diff options
-rw-r--r-- | net/wget/Makefile | 12 | ||||
-rw-r--r-- | net/wget/distinfo | 16 | ||||
-rw-r--r-- | net/wget/patches/patch-CVE-2017-13089 | 36 | ||||
-rw-r--r-- | net/wget/patches/patch-CVE-2017-13090 | 39 |
4 files changed, 8 insertions, 95 deletions
diff --git a/net/wget/Makefile b/net/wget/Makefile index 3c668312078..f37ce062721 100644 --- a/net/wget/Makefile +++ b/net/wget/Makefile @@ -1,15 +1,9 @@ -# $NetBSD: Makefile,v 1.137 2017/11/14 09:51:13 leot Exp $ +# $NetBSD: Makefile,v 1.138 2017/11/23 16:03:29 wiz Exp $ -DISTNAME= wget-1.19.1 -PKGREVISION= 3 +DISTNAME= wget-1.19.2 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_GNU:=wget/} -EXTRACT_SUFX= .tar.xz - -PATCH_SITES= http://git.savannah.gnu.org/cgit/wget.git/patch/?id= -PATCH_DIST_STRIP= -p1 -# For CVE-2017-6508 -PATCHFILES= 4d729e322fae359a1aefaafec1144764a54e8ad4 +EXTRACT_SUFX= .tar.lz MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.gnu.org/software/wget/wget.html diff --git a/net/wget/distinfo b/net/wget/distinfo index 838fb948d7f..19963f3f83d 100644 --- a/net/wget/distinfo +++ b/net/wget/distinfo @@ -1,13 +1,7 @@ -$NetBSD: distinfo,v 1.55 2017/10/26 15:01:38 tez Exp $ +$NetBSD: distinfo,v 1.56 2017/11/23 16:03:29 wiz Exp $ -SHA1 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 95acf2c162f0e413c40c5881940daafff2cca9bb -RMD160 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 41f0ac16a00f0837045120d1b65fd0e86c5c8618 -SHA512 (4d729e322fae359a1aefaafec1144764a54e8ad4) = fd36c9225c567e9958f030449f40cb747c0a23b7023fd4eee4e982c867d96be1562377a2d9b80150d9dc714bdbdc2bd509a8a244c4969c731002bdf6434d9cf8 -Size (4d729e322fae359a1aefaafec1144764a54e8ad4) = 1051 bytes -SHA1 (wget-1.19.1.tar.xz) = cde25e99c144191644406793cbd1c69c102c6970 -RMD160 (wget-1.19.1.tar.xz) = 158d759b81c0893cc9c83e4beabb104f4987f6dd -SHA512 (wget-1.19.1.tar.xz) = 00864d225439bcb7c5af01d7ef19efa615427812d3320ab3f4c8f62c38191e837b1392397843f935d7dc5860a4d0ce89ee31f2730c4a729402f1f2bf3e5f64e5 -Size (wget-1.19.1.tar.xz) = 2111756 bytes -SHA1 (patch-CVE-2017-13089) = 4dc004441198b6ae1cb2fb07eb6db3d55a007d1a -SHA1 (patch-CVE-2017-13090) = ad77c0406bb0e08979067649f93f5fa07328a1ea +SHA1 (wget-1.19.2.tar.lz) = 262ddadec85b7836e2f724a4f3e47797a063f772 +RMD160 (wget-1.19.2.tar.lz) = a304bb50b388eaeeb23f4222d38fb45acc75bd5a +SHA512 (wget-1.19.2.tar.lz) = ed99ca6cc58a6a9001326d1081c4110ff9732a11b0b2c129ef4e9719aab029087276bfce9fb38c0d56c19054f5417b37d712098b2ec9e814e68a68f9a5b48cec +Size (wget-1.19.2.tar.lz) = 2152055 bytes SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8 diff --git a/net/wget/patches/patch-CVE-2017-13089 b/net/wget/patches/patch-CVE-2017-13089 deleted file mode 100644 index e7a9185d34f..00000000000 --- a/net/wget/patches/patch-CVE-2017-13089 +++ /dev/null @@ -1,36 +0,0 @@ -$NetBSD: patch-CVE-2017-13089,v 1.1 2017/10/26 15:01:38 tez Exp $ - -From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> -Date: Fri, 20 Oct 2017 10:59:38 +0200 -Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling - (CVE-2017-13089) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* src/http.c (skip_short_body): Return error on negative chunk size - -Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint -Reported-by: Juhani Eronen from Finnish National Cyber Security Centre ---- - src/http.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/http.c b/src/http.c -index 55367688..dc318231 100644 ---- src/http.c -+++ src/http.c -@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked) - remaining_chunk_size = strtol (line, &endl, 16); - xfree (line); - -+ if (remaining_chunk_size < 0) -+ return false; -+ - if (remaining_chunk_size == 0) - { - line = fd_read_line (fd); --- -2.15.0.rc1 - diff --git a/net/wget/patches/patch-CVE-2017-13090 b/net/wget/patches/patch-CVE-2017-13090 deleted file mode 100644 index 88e823238e6..00000000000 --- a/net/wget/patches/patch-CVE-2017-13090 +++ /dev/null @@ -1,39 +0,0 @@ -$NetBSD: patch-CVE-2017-13090,v 1.1 2017/10/26 15:01:38 tez Exp $ - -From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> -Date: Fri, 20 Oct 2017 15:15:47 +0200 -Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling - (CVE-2017-13090) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -* src/retr.c (fd_read_body): Stop processing on negative chunk size - -Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint -Reported-by: Juhani Eronen from Finnish National Cyber Security Centre ---- - src/retr.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/retr.c b/src/retr.c -index a27d58af..723ac725 100644 ---- src/retr.c -+++ src/retr.c -@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, - remaining_chunk_size = strtol (line, &endl, 16); - xfree (line); - -+ if (remaining_chunk_size < 0) -+ { -+ ret = -1; -+ break; -+ } -+ - if (remaining_chunk_size == 0) - { - ret = 0; --- -2.15.0.rc1 - |