OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 23-Jan-2003 15:47:25 Branch: OPENPKG_1_STABLE Handle: 2003012314472400 Modified files: (Branch: OPENPKG_1_STABLE) openpkg-src/wget wget.patch wget.spec Log: MFC: upgrade security patch (see OpenPKG-SA-2003.007-wget) Summary: Revision Changes Path 1.1.2.1 +52 -59 openpkg-src/wget/wget.patch 1.28.2.2 +2 -2 openpkg-src/wget/wget.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/wget/wget.patch ============================================================================ $ cvs diff -u -r1.1 -r1.1.2.1 wget.patch --- openpkg-src/wget/wget.patch 16 Dec 2002 12:39:36 -0000 1.1 +++ openpkg-src/wget/wget.patch 23 Jan 2003 14:47:24 -0000 1.1.2.1 
@@ -1,89 +1,82 @@ -diff -urN wget-1.8.2/src/fnmatch.c wget-1.8.2_save/src/fnmatch.c ---- wget-1.8.2/src/fnmatch.c Sat May 18 05:05:15 2002 -+++ wget-1.8.2_save/src/fnmatch.c Fri Oct 4 14:53:40 2002 -@@ -198,6 +198,17 @@ - return (FNM_NOMATCH); - } +--- src/fnmatch.c.orig 2002/05/18 03:05:15 1.2.2.1 ++++ src/fnmatch.c 2003/01/11 19:53:31 1.2.2.2 +@@ -35,6 +35,11 @@ + + #include <errno.h> + #include "wget.h" ++#ifdef HAVE_STRING_H ++# include <string.h> ++#else ++# include <strings.h> ++#endif /* HAVE_STRING_H */ + #include "fnmatch.h" + + /* Match STRING against the filename pattern PATTERN, returning zero +@@ -196,6 +201,19 @@ + return (0); + return (FNM_NOMATCH); ++} ++ +/* Return non-zero if S has a leading '/' or contains '../' */ +int -+has_invalid_name (const char *s) ++has_insecure_name_p (const char *s) +{ -+ if (*s == '/') -+ return 1; -+ if (strstr(s, "../") != 0) -+ return 1; -+ return 0; -+} ++ if (*s == '/') ++ return 1; ++ ++ if (strstr(s, "../") != 0) ++ return 1; + ++ return 0; + } + /* Return non-zero if S contains globbing wildcards (`*', `?', `[' or - `]'). */ - int -diff -urN wget-1.8.2/src/ftp.c wget-1.8.2_save/src/ftp.c ---- wget-1.8.2/src/ftp.c Sat May 18 05:05:16 2002 -+++ wget-1.8.2_save/src/ftp.c Fri Oct 4 15:07:22 2002 -@@ -1551,6 +1551,8 @@ +--- src/ftp.c.orig 2002/05/18 03:05:16 1.52.2.1 ++++ src/ftp.c 2003/01/11 19:53:31 1.52.2.2 +@@ -1549,7 +1549,7 @@ + static uerr_t + ftp_retrieve_glob (struct url *u, ccon *con, int action) { - struct fileinfo *orig, *start; +- struct fileinfo *orig, *start; ++ struct fileinfo *f, *orig, *start; uerr_t res; -+ struct fileinfo *f; -+ con->cmd |= LEAVE_PENDING; - -@@ -1562,8 +1564,7 @@ +@@ -1562,8 +1562,7 @@ opt.accepts and opt.rejects. 
*/ if (opt.accepts || opt.rejects) { - struct fileinfo *f = orig; - -+ f = orig; ++ f = orig; while (f) { if (f->type != FT_DIRECTORY && !acceptable (f->name)) -@@ -1575,6 +1576,18 @@ +@@ -1575,13 +1574,25 @@ f = f->next; } } + /* Remove all files with possible harmful names */ + f = orig; + while (f) -+ { -+ if (has_invalid_name(f->name)) -+ { ++ { ++ if (has_insecure_name_p(f->name)) ++ { + logprintf (LOG_VERBOSE, _("Rejecting `%s'.\n"), f->name); + f = delelement (f, &start); -+ } -+ else -+ f = f->next; -+ } ++ } ++ else ++ f = f->next; ++ } /* Now weed out the files that do not match our globbing pattern. If we are dealing with a globbing pattern, that is. */ if (*u->file && (action == GLOBALL || action == GETONE)) ---- wget-1.8.2/src/url.c.fpons 2002-09-04 16:16:52.000000000 +0200 -+++ wget-1.8.2/src/url.c 2002-09-04 16:32:14.000000000 +0200 -@@ -499,14 +499,18 @@ - int - url_skip_uname (const char *url) - { -- const char *p; -+ const char *p, *pp; - -- /* Look for '@' that comes before '/' or '?'. */ -- p = (const char *)strpbrk (url, "/?@"); -- if (!p || *p != '@') -- return 0; -+ /* Look for last '@' that comes before '/' or '?'. */ -+ pp = url; -+ while ((p = (const char *)strpbrk (pp, "/?@")) != NULL) { -+ if (*p != '@') -+ break; -+ /* Found '@' character so go on with possible next '@'. */ -+ pp = p + 1; -+ } - -- return p - url + 1; -+ return pp != url ? pp - url: 0; - } + { + int matchres = 0; +- struct fileinfo *f = start; - static int ++ f = start; + while (f) + { + matchres = fnmatch (u->file, f->name, 0); @@ . patch -p0 <<'@@ .' Index: openpkg-src/wget/wget.spec ============================================================================ $ cvs diff -u -r1.28.2.1 -r1.28.2.2 wget.spec --- openpkg-src/wget/wget.spec 18 Jan 2003 14:15:37 -0000 1.28.2.1 +++ openpkg-src/wget/wget.spec 23 Jan 2003 14:47:24 -0000 1.28.2.2 
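Review bot: `has_insecure_name_p` in the fnmatch.c hunk rejects only a leading `/` and the substring `../`, so a listing entry that is exactly `..` or ends in `/..` passes the new filter loop in `ftp_retrieve_glob`. Whether such an entry can still be acted on depends on code outside this hunk, but the predicate should cover it: declare `size_t n = strlen (s);` at the top of the function and add `if (strcmp (s, "..") == 0 || (n >= 3 && strcmp (s + n - 3, "/..") == 0)) return 1;` before the final `return 0;`, updating the comment above the function to match. The patch touches only fnmatch.c and ftp.c, so no prototype for `has_insecure_name_p` is visible for the call in ftp.c; unless fnmatch.h already declares it, that call relies on an implicit declaration. The rejection is logged at `LOG_VERBOSE` only, and since it records a server sending a suspicious name, `LOG_NOTQUIET` would make it visible in default runs. `ftp_retrieve_glob` starts and ends outside the hunk.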
@@ -33,7 +33,7 @@ Group: Web License: GPL Version: 1.8.2 -Release: 1.20021216 +Release: 1.20030123 # list of sources Source0: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz @@ -55,7 +55,7 @@ %prep %setup -q - %patch -p1 + %patch -p0 %build CC="%{l_cc}" \ @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]