commit:     d00c2c8bd673909c1546d04c1fd122fadd2f00e3
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Jun  9 00:24:08 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Jun  9 01:20:25 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d00c2c8b

net-misc/wget: backport HSTS fix (32-bit)

Closes: https://bugs.gentoo.org/850676
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-misc/wget/files/wget-1.21.3-hsts-type.patch | 211 ++++++++++++++++++++++++
 net-misc/wget/wget-1.21.3-r1.ebuild             | 114 +++++++++++++
 2 files changed, 325 insertions(+)

diff --git a/net-misc/wget/files/wget-1.21.3-hsts-type.patch 
b/net-misc/wget/files/wget-1.21.3-hsts-type.patch
new file mode 100644
index 000000000000..bac1330ddc79
--- /dev/null
+++ b/net-misc/wget/files/wget-1.21.3-hsts-type.patch
@@ -0,0 +1,211 @@
+https://bugs.gentoo.org/850676
+https://git.savannah.gnu.org/cgit/wget.git/commit/?id=cb114fbbf73eb687d28b01341c8d4266ffa96c9d
+
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de>
+Date: Sun, 20 Mar 2022 12:18:20 +0100
+Subject: Fix HSTS portability by using int64_t instead of time_t.
+
+* src/hsts.c: Use int64_t instead of time_t.
+* src/http.c: Use int64_t for parsing Strict-Transport-Security.
+--- a/src/hsts.c
++++ b/src/hsts.c
+@@ -61,8 +61,8 @@ struct hsts_kh {
+ };
+ 
+ struct hsts_kh_info {
+-  time_t created;
+-  time_t max_age;
++  int64_t created;
++  int64_t max_age;
+   bool include_subdomains;
+ };
+ 
+@@ -166,7 +166,7 @@ end:
+ static bool
+ hsts_new_entry_internal (hsts_store_t store,
+                          const char *host, int port,
+-                         time_t created, time_t max_age,
++                         int64_t created, int64_t max_age,
+                          bool include_subdomains,
+                          bool check_validity,
+                          bool check_expired,
+@@ -216,21 +216,21 @@ bail:
+ static bool
+ hsts_add_entry (hsts_store_t store,
+                 const char *host, int port,
+-                time_t max_age, bool include_subdomains)
++                int64_t max_age, bool include_subdomains)
+ {
+-  time_t t = time (NULL);
++  int64_t t = (int64_t) time (NULL);
+ 
+   /* It might happen time() returned -1 */
+-  return (t == (time_t)(-1) ?
++  return (t == -1) ?
+       false :
+-      hsts_new_entry_internal (store, host, port, t, max_age, 
include_subdomains, false, true, false));
++      hsts_new_entry_internal (store, host, port, t, max_age, 
include_subdomains, false, true, false);
+ }
+ 
+ /* Creates a new entry, unless an identical one already exists. */
+ static bool
+ hsts_new_entry (hsts_store_t store,
+                 const char *host, int port,
+-                time_t created, time_t max_age,
++                int64_t created, int64_t max_age,
+                 bool include_subdomains)
+ {
+   return hsts_new_entry_internal (store, host, port, created, max_age, 
include_subdomains, true, true, true);
+@@ -245,7 +245,7 @@ hsts_remove_entry (hsts_store_t store, struct hsts_kh *kh)
+ static bool
+ hsts_store_merge (hsts_store_t store,
+                   const char *host, int port,
+-                  time_t created, time_t max_age,
++                  int64_t created, int64_t max_age,
+                   bool include_subdomains)
+ {
+   enum hsts_kh_match match_type = NO_MATCH;
+@@ -276,11 +276,11 @@ hsts_read_database (hsts_store_t store, FILE *fp, bool 
merge_with_existing_entri
+   size_t len = 0;
+   int items_read;
+   bool result = false;
+-  bool (*func)(hsts_store_t, const char *, int, time_t, time_t, bool);
++  bool (*func)(hsts_store_t, const char *, int, int64_t, int64_t, bool);
+ 
+   char host[256];
+   int port;
+-  time_t created, max_age;
++  int64_t created, max_age;
+   int include_subdomains;
+ 
+   func = (merge_with_existing_entries ? hsts_store_merge : hsts_new_entry);
+@@ -326,10 +326,9 @@ hsts_store_dump (hsts_store_t store, FILE *fp)
+       struct hsts_kh *kh = (struct hsts_kh *) it.key;
+       struct hsts_kh_info *khi = (struct hsts_kh_info *) it.value;
+ 
+-      if (fprintf (fp, "%s\t%d\t%d\t%lu\t%lu\n",
++      if (fprintf (fp, "%s\t%d\t%d\t%" PRId64 "\t%" PRId64 "\n",
+                    kh->host, kh->explicit_port, khi->include_subdomains,
+-                   (unsigned long) khi->created,
+-                   (unsigned long) khi->max_age) < 0)
++                   khi->created, khi->max_age) < 0)
+         {
+           logprintf (LOG_ALWAYS, "Could not write the HSTS database 
correctly.\n");
+           break;
+@@ -439,7 +438,7 @@ hsts_match (hsts_store_t store, struct url *u)
+ bool
+ hsts_store_entry (hsts_store_t store,
+                   enum url_scheme scheme, const char *host, int port,
+-                  time_t max_age, bool include_subdomains)
++                  int64_t max_age, bool include_subdomains)
+ {
+   bool result = false;
+   enum hsts_kh_match match = NO_MATCH;
+@@ -464,9 +463,9 @@ hsts_store_entry (hsts_store_t store,
+                * 'created' field too. The RFC also states that we have to
+                * update the entry each time we see HSTS header.
+                * See also Section 11.2. */
+-              time_t t = time (NULL);
++              int64_t t = (int64_t) time (NULL);
+ 
+-              if (t != (time_t)(-1) && t != entry->created)
++              if (t != -1 && t != entry->created)
+                 {
+                   entry->created = t;
+                   entry->max_age = max_age;
+@@ -792,7 +791,7 @@ test_hsts_read_database (void)
+   hsts_store_t table;
+   char *file = NULL;
+   FILE *fp = NULL;
+-  time_t created = time(NULL) - 10;
++  int64_t created = time(NULL) - 10;
+ 
+   if (opt.homedir)
+     {
+@@ -801,9 +800,9 @@ test_hsts_read_database (void)
+       if (fp)
+         {
+           fputs ("# dummy comment\n", fp);
+-          fprintf (fp, "foo.example.com\t0\t1\t%lu\t123\n",(unsigned long) 
created);
+-          fprintf (fp, "bar.example.com\t0\t0\t%lu\t456\n", (unsigned long) 
created);
+-          fprintf (fp, "test.example.com\t8080\t0\t%lu\t789\n", (unsigned 
long) created);
++          fprintf (fp, "foo.example.com\t0\t1\t%" PRId64 "\t123\n", created);
++          fprintf (fp, "bar.example.com\t0\t0\t%" PRId64 "\t456\n", created);
++          fprintf (fp, "test.example.com\t8080\t0\t%" PRId64 "\t789\n", 
created);
+           fclose (fp);
+ 
+           table = hsts_store_open (file);
+--- a/src/hsts.h
++++ b/src/hsts.h
+@@ -46,7 +46,7 @@ bool hsts_store_has_changed (hsts_store_t);
+ 
+ bool hsts_store_entry (hsts_store_t,
+                        enum url_scheme, const char *, int,
+-                       time_t, bool);
++                       int64_t, bool);
+ bool hsts_match (hsts_store_t, struct url *);
+ 
+ #endif /* HAVE_HSTS */
+--- a/src/http.c
++++ b/src/http.c
+@@ -1300,7 +1300,7 @@ parse_content_disposition (const char *hdr, char 
**filename)
+ 
+ #ifdef HAVE_HSTS
+ static bool
+-parse_strict_transport_security (const char *header, time_t *max_age, bool 
*include_subdomains)
++parse_strict_transport_security (const char *header, int64_t *max_age, bool 
*include_subdomains)
+ {
+   param_token name, value;
+   const char *c_max_age = NULL;
+@@ -1330,7 +1330,7 @@ parse_strict_transport_security (const char *header, 
time_t *max_age, bool *incl
+            * Also, time_t is normally defined as a long, so this should not 
break.
+            */
+           if (max_age)
+-            *max_age = (time_t) strtol (c_max_age, NULL, 10);
++            *max_age = (int64_t) strtoll (c_max_age, NULL, 10);
+           if (include_subdomains)
+             *include_subdomains = is;
+ 
+@@ -3184,9 +3184,6 @@ gethttp (const struct url *u, struct url *original_url, 
struct http_stat *hs,
+ #else
+   extern hsts_store_t hsts_store;
+ #endif
+-  const char *hsts_params;
+-  time_t max_age;
+-  bool include_subdomains;
+ #endif
+ 
+   int sock = -1;
+@@ -3674,21 +3671,24 @@ gethttp (const struct url *u, struct url 
*original_url, struct http_stat *hs,
+ #ifdef HAVE_HSTS
+   if (opt.hsts && hsts_store)
+     {
+-      hsts_params = resp_header_strdup (resp, "Strict-Transport-Security");
++      int64_t max_age;
++      const char *hsts_params = resp_header_strdup (resp, 
"Strict-Transport-Security");
++      bool include_subdomains;
++
+       if (parse_strict_transport_security (hsts_params, &max_age, 
&include_subdomains))
+         {
+           /* process strict transport security */
+           if (hsts_store_entry (hsts_store, u->scheme, u->host, u->port, 
max_age, include_subdomains))
+-            DEBUGP(("Added new HSTS host: %s:%u (max-age: %lu, 
includeSubdomains: %s)\n",
++            DEBUGP(("Added new HSTS host: %s:%" PRIu32 " (max-age: %" PRId64 
", includeSubdomains: %s)\n",
+                    u->host,
+-                   (unsigned) u->port,
+-                   (unsigned long) max_age,
++                   (uint32_t) u->port,
++                   max_age,
+                    (include_subdomains ? "true" : "false")));
+           else
+-            DEBUGP(("Updated HSTS host: %s:%u (max-age: %lu, 
includeSubdomains: %s)\n",
++            DEBUGP(("Updated HSTS host: %s:%" PRIu32 " (max-age: %" PRId64 ", 
includeSubdomains: %s)\n",
+                    u->host,
+-                   (unsigned) u->port,
+-                   (unsigned long) max_age,
++                   (uint32_t) u->port,
++                   max_age,
+                    (include_subdomains ? "true" : "false")));
+         }
+       xfree (hsts_params);
+cgit v1.1
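Review bot: In the `parse_strict_transport_security` hunk of src/http.c, `*max_age = (int64_t) strtoll (c_max_age, NULL, 10);` still converts a server-supplied header value with no end-pointer or `errno` check, so a non-numeric, negative or out-of-range `max-age` is stored as whatever `strtoll` returns; widening the type does not change that. Consider setting `errno = 0`, passing an `end` pointer, and rejecting the header when `end == c_max_age`, `errno == ERANGE` or the value is negative. The function bodies extend outside the hunks, so later validity checks in `hsts_new_entry_internal` may already catch some of these cases. The context comment just above that line still reads `time_t is normally defined as a long, so this should not break`, which no longer describes the code and should be reworded for `int64_t`. Separately, the `sscanf` that fills `created` and `max_age` in `hsts_read_database` is not in the shown hunk; its conversion specifiers need to be `SCNd64` to match the new `int64_t` variables, which is worth confirming against the patched tree.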

diff --git a/net-misc/wget/wget-1.21.3-r1.ebuild 
b/net-misc/wget/wget-1.21.3-r1.ebuild
new file mode 100644
index 000000000000..922b3579b4f0
--- /dev/null
+++ b/net-misc/wget/wget-1.21.3-r1.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{8..10} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/wget.asc
+inherit flag-o-matic python-any-r1 toolchain-funcs verify-sig
+
+DESCRIPTION="Network utility to retrieve files from the WWW"
+HOMEPAGE="https://www.gnu.org/software/wget/";
+SRC_URI="mirror://gnu/wget/${P}.tar.gz"
+SRC_URI+=" verify-sig? ( mirror://gnu/wget/${P}.tar.gz.sig )"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos 
~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="cookie-check debug gnutls idn ipv6 metalink nls ntlm pcre +ssl static 
test uuid zlib"
+REQUIRED_USE="ntlm? ( !gnutls ssl ) gnutls? ( ssl )"
+RESTRICT="!test? ( test )"
+
+# * Force a newer libidn2 to avoid libunistring deps. #bug #612498
+# * Metalink can use gpgme automagically (so let's always depend on it)
+# for signed metalink resources.
+LIB_DEPEND="
+       cookie-check? ( net-libs/libpsl )
+       idn? ( >=net-dns/libidn2-0.14:=[static-libs(+)] )
+       metalink? (
+               app-crypt/gpgme
+               media-libs/libmetalink
+       )
+       pcre? ( dev-libs/libpcre2[static-libs(+)] )
+       ssl? (
+               gnutls? ( net-libs/gnutls:=[static-libs(+)] )
+               !gnutls? ( dev-libs/openssl:=[static-libs(+)] )
+       )
+       uuid? ( sys-apps/util-linux[static-libs(+)] )
+       zlib? ( sys-libs/zlib[static-libs(+)] )
+"
+RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )"
+DEPEND="
+       ${RDEPEND}
+       static? ( ${LIB_DEPEND} )
+"
+BDEPEND="
+       app-arch/xz-utils
+       dev-lang/perl
+       sys-apps/texinfo
+       virtual/pkgconfig
+       nls? ( sys-devel/gettext )
+       test? (
+               ${PYTHON_DEPS}
+               dev-perl/HTTP-Daemon
+               dev-perl/HTTP-Message
+               dev-perl/IO-Socket-SSL
+       )
+       verify-sig? ( sec-keys/openpgp-keys-wget )
+"
+
+DOCS=( AUTHORS MAILING-LIST NEWS README )
+
+PATCHES=(
+       "${FILESDIR}"/${P}-hsts-type.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+       default
+       sed -i -e "s:/usr/local/etc:${EPREFIX}/etc:g" 
doc/{sample.wgetrc,wget.texi} || die
+}
+
+src_configure() {
+       # fix compilation on Solaris, we need filio.h for FIONBIO as used in
+       # the included gnutls -- force ioctl.h to include this header
+       [[ ${CHOST} == *-solaris* ]] && append-cppflags -DBSD_COMP=1
+
+       if use static ; then
+               append-ldflags -static
+               tc-export PKG_CONFIG
+               PKG_CONFIG+=" --static"
+       fi
+
+       # There is no flag that controls this.  libunistring-prefix only
+       # controls the search path (which is why we turn it off below).
+       # Further, libunistring is only needed w/older libidn2 installs,
+       # and since we force the latest, we can force off libunistring. # bug 
#612498
+       local myeconfargs=(
+               ac_cv_libunistring=no
+               --disable-assert
+               --disable-pcre
+               --disable-rpath
+               --without-included-libunistring
+               --without-libunistring-prefix
+               $(use_enable debug)
+               $(use_enable idn iri)
+               $(use_enable ipv6)
+               $(use_enable nls)
+               $(use_enable ntlm)
+               $(use_enable pcre pcre2)
+               $(use_enable ssl digest)
+               $(use_enable ssl opie)
+               $(use_with cookie-check libpsl)
+               $(use_enable idn iri)
+               $(use_with metalink)
+               $(use_with ssl ssl $(usex gnutls gnutls openssl))
+               $(use_with uuid libuuid)
+               $(use_with zlib)
+       )
+
+       econf "${myeconfargs[@]}"
+}
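Review bot: `$(use_enable idn iri)` appears twice in `myeconfargs` in `src_configure`, once after `$(use_enable debug)` and again after `$(use_with cookie-check libpsl)`; the second occurrence is redundant and can be dropped. The array also passes an unconditional `--disable-pcre` next to `$(use_enable pcre pcre2)`. If the intent is that only pcre2 is USE-controlled, a short comment such as `# legacy libpcre is never enabled; USE=pcre selects pcre2 only` would make that explicit.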
