add a patch for CVE-2016-7098 from upstream
diff -r1.132 -r1.133 pkgsrc/net/wget/Makefile
(spz)
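--- a/pkgsrc/net/wget/Makefile
+++ b/pkgsrc/net/wget/Makefile
@@ -1,35 +1,35 @@
-# $NetBSD: Makefile,v 1.132 2016/09/19 13:04:26 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2016/10/30 20:55:39 spz Exp $
 
 DISTNAME= wget-1.18
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_GNU:=wget/}
 EXTRACT_SUFX= .tar.xz
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.gnu.org/software/wget/wget.html
 COMMENT= Retrieve files from the 'net via HTTP and FTP
 LICENSE= gnu-gpl-v3
 
 USE_TOOLS+= perl pod2man pkg-config
 
 GNU_CONFIGURE= YES
 USE_OLD_DES_API= YES
 USE_PKGLOCALEDIR= YES
 USE_TOOLS+= msgfmt
 
 CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
 
 REPLACE_PERL+= doc/texi2pod.pl
 
 EGDIR= ${PREFIX}/share/examples/wget
 CONF_FILES= ${EGDIR}/wgetrc ${PKG_SYSCONFDIR}/wgetrc
 INFO_FILES= YES
 
 INSTALL_MAKE_FLAGS= ${MAKE_FLAGS} sysconfdir=${EGDIR}
 
 .include "options.mk"
 
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"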
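--- a/pkgsrc/net/wget/distinfo
+++ b/pkgsrc/net/wget/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2016/06/11 18:33:22 wiz Exp $
+$NetBSD: distinfo,v 1.52 2016/10/30 20:55:39 spz Exp $
 
 SHA1 (wget-1.18.tar.xz) = 02d451e658f600ee519c42cbf4d3bfe4e49b6c4f
 RMD160 (wget-1.18.tar.xz) = 4fdf9c523b434050eeccfbd14b98c90c591d7ce4
 SHA512 (wget-1.18.tar.xz) = a3f6fe2f44a8d797659d55cffaf81eb82b770c96222a0ee29bc4931b13846f8d8b9a07806f2197723c873a1248922d59cca5a81869661d9c6c3107447c184338
 Size (wget-1.18.tar.xz) = 1922376 bytes
+SHA1 (patch-CVE-2016-7098) = fa6c96a24590c191440ae91f76e5c10e8db84d4b
 SHA1 (patch-configure) = 4d65f3e3c4d60174442aa1b75b64b7511bbc6497
 SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8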
patch for CVE-2016-7098 from
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957
(only the compilable parts)
--- src/http.c.orig 2016-06-09 16:10:14.000000000 +0000
+++ src/http.c 2016-10-27 20:02:46.000000000 +0000
@@ -39,6 +39,7 @@ as that of the covered work. */
#include <errno.h>
#include <time.h>
#include <locale.h>
+#include <fcntl.h>
#include "hash.h"
#include "http.h"
@@ -1564,6 +1565,7 @@ struct http_stat
#ifdef HAVE_METALINK
metalink_t *metalink;
#endif
+ bool temporary; /* downloading a temporary file */
};
static void
@@ -2254,6 +2256,15 @@ check_file_output (struct url *u, struct
xfree (local_file);
}
+ hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file);
+ if (hs->temporary)
+ {
+ char *tmp = NULL;
+ asprintf (&tmp, "%s.tmp", hs->local_file);
+ xfree (hs->local_file);
+ hs->local_file = tmp;
+ }
+
/* TODO: perform this check only once. */
if (!hs->existence_checked && file_exists_p (hs->local_file))
{
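Review bot: The `asprintf (&tmp, "%s.tmp", hs->local_file)` line ignores the return value; on failure `tmp` stays NULL (its contents are unspecified on some libcs), and the two lines that follow free `hs->local_file` and replace it with that pointer, so the `file_exists_p (hs->local_file)` call below and the later open would run on a NULL name. A minimal guard is `if (asprintf (&tmp, "%s.tmp", hs->local_file) < 0) return;` placed before the `xfree`, or, if the surrounding code's allocation helpers abort on out-of-memory, an explicit abort to match that policy rather than a silent NULL. The `.tmp` name is also predictable, and it is only safe together with the restrictive create mode added in open_output_stream; a comment such as `/* predictable name: open_output_stream must create it with O_EXCL-style care and 0600 mode */` would document that the two hunks depend on each other. check_file_output starts and ends outside the hunk.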
@@ -2467,7 +2478,15 @@ open_output_stream (struct http_stat *hs
open_id = 22;
*fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
#else /* def __VMS */
- *fp = fopen (hs->local_file, "wb");
+ if (hs->temporary)
+ {
+ *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb");
+ }
+ else
+ {
+ *fp = fopen (hs->local_file, "wb");
+ }
+
#endif /* def __VMS [else] */
}
else
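Review bot: The new `open` on the temporary path uses `O_CREAT | O_TRUNC` without `O_EXCL`, so an entry that already exists at the predictable `<name>.tmp` path (a symlink included, since open follows it) is truncated and written through rather than refused; adding `O_EXCL` is the usual mitigation for exactly the file-creation race this patch targets, and it makes `O_TRUNC` redundant. Passing the result of `open` straight into `fdopen` also means a failed `open` (-1) reaches `fdopen`, which replaces `errno` with EBADF, so the caller's error report loses the real cause. The `__VMS` branch a few lines up still opens temporary files with plain `fopen`, so the 0600 mode restriction does not apply there; presumably acceptable, but worth a comment. `S_IRUSR`/`S_IWUSR` come from `<sys/stat.h>`, which the first hunk does not add, and `O_BINARY` is not a POSIX flag — presumably both are provided by headers already included elsewhere in http.c, but that should be confirmed.
```c
          if (hs->temporary)
            {
              /* O_EXCL: refuse a pre-existing entry at the predictable .tmp name instead of writing through it */
              int fd = open (hs->local_file, O_BINARY | O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
              /* keep open()'s errno for the caller; fdopen (-1) would report EBADF */
              *fp = fd < 0 ? NULL : fdopen (fd, "wb");
            }
          /* … unchanged: non-temporary fopen branch … */
```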