032221e156c785a1 |
| | | 10 | SHA1 (patch-ae) = 9a17a2ecf2e73c8d678bbe3e507002a64258ce40 |
| | | 11 | SHA1 (patch-af) = eaccff4347cec71d1951624a05f36975996fb4db |
$NetBSD: patch-aa,v 1.11.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/http.c.orig 2009-09-22 04:02:18.000000000 +0100
+++ src/http.c 2010-11-22 18:53:25.000000000 +0000
@@ -2410,8 +2410,9 @@
/* The genuine HTTP loop! This is the part where the retrieval is
retried, and retried, and retried, and... */
uerr_t
-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
- int *dt, struct url *proxy, struct iri *iri)
+http_loop (struct url *u, struct url *original_url, char **newloc,
+ char **local_file, const char *referer, int *dt, struct url *proxy,
+ struct iri *iri)
{
int count;
bool got_head = false; /* used for time-stamping and filename detection */
@@ -2457,7 +2458,8 @@
}
else if (!opt.content_disposition)
{
- hstat.local_file = url_file_name (u);
+ hstat.local_file =
+ url_file_name (opt.trustservernames ? u : original_url);
got_name = true;
}
@@ -2497,7 +2499,7 @@
/* Send preliminary HEAD request if -N is given and we have an existing
* destination file. */
- file_name = url_file_name (u);
+ file_name = url_file_name (opt.trustservernames ? u : original_url);
if (opt.timestamping
&& !opt.content_disposition
&& file_exists_p (file_name))
@@ -2852,9 +2854,9 @@
/* Remember that we downloaded the file for later ".orig" code. */
if (*dt & ADDED_HTML_EXTENSION)
- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
else
- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
ret = RETROK;
goto exit;
@@ -2885,9 +2887,9 @@
/* Remember that we downloaded the file for later ".orig" code. */
if (*dt & ADDED_HTML_EXTENSION)
- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
else
- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
ret = RETROK;
goto exit;
$NetBSD: patch-ac,v 1.11.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/init.c.orig 2009-09-22 04:02:41.000000000 +0100
+++ src/init.c 2010-11-22 18:53:25.000000000 +0000
@@ -243,6 +243,7 @@
{ "timeout", NULL, cmd_spec_timeout },
{ "timestamping", &opt.timestamping, cmd_boolean },
{ "tries", &opt.ntry, cmd_number_inf },
+ { "trustservernames", &opt.trustservernames, cmd_boolean },
{ "useproxy", &opt.use_proxy, cmd_boolean },
{ "user", &opt.user, cmd_string },
{ "useragent", NULL, cmd_spec_useragent },
$NetBSD: patch-ab,v 1.9.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/http.h.orig 2009-09-04 17:31:54.000000000 +0100
+++ src/http.h 2010-11-22 18:53:25.000000000 +0000
@@ -33,8 +33,8 @@
struct url;
-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
- struct url *, struct iri *);
+uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
+ int *, struct url *, struct iri *);
void save_cookies (void);
void http_cleanup (void);
time_t http_atotm (const char *);
$NetBSD: patch-ad,v 1.10.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/main.c.orig 2009-09-22 04:03:11.000000000 +0100
+++ src/main.c 2010-11-22 18:53:25.000000000 +0000
@@ -266,6 +266,7 @@
{ "timeout", 'T', OPT_VALUE, "timeout", -1 },
{ "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
{ "tries", 't', OPT_VALUE, "tries", -1 },
+ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
{ "user", 0, OPT_VALUE, "user", -1 },
{ "user-agent", 'U', OPT_VALUE, "useragent", -1 },
{ "verbose", 'v', OPT_BOOLEAN, "verbose", -1 },
@@ -675,6 +676,8 @@
N_("\
-I, --include-directories=LIST list of allowed directories.\n"),
N_("\
+ --trust-server-names use the name specified by the redirection url last component.\n"),
+ N_("\
-X, --exclude-directories=LIST list of excluded directories.\n"),
N_("\
-np, --no-parent don't ascend to the parent directory.\n"),
$NetBSD: patch-ae,v 1.8.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/options.h.orig 2009-09-22 04:03:47.000000000 +0100
+++ src/options.h 2010-11-22 18:53:25.000000000 +0000
@@ -242,6 +242,7 @@
char *encoding_remote;
char *locale;
+ bool trustservernames;
#ifdef __VMS
int ftp_stmlf; /* Force Stream_LF format for binary FTP. */
#endif /* def __VMS */
$NetBSD: patch-af,v 1.6.2.2 2010/11/23 21:14:45 spz Exp $
Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
from Debian:
http://packages.debian.org/sid/wget
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
--- src/retr.c.orig 2009-09-04 17:31:54.000000000 +0100
+++ src/retr.c 2010-11-22 18:53:25.000000000 +0000
@@ -689,7 +689,8 @@
#endif
|| (proxy_url && proxy_url->scheme == SCHEME_HTTP))
{
- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
+ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
+ proxy_url, iri);
}
else if (u->scheme == SCHEME_FTP)
{