Sun Oct 30 20:55:39 2016 UTC ()
add a patch for CVE-2016-7098 from upstream


(spz)
diff -r1.132 -r1.133 pkgsrc/net/wget/Makefile
diff -r1.51 -r1.52 pkgsrc/net/wget/distinfo
diff -r0 -r1.1 pkgsrc/net/wget/patches/patch-CVE-2016-7098

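--- a/pkgsrc/net/wget/Makefile
+++ b/pkgsrc/net/wget/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.132 2016/09/19 13:04:26 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2016/10/30 20:55:39 spz Exp $
 
 DISTNAME= wget-1.18
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_GNU:=wget/}
 EXTRACT_SUFX= .tar.xz
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.gnu.org/software/wget/wget.html
 COMMENT= Retrieve files from the 'net via HTTP and FTP
 LICENSE= gnu-gpl-v3
 
 USE_TOOLS+= perl pod2man pkg-config
 
 GNU_CONFIGURE= YES
 USE_OLD_DES_API= YES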

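--- a/pkgsrc/net/wget/distinfo
+++ b/pkgsrc/net/wget/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2016/06/11 18:33:22 wiz Exp $
+$NetBSD: distinfo,v 1.52 2016/10/30 20:55:39 spz Exp $
 
 SHA1 (wget-1.18.tar.xz) = 02d451e658f600ee519c42cbf4d3bfe4e49b6c4f
 RMD160 (wget-1.18.tar.xz) = 4fdf9c523b434050eeccfbd14b98c90c591d7ce4
 SHA512 (wget-1.18.tar.xz) = a3f6fe2f44a8d797659d55cffaf81eb82b770c96222a0ee29bc4931b13846f8d8b9a07806f2197723c873a1248922d59cca5a81869661d9c6c3107447c184338
 Size (wget-1.18.tar.xz) = 1922376 bytes
+SHA1 (patch-CVE-2016-7098) = fa6c96a24590c191440ae91f76e5c10e8db84d4b
 SHA1 (patch-configure) = 4d65f3e3c4d60174442aa1b75b64b7511bbc6497
 SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8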

File Added: pkgsrc/net/wget/patches/Attic/patch-CVE-2016-7098
patch for CVE-2016-7098 from
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957
(only the compilable parts)

--- src/http.c.orig	2016-06-09 16:10:14.000000000 +0000
+++ src/http.c	2016-10-27 20:02:46.000000000 +0000
@@ -39,6 +39,7 @@ as that of the covered work.  */
 #include <errno.h>
 #include <time.h>
 #include <locale.h>
+#include <fcntl.h>
 
 #include "hash.h"
 #include "http.h"
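Review bot: The mode bits S_IRUSR | S_IWUSR that the new open() call in the open_output_stream hunk passes are declared in <sys/stat.h>, which this include hunk does not add; if http.c does not already include that header further up (the rest of the include list is outside the patch), the build relies on a transitive include. Adding `#include <sys/stat.h>` next to the new `#include <fcntl.h>` line makes the dependency explicit. O_BINARY is not a POSIX flag; presumably wget's gnulib replacement for fcntl.h, which this include pulls in, defines it as 0 on non-Windows hosts, which is worth confirming before relying on the flag in portable code.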
@@ -1564,6 +1565,7 @@ struct http_stat
 #ifdef HAVE_METALINK
   metalink_t *metalink;
 #endif
+  bool temporary;               /* downloading a temporary file */
 };
 
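Review bot: The comment on the new `temporary` field records when it is set but not what it changes, which is the part a maintainer reading struct http_stat needs. Based on the two later hunks, something like `/* true when the file will not be kept (--delete-after, --spider, or rejected by the accept/reject lists): it is written under a .tmp name and created with mode 0600 */` describes the contract. The field is only assigned in check_file_output, so the fix presumably relies on the struct being zeroed before any path that reaches open_output_stream without passing through that function; confirm that is the case for every caller.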
 static void
@@ -2254,6 +2256,15 @@ check_file_output (struct url *u, struct
       xfree (local_file);
     }
 
+  hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file);
+  if (hs->temporary)
+    {
+      char *tmp = NULL;
+      asprintf (&tmp, "%s.tmp", hs->local_file);
+      xfree (hs->local_file);
+      hs->local_file = tmp;
+    }
+
   /* TODO: perform this check only once. */
   if (!hs->existence_checked && file_exists_p (hs->local_file))
     {
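Review bot: The return value of `asprintf (&tmp, "%s.tmp", hs->local_file);` is not checked, and on failure asprintf returns -1 and leaves tmp unspecified (glibc leaves it untouched, so NULL here); hs->local_file is then freed and replaced with that NULL, and the later file_exists_p call and the open() in open_output_stream receive a null pointer. Checking the result, for example `if (asprintf (&tmp, "%s.tmp", hs->local_file) < 0) return FOPENERR;` (assuming check_file_output's return type is uerr_t, which is outside the hunk), or using wget's own aprintf() helper, which allocates through xmalloc and never returns NULL, closes that hole. Note also that the existence check below now runs against the `.tmp` name rather than the user-visible one, so a stale `.tmp` left by an interrupted run is what gets uniquified; that is presumably intended but deserves a comment. check_file_output starts before this hunk.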
@@ -2467,7 +2478,15 @@ open_output_stream (struct http_stat *hs
           open_id = 22;
           *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
 #else /* def __VMS */
-          *fp = fopen (hs->local_file, "wb");
+          if (hs->temporary)
+            {
+              *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb");
+            }
+          else
+            {
+              *fp = fopen (hs->local_file, "wb");
+            }
+
 #endif /* def __VMS [else] */
         }
       else
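Review bot: Nesting open() directly inside fdopen() loses the error cause when open() fails: fdopen(-1, "wb") returns NULL with errno set to EBADF, so the caller's failure report (presumably the strerror(errno) message that follows a NULL *fp in open_output_stream) will say "Bad file descriptor" instead of the real reason such as EACCES or ENOSPC. Conversely, if open() succeeds and fdopen() fails, the descriptor is leaked. Splitting the call keeps errno meaningful and closes the fd on the fdopen failure path; close() needs <unistd.h>, which http.c very likely already includes. Separately, the new open() uses O_CREAT without O_EXCL, so when a file or symlink already exists at the `.tmp` path the 0600 mode is not applied and the existing object is truncated in place; whether the existence check in check_file_output makes that unreachable is worth stating in a comment here, since the mode restriction is the point of the CVE-2016-7098 fix.
```c
          if (hs->temporary)
            {
              int fd = open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
              if (fd < 0)
                *fp = NULL;                     /* errno from open() is what the caller reports */
              else if ((*fp = fdopen (fd, "wb")) == NULL)
                {
                  int saved_errno = errno;
                  close (fd);
                  errno = saved_errno;
                }
            }
          /* … unchanged: non-temporary fopen branch … */
```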