Add Debian's "wget" 1.12 backport of the fix for CVE-2010-2252.

author: tron <tron@pkgsrc.org> 2010-11-23 08:22:46 +0000
committer: tron <tron@pkgsrc.org> 2010-11-23 08:22:46 +0000
commit: 6d804e24add073669cca87b577164b7a21def2e5 (patch)
tree: ebd6d59e523a4796c7499bf8cf76399180634872 /net/wget
parent: cb98b58e118ab02339a042459df4814802e896ae (diff)
download: pkgsrc-6d804e24add073669cca87b577164b7a21def2e5.tar.gz
8 files changed, 178 insertions, 2 deletions
diff --git a/net/wget/Makefile b/net/wget/Makefile
index ec0ae0ca94d..4c293792574 100644
--- a/net/wget/Makefile
+++ b/net/wget/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.101 2009/10/31 02:29:14 wiz Exp $
+# $NetBSD: Makefile,v 1.102 2010/11/23 08:22:46 tron Exp $
 
 DISTNAME=	wget-1.12
+PKGREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_GNU:=wget/}
 
diff --git a/net/wget/distinfo b/net/wget/distinfo
index e2888dee1fd..25ee0dc3967 100644
--- a/net/wget/distinfo
+++ b/net/wget/distinfo
@@ -1,5 +1,11 @@
-$NetBSD: distinfo,v 1.35 2009/10/31 02:29:14 wiz Exp $
+$NetBSD: distinfo,v 1.36 2010/11/23 08:22:46 tron Exp $
 
 SHA1 (wget-1.12.tar.gz) = 50d4ed2441e67db7aa5061d8a4dde41ee0e94248
 RMD160 (wget-1.12.tar.gz) = 232d0aa6fb36731c162d2b7374aa9ab59e671b7d
 Size (wget-1.12.tar.gz) = 2464747 bytes
+SHA1 (patch-aa) = f3f3c4f5aac5aac9c93dcc9f9a5d4e8e438192fd
+SHA1 (patch-ab) = 0c9a4ace8bd119718013efd175d00232b655cb0d
+SHA1 (patch-ac) = 4a1f6c08a15d76610cd1aa5e50c165e1c43017ac
+SHA1 (patch-ad) = f1c32ea0921c455fc48ec153032221e156c785a1
+SHA1 (patch-ae) = 9a17a2ecf2e73c8d678bbe3e507002a64258ce40
+SHA1 (patch-af) = eaccff4347cec71d1951624a05f36975996fb4db
diff --git a/net/wget/patches/patch-aa b/net/wget/patches/patch-aa
new file mode 100644
index 00000000000..e036e201973
--- /dev/null
+++ b/net/wget/patches/patch-aa
@@ -0,0 +1,65 @@
+$NetBSD: patch-aa,v 1.11 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/http.c.orig	2009-09-22 04:02:18.000000000 +0100
++++ src/http.c	2010-11-22 18:53:25.000000000 +0000
+@@ -2410,8 +2410,9 @@
+ /* The genuine HTTP loop!  This is the part where the retrieval is
+    retried, and retried, and retried, and...  */
+ uerr_t
+-http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
+-           int *dt, struct url *proxy, struct iri *iri)
++http_loop (struct url *u, struct url *original_url, char **newloc,
++           char **local_file, const char *referer, int *dt, struct url *proxy,
++           struct iri *iri)
+ {
+   int count;
+   bool got_head = false;         /* used for time-stamping and filename detection */
+@@ -2457,7 +2458,8 @@
+     }
+   else if (!opt.content_disposition)
+     {
+-      hstat.local_file = url_file_name (u);
++      hstat.local_file =
++        url_file_name (opt.trustservernames ? u : original_url);
+       got_name = true;
+     }
+ 
+@@ -2497,7 +2499,7 @@
+ 
+   /* Send preliminary HEAD request if -N is given and we have an existing
+    * destination file. */
+-  file_name = url_file_name (u);
++  file_name = url_file_name (opt.trustservernames ? u : original_url);
+   if (opt.timestamping
+       && !opt.content_disposition
+       && file_exists_p (file_name))
+@@ -2852,9 +2854,9 @@
+ 
+           /* Remember that we downloaded the file for later ".orig" code. */
+           if (*dt & ADDED_HTML_EXTENSION)
+-            downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++            downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+           else
+-            downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++            downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ 
+           ret = RETROK;
+           goto exit;
+@@ -2885,9 +2887,9 @@
+ 
+               /* Remember that we downloaded the file for later ".orig" code. */
+               if (*dt & ADDED_HTML_EXTENSION)
+-                downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
++                downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
+               else
+-                downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
++                downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
+ 
+               ret = RETROK;
+               goto exit;
diff --git a/net/wget/patches/patch-ab b/net/wget/patches/patch-ab
new file mode 100644
index 00000000000..9e7aa959d28
--- /dev/null
+++ b/net/wget/patches/patch-ab
@@ -0,0 +1,21 @@
+$NetBSD: patch-ab,v 1.9 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/http.h.orig	2009-09-04 17:31:54.000000000 +0100
++++ src/http.h	2010-11-22 18:53:25.000000000 +0000
+@@ -33,8 +33,8 @@
+ 
+ struct url;
+ 
+-uerr_t http_loop (struct url *, char **, char **, const char *, int *,
+-		  struct url *, struct iri *);
++uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
++                  int *, struct url *, struct iri *);
+ void save_cookies (void);
+ void http_cleanup (void);
+ time_t http_atotm (const char *);
diff --git a/net/wget/patches/patch-ac b/net/wget/patches/patch-ac
new file mode 100644
index 00000000000..627e98e44ba
--- /dev/null
+++ b/net/wget/patches/patch-ac
@@ -0,0 +1,18 @@
+$NetBSD: patch-ac,v 1.11 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/init.c.orig	2009-09-22 04:02:41.000000000 +0100
++++ src/init.c	2010-11-22 18:53:25.000000000 +0000
+@@ -243,6 +243,7 @@
+   { "timeout",          NULL,                   cmd_spec_timeout },
+   { "timestamping",     &opt.timestamping,      cmd_boolean },
+   { "tries",            &opt.ntry,              cmd_number_inf },
++  { "trustservernames", &opt.trustservernames,  cmd_boolean },
+   { "useproxy",         &opt.use_proxy,         cmd_boolean },
+   { "user",             &opt.user,              cmd_string },
+   { "useragent",        NULL,                   cmd_spec_useragent },
diff --git a/net/wget/patches/patch-ad b/net/wget/patches/patch-ad
new file mode 100644
index 00000000000..645443ffbfc
--- /dev/null
+++ b/net/wget/patches/patch-ad
@@ -0,0 +1,27 @@
+$NetBSD: patch-ad,v 1.10 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/main.c.orig	2009-09-22 04:03:11.000000000 +0100
++++ src/main.c	2010-11-22 18:53:25.000000000 +0000
+@@ -266,6 +266,7 @@
+     { "timeout", 'T', OPT_VALUE, "timeout", -1 },
+     { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
+     { "tries", 't', OPT_VALUE, "tries", -1 },
++    { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
+     { "user", 0, OPT_VALUE, "user", -1 },
+     { "user-agent", 'U', OPT_VALUE, "useragent", -1 },
+     { "verbose", 'v', OPT_BOOLEAN, "verbose", -1 },
+@@ -675,6 +676,8 @@
+     N_("\
+   -I,  --include-directories=LIST  list of allowed directories.\n"),
+     N_("\
++  --trust-server-names  use the name specified by the redirection url last component.\n"),
++    N_("\
+   -X,  --exclude-directories=LIST  list of excluded directories.\n"),
+     N_("\
+   -np, --no-parent                 don't ascend to the parent directory.\n"),
diff --git a/net/wget/patches/patch-ae b/net/wget/patches/patch-ae
new file mode 100644
index 00000000000..05a6b04531b
--- /dev/null
+++ b/net/wget/patches/patch-ae
@@ -0,0 +1,18 @@
+$NetBSD: patch-ae,v 1.8 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/options.h.orig	2009-09-22 04:03:47.000000000 +0100
++++ src/options.h	2010-11-22 18:53:25.000000000 +0000
+@@ -242,6 +242,7 @@
+   char *encoding_remote;
+   char *locale;
+ 
++  bool trustservernames;
+ #ifdef __VMS
+   int ftp_stmlf;                /* Force Stream_LF format for binary FTP. */
+ #endif /* def __VMS */
diff --git a/net/wget/patches/patch-af b/net/wget/patches/patch-af
new file mode 100644
index 00000000000..d4179795123
--- /dev/null
+++ b/net/wget/patches/patch-af
@@ -0,0 +1,20 @@
+$NetBSD: patch-af,v 1.6 2010/11/23 08:22:47 tron Exp $
+
+Back port of patch for CVE-2010-2252 for to version 1.12 of "wget" taken
+from Debian:
+
+http://packages.debian.org/sid/wget
+http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.12-2.1.debian.tar.gz
+
+--- src/retr.c.orig	2009-09-04 17:31:54.000000000 +0100
++++ src/retr.c	2010-11-22 18:53:25.000000000 +0000
+@@ -689,7 +689,8 @@
+ #endif
+       || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
+     {
+-      result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
++      result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
++                          proxy_url, iri);
+     }
+   else if (u->scheme == SCHEME_FTP)
+     {
author	tron <tron@pkgsrc.org>	2010-11-23 08:22:46 +0000
committer	tron <tron@pkgsrc.org>	2010-11-23 08:22:46 +0000
commit	6d804e24add073669cca87b577164b7a21def2e5 (patch)
tree	ebd6d59e523a4796c7499bf8cf76399180634872 /net/wget
parent	cb98b58e118ab02339a042459df4814802e896ae (diff)
download	pkgsrc-6d804e24add073669cca87b577164b7a21def2e5.tar.gz