diff --git a/wget/.SRCINFO b/wget/.SRCINFO
new file mode 100644
index 0000000000..56efe75f02
--- /dev/null
+++ b/wget/.SRCINFO
@@ -0,0 +1,38 @@
+pkgbase = wget
+ pkgdesc = Network utility to retrieve files from the Web
+ pkgver = 1.24.5
+ pkgrel = 3
+ url = https://www.gnu.org/software/wget/wget.html
+ arch = x86_64
+ license = GPL3
+ checkdepends = perl-http-daemon
+ checkdepends = perl-io-socket-ssl
+ checkdepends = python
+ depends = glibc
+ depends = zlib
+ depends = gnutls
+ depends = libidn2
+ depends = libidn2.so
+ depends = util-linux-libs
+ depends = libuuid.so
+ depends = libpsl
+ depends = libpsl.so
+ depends = pcre2
+ depends = nettle
+ depends = libnettle.so
+ optdepends = ca-certificates: HTTPS downloads
+ backup = etc/wgetrc
+ source = https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.lz
+ source = https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.lz.sig
+ source = CVE-2024-38428.patch
+ validpgpkeys = AC404C1C0BF735C63FF4D562263D6DF2E163E1EA
+ validpgpkeys = 7845120B07CBD8D6ECE5FF2B2A1743EDA91A35B6
+ validpgpkeys = 1CB27DBC98614B2D5841646D08302DB6A2670428
+ sha256sums = 57a107151e4ef94fdf94affecfac598963f372f13293ed9c74032105390b36ee
+ sha256sums = SKIP
+ sha256sums = 9da45c5d34163fe0c0cc8d75402b2d1e6a752b794e52187da5d9141b825db24f
+ b2sums = 8057e5992ddaf39b3daffbde99871ddec1328c6bbafbc6b9f1d3cd294bb928b2a80f813024d4cd664c396f84477f1d93d5a21c60c6fe2932f9196d29bb9aa896
+ b2sums = SKIP
+ b2sums = fb0cf748b4f5aa34e0b43cc7c010e8f95324433fb3298365065708f8d092ab63c57f778fc1bfa17a121c651a6cd3296331992c5abe3958c368d523d11b3db067
+
+pkgname = wget
diff --git a/wget/.nvchecker.toml b/wget/.nvchecker.toml
new file mode 100644
index 0000000000..8395182f39
--- /dev/null
+++ b/wget/.nvchecker.toml
@@ -0,0 +1,4 @@
+[wget]
+source = "git"
+git = "https://git.savannah.gnu.org/git/wget.git"
+prefix = "v"
diff --git a/wget/CVE-2024-38428.patch b/wget/CVE-2024-38428.patch
new file mode 100644
index 0000000000..b27f1cba94
--- /dev/null
+++ b/wget/CVE-2024-38428.patch
@@ -0,0 +1,75 @@
+From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sun, 2 Jun 2024 12:40:16 +0200
+Subject: Properly re-implement userinfo parsing (rfc2396)
+
+* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
+
+The reason why the implementation is based on RFC 2396, an outdated standard,
+is that the whole file is based on that RFC, and mixing standard here might be
+dangerous.
+---
+ src/url.c | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/url.c b/src/url.c
+index 69e948b..07c3bc8 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -41,6 +41,7 @@ as that of the covered work. */
+ #include "url.h"
+ #include "host.h" /* for is_valid_ipv6_address */
+ #include "c-strcase.h"
++#include "c-ctype.h"
+
+ #ifdef HAVE_ICONV
+ # include
+@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
+ static const char *
+ url_skip_credentials (const char *url)
+ {
+- /* Look for '@' that comes before terminators, such as '/', '?',
+- '#', or ';'. */
+- const char *p = (const char *)strpbrk (url, "@/?#;");
+- if (!p || *p != '@')
+- return url;
+- return p + 1;
++ /*
++ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
++ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
++ *
++ * The RFC says
++ * server = [ [ userinfo "@" ] hostport ]
++ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
++ * unreserved = alphanum | mark
++ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
++ */
++ static const char *allowed = "-_.!~*'();:&=+$,";
++
++ for (const char *p = url; *p; p++)
++ {
++ if (c_isalnum(*p))
++ continue;
++
++ if (strchr(allowed, *p))
++ continue;
++
++ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
++ {
++ p += 2;
++ continue;
++ }
++
++ if (*p == '@')
++ return p + 1;
++
++ break;
++ }
++
++ return url;
+ }
+
+ /* Parse credentials contained in [BEG, END). The region is expected
+-- 
+cgit v1.1
+
diff --git a/wget/PKGBUILD b/wget/PKGBUILD
index 4df01cc4c6..64643766df 100644
--- a/wget/PKGBUILD
+++ b/wget/PKGBUILD
@@ -5,7 +5,7 @@
 pkgname=wget
 pkgver=1.24.5
-pkgrel=2
+pkgrel=3
 pkgdesc='Network utility to retrieve files from the Web'
 url='https://www.gnu.org/software/wget/wget.html'
 arch=(x86_64 powerpc64le powerpc64 powerpc riscv64)
@@ -15,11 +15,14 @@ depends=('glibc' 'zlib' 'gnutls' 'libidn2' 'libidn2.so' 'util-linux-libs' 'libuu
 checkdepends=('perl-http-daemon' 'perl-io-socket-ssl' 'python')
 optdepends=('ca-certificates: HTTPS downloads')
 backup=('etc/wgetrc')
-source=(https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.lz{,.sig})
+source=(https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.lz{,.sig}
+ CVE-2024-38428.patch)
 sha256sums=('57a107151e4ef94fdf94affecfac598963f372f13293ed9c74032105390b36ee'
- 'SKIP')
+ 'SKIP'
+ '9da45c5d34163fe0c0cc8d75402b2d1e6a752b794e52187da5d9141b825db24f')
 b2sums=('8057e5992ddaf39b3daffbde99871ddec1328c6bbafbc6b9f1d3cd294bb928b2a80f813024d4cd664c396f84477f1d93d5a21c60c6fe2932f9196d29bb9aa896'
- 'SKIP')
+ 'SKIP'
+ 'fb0cf748b4f5aa34e0b43cc7c010e8f95324433fb3298365065708f8d092ab63c57f778fc1bfa17a121c651a6cd3296331992c5abe3958c368d523d11b3db067')
 validpgpkeys=(
 'AC404C1C0BF735C63FF4D562263D6DF2E163E1EA' # Giuseppe Scrivano
 '7845120B07CBD8D6ECE5FF2B2A1743EDA91A35B6' # Darshit Shah
@@ -28,6 +31,7 @@ validpgpkeys=(
 prepare() {
 cd ${pkgname}-${pkgver}
+ patch -Np1 -i ../CVE-2024-38428.patch
 cat >> doc/sample.wgetrc <
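Review bot: The percent-escape branch in the new url_skip_credentials does `p += 2` and then relies on the for-loop's `p++` to step past the third byte of the `%XX` sequence; a one-line comment would make that split advance explicit, e.g. `/* "%XX": consume the two hex digits here, the loop's p++ passes the '%' */`. The same comment should state that the short-circuit order in `c_isxdigit(p[1]) && c_isxdigit(p[2])` is what keeps the lookahead inside the string when `%` is the last or second-to-last byte, since a later reordering would silently reintroduce an over-read. The added `#include "c-ctype.h"` presumes the gnulib c-ctype module is present in the 1.24.5 tarball this patch is applied to; `c-strcase.h` from the same library is already included in the hunk so that is likely fine, but the patched build is the only confirmation. The upstream diffstat lists src/url.c alone, so no regression test accompanies the behavioural change that `;` is now accepted inside userinfo rather than terminating the scan.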
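Review bot: The new `CVE-2024-38428.patch` source entry is pinned by both sha256sums and b2sums, but nothing in the visible hunks records where the patch file came from, so a future version bump has to open the file to learn whether the release already carries the fix. A trailing comment on the source line, `CVE-2024-38428.patch) # upstream commit ed0c7c7e0e8f7298352646b2fd6e06a11e242ace`, gives that provenance next to the checksum. The prepare() hunk that applies the patch runs past the end of this view.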