Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package wget for openSUSE:Factory checked in at 2024-06-18 22:50:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wget (Old)
 and      /work/SRC/openSUSE:Factory/.wget.new.19518 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wget"

Tue Jun 18 22:50:57 2024 rev:71 rq:1181529 version:1.24.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/wget/wget.changes        2024-03-13 
22:16:49.760410715 +0100
+++ /work/SRC/openSUSE:Factory/.wget.new.19518/wget.changes     2024-06-18 
22:51:00.776907705 +0200
@@ -1,0 +2,8 @@
+Tue Jun 18 07:54:22 UTC 2024 - Valentin Lefebvre <valentin.lefeb...@suse.com>
+
+- Fix mishandled semicolons in the userinfo subcomponent could lead to an
+  insecure behavior in which data that was supposed to be in the userinfo
+  subcomponent is misinterpreted to be part of the host subcomponent.
+  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch] 
+
+-------------------------------------------------------------------
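Review bot: the changelog sentence "Fix mishandled semicolons in the userinfo subcomponent could lead to an insecure behavior ..." is ungrammatical; suggest "Fix mishandling of semicolons in the userinfo subcomponent, which could lead to data that belongs to the userinfo subcomponent being misinterpreted as part of the host subcomponent" so the entry reads cleanly in the package history.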

New:
----
  properly-re-implement-userinfo-parsing.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wget.spec ++++++
--- /var/tmp/diff_new_pack.pcfjwz/_old  2024-06-18 22:51:02.500971271 +0200
+++ /var/tmp/diff_new_pack.pcfjwz/_new  2024-06-18 22:51:02.500971271 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package wget
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2024 Andreas Stieger <andreas.stie...@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -35,6 +35,7 @@
 Patch8:         wget-errno-clobber.patch
 Patch9:         remove-env-from-shebang.patch
 Patch10:        wget-do-not-propagate-credentials.patch
+Patch11:        properly-re-implement-userinfo-parsing.patch
 BuildRequires:  gpgme-devel >= 0.4.2
 BuildRequires:  libcares-devel
 BuildRequires:  libidn2-devel
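Review bot: Patch11 is declared here but the hunk does not show how the spec applies patches in %prep; confirm that %autosetup or %autopatch is in use, or add a matching %patch11 -p1 line, otherwise the fix is listed in the spec without being built into the binary.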

++++++ properly-re-implement-userinfo-parsing.patch ++++++
>From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de>
Date: Sun, 2 Jun 2024 12:40:16 +0200
Subject: Properly re-implement userinfo parsing (rfc2396)

* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)

The reason why the implementation is based on RFC 2396, an outdated standard,
is that the whole file is based on that RFC, and mixing standard here might be
dangerous.
---
 src/url.c | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/src/url.c b/src/url.c
index 69e948b..07c3bc8 100644
--- a/src/url.c
+++ b/src/url.c
@@ -41,6 +41,7 @@ as that of the covered work.  */
 #include "url.h"
 #include "host.h"  /* for is_valid_ipv6_address */
 #include "c-strcase.h"
+#include "c-ctype.h"
 
 #ifdef HAVE_ICONV
 # include <iconv.h>
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
 static const char *
 url_skip_credentials (const char *url)
 {
-  /* Look for '@' that comes before terminators, such as '/', '?',
-     '#', or ';'.  */
-  const char *p = (const char *)strpbrk (url, "@/?#;");
-  if (!p || *p != '@')
-    return url;
-  return p + 1;
+  /*
+   * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
+   * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough 
re-visit.
+   *
+   * The RFC says
+   * server        = [ [ userinfo "@" ] hostport ]
+   * userinfo      = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | 
"$" | "," )
+   * unreserved    = alphanum | mark
+   * mark          = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+   */
+  static const char *allowed = "-_.!~*'();:&=+$,";
+
+  for (const char *p = url; *p; p++)
+    {
+      if (c_isalnum(*p))
+        continue;
+
+      if (strchr(allowed, *p))
+        continue;
+
+      if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
+        {
+          p += 2;
+          continue;
+        }
+
+      if (*p == '@')
+        return p + 1;
+
+      break;
+    }
+
+  return url;
 }
 
 /* Parse credentials contained in [BEG, END).  The region is expected
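Review bot: no test accompanies the change (the diffstat touches only src/url.c); please add unit-test cases for url_skip_credentials covering `user;pw@host/` (must now return `host/`), `%41@host`, a plain `user@host`, a URL with no '@', and a truncated escape such as `%4` at the end of the string. The loop logic itself looks correct: ';' is now in the allowed set, so `user;pw@host/` skips past the '@' where the old strpbrk stopped at ';' and returned the unchanged URL, leaving `user;pw@host` to be parsed as the host, and the `%XX` check tests p[1] before p[2], so a truncated escape at end of string falls through to the `break` without reading past the terminator. A one-line comment stating that ';' was previously treated as a terminator would help future readers see why the strpbrk form was replaced.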
-- 
cgit v1.1
