OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 23-Jan-2003 15:47:25
Branch: OPENPKG_1_STABLE Handle: 2003012314472400
Modified files: (Branch: OPENPKG_1_STABLE)
openpkg-src/wget wget.patch wget.spec
Log:
MFC: upgrade security patch (see OpenPKG-SA-2003.007-wget)
Summary:
Revision Changes Path
1.1.2.1 +52 -59 openpkg-src/wget/wget.patch
1.28.2.2 +2 -2 openpkg-src/wget/wget.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/wget/wget.patch
============================================================================
$ cvs diff -u -r1.1 -r1.1.2.1 wget.patch
--- openpkg-src/wget/wget.patch 16 Dec 2002 12:39:36 -0000 1.1
+++ openpkg-src/wget/wget.patch 23 Jan 2003 14:47:24 -0000 1.1.2.1
@@ -1,89 +1,82 @@
-diff -urN wget-1.8.2/src/fnmatch.c wget-1.8.2_save/src/fnmatch.c
---- wget-1.8.2/src/fnmatch.c Sat May 18 05:05:15 2002
-+++ wget-1.8.2_save/src/fnmatch.c Fri Oct 4 14:53:40 2002
-@@ -198,6 +198,17 @@
- return (FNM_NOMATCH);
- }
+--- src/fnmatch.c.orig 2002/05/18 03:05:15 1.2.2.1
++++ src/fnmatch.c 2003/01/11 19:53:31 1.2.2.2
+@@ -35,6 +35,11 @@
+
+ #include <errno.h>
+ #include "wget.h"
++#ifdef HAVE_STRING_H
++# include <string.h>
++#else
++# include <strings.h>
++#endif /* HAVE_STRING_H */
+ #include "fnmatch.h"
+
+ /* Match STRING against the filename pattern PATTERN, returning zero
+@@ -196,6 +201,19 @@
+ return (0);
+ return (FNM_NOMATCH);
++}
++
+/* Return non-zero if S has a leading '/' or contains '../' */
+int
-+has_invalid_name (const char *s)
++has_insecure_name_p (const char *s)
+{
-+ if (*s == '/')
-+ return 1;
-+ if (strstr(s, "../") != 0)
-+ return 1;
-+ return 0;
-+}
++ if (*s == '/')
++ return 1;
++
++ if (strstr(s, "../") != 0)
++ return 1;
+
++ return 0;
+ }
+
/* Return non-zero if S contains globbing wildcards (`*', `?', `[' or
- `]'). */
- int
-diff -urN wget-1.8.2/src/ftp.c wget-1.8.2_save/src/ftp.c
---- wget-1.8.2/src/ftp.c Sat May 18 05:05:16 2002
-+++ wget-1.8.2_save/src/ftp.c Fri Oct 4 15:07:22 2002
-@@ -1551,6 +1551,8 @@
+--- src/ftp.c.orig 2002/05/18 03:05:16 1.52.2.1
++++ src/ftp.c 2003/01/11 19:53:31 1.52.2.2
+@@ -1549,7 +1549,7 @@
+ static uerr_t
+ ftp_retrieve_glob (struct url *u, ccon *con, int action)
{
- struct fileinfo *orig, *start;
+- struct fileinfo *orig, *start;
++ struct fileinfo *f, *orig, *start;
uerr_t res;
-+ struct fileinfo *f;
-+
con->cmd |= LEAVE_PENDING;
-
-@@ -1562,8 +1564,7 @@
+@@ -1562,8 +1562,7 @@
opt.accepts and opt.rejects. */
if (opt.accepts || opt.rejects)
{
- struct fileinfo *f = orig;
-
-+ f = orig;
++ f = orig;
while (f)
{
if (f->type != FT_DIRECTORY && !acceptable (f->name))
-@@ -1575,6 +1576,18 @@
+@@ -1575,13 +1574,25 @@
f = f->next;
}
}
+ /* Remove all files with possible harmful names */
+ f = orig;
+ while (f)
-+ {
-+ if (has_invalid_name(f->name))
-+ {
++ {
++ if (has_insecure_name_p(f->name))
++ {
+ logprintf (LOG_VERBOSE, _("Rejecting `%s'.\n"), f->name);
+ f = delelement (f, &start);
-+ }
-+ else
-+ f = f->next;
-+ }
++ }
++ else
++ f = f->next;
++ }
/* Now weed out the files that do not match our globbing pattern.
If we are dealing with a globbing pattern, that is. */
if (*u->file && (action == GLOBALL || action == GETONE))
---- wget-1.8.2/src/url.c.fpons 2002-09-04 16:16:52.000000000 +0200
-+++ wget-1.8.2/src/url.c 2002-09-04 16:32:14.000000000 +0200
-@@ -499,14 +499,18 @@
- int
- url_skip_uname (const char *url)
- {
-- const char *p;
-+ const char *p, *pp;
-
-- /* Look for '@' that comes before '/' or '?'. */
-- p = (const char *)strpbrk (url, "/?@");
-- if (!p || *p != '@')
-- return 0;
-+ /* Look for last '@' that comes before '/' or '?'. */
-+ pp = url;
-+ while ((p = (const char *)strpbrk (pp, "/?@")) != NULL) {
-+ if (*p != '@')
-+ break;
-+ /* Found '@' character so go on with possible next '@'. */
-+ pp = p + 1;
-+ }
-
-- return p - url + 1;
-+ return pp != url ? pp - url: 0;
- }
+ {
+ int matchres = 0;
+- struct fileinfo *f = start;
- static int
++ f = start;
+ while (f)
+ {
+ matchres = fnmatch (u->file, f->name, 0);
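Review bot: `has_insecure_name_p` in the fnmatch.c part of the new patch rejects a leading `/` and any `../` substring, but a name that is exactly `..` or that ends in `/..` has no trailing slash and passes the check. The added ftp.c loop relies on this function alone to drop harmful listing entries (presumably before they become local file names), so it should also reject a final `..` component, e.g. `size_t n = strlen (s); if (n >= 2 && !strcmp (s + n - 2, "..") && (n == 2 || s[n - 3] == '/')) return 1;`. The comment above the function would then read `/* Return non-zero if S has a leading '/', contains '../', or ends in a '..' component */`. Separately, this revision drops the url.c `url_skip_uname` change that revision 1.1 carried, and the log message does not say why. `ftp_retrieve_glob` continues outside the embedded hunks, so how `f->name` is used afterwards is not visible here.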
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/wget/wget.spec
============================================================================
$ cvs diff -u -r1.28.2.1 -r1.28.2.2 wget.spec
--- openpkg-src/wget/wget.spec 18 Jan 2003 14:15:37 -0000 1.28.2.1
+++ openpkg-src/wget/wget.spec 23 Jan 2003 14:47:24 -0000 1.28.2.2
@@ -33,7 +33,7 @@
Group: Web
License: GPL
Version: 1.8.2
-Release: 1.20021216
+Release: 1.20030123
# list of sources
Source0: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz
@@ -55,7 +55,7 @@
%prep
%setup -q
- %patch -p1
+ %patch -p0
%build
CC="%{l_cc}" \
@@ .