CVS commit: [pkgsrc-2016Q3] pkgsrc/net/wget

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2016Q3] pkgsrc/net/wget
From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
Date: Thu, 3 Nov 2016 19:52:25 +0000

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Nov  3 19:52:25 UTC 2016

Modified Files:
        pkgsrc/net/wget [pkgsrc-2016Q3]: Makefile distinfo
Added Files:
        pkgsrc/net/wget/patches [pkgsrc-2016Q3]: patch-CVE-2016-7098

Log Message:
Pullup ticket #5148 - requested by spz
net/wget: security fix

Revisions pulled up:
- net/wget/Makefile                                             1.133
- net/wget/distinfo                                             1.52
- net/wget/patches/patch-CVE-2016-7098                          1.1

---
   Module Name: pkgsrc
   Committed By:        spz
   Date:                Sun Oct 30 20:55:39 UTC 2016

   Modified Files:
        pkgsrc/net/wget: Makefile distinfo
   Added Files:
        pkgsrc/net/wget/patches: patch-CVE-2016-7098

   Log Message:
   add a patch for CVE-2016-7098 from upstream


To generate a diff of this commit:
cvs rdiff -u -r1.132 -r1.132.2.1 pkgsrc/net/wget/Makefile
cvs rdiff -u -r1.51 -r1.51.4.1 pkgsrc/net/wget/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/net/wget/patches/patch-CVE-2016-7098

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/wget/Makefile
diff -u pkgsrc/net/wget/Makefile:1.132 pkgsrc/net/wget/Makefile:1.132.2.1
--- pkgsrc/net/wget/Makefile:1.132      Mon Sep 19 13:04:26 2016
+++ pkgsrc/net/wget/Makefile    Thu Nov  3 19:52:25 2016
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2016/09/19 13:04:26 wiz Exp $
+# $NetBSD: Makefile,v 1.132.2.1 2016/11/03 19:52:25 bsiegert Exp $
 
 DISTNAME=      wget-1.18
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GNU:=wget/}
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/net/wget/distinfo
diff -u pkgsrc/net/wget/distinfo:1.51 pkgsrc/net/wget/distinfo:1.51.4.1
--- pkgsrc/net/wget/distinfo:1.51       Sat Jun 11 18:33:22 2016
+++ pkgsrc/net/wget/distinfo    Thu Nov  3 19:52:25 2016
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2016/06/11 18:33:22 wiz Exp $
+$NetBSD: distinfo,v 1.51.4.1 2016/11/03 19:52:25 bsiegert Exp $
 
 SHA1 (wget-1.18.tar.xz) = 02d451e658f600ee519c42cbf4d3bfe4e49b6c4f
 RMD160 (wget-1.18.tar.xz) = 4fdf9c523b434050eeccfbd14b98c90c591d7ce4
 SHA512 (wget-1.18.tar.xz) = a3f6fe2f44a8d797659d55cffaf81eb82b770c96222a0ee29bc4931b13846f8d8b9a07806f2197723c873a1248922d59cca5a81869661d9c6c3107447c184338
 Size (wget-1.18.tar.xz) = 1922376 bytes
+SHA1 (patch-CVE-2016-7098) = fa6c96a24590c191440ae91f76e5c10e8db84d4b
 SHA1 (patch-configure) = 4d65f3e3c4d60174442aa1b75b64b7511bbc6497
 SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8

Added files:

Index: pkgsrc/net/wget/patches/patch-CVE-2016-7098
diff -u /dev/null pkgsrc/net/wget/patches/patch-CVE-2016-7098:1.1.2.2
--- /dev/null   Thu Nov  3 19:52:25 2016
+++ pkgsrc/net/wget/patches/patch-CVE-2016-7098 Thu Nov  3 19:52:25 2016
@@ -0,0 +1,56 @@
+patch for CVE-2016-7098 from
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957
+(only the compilable parts)
+
+--- src/http.c.orig    2016-06-09 16:10:14.000000000 +0000
++++ src/http.c 2016-10-27 20:02:46.000000000 +0000
+@@ -39,6 +39,7 @@ as that of the covered work.  */
+ #include <errno.h>
+ #include <time.h>
+ #include <locale.h>
++#include <fcntl.h>
+ 
+ #include "hash.h"
+ #include "http.h"
+@@ -1564,6 +1565,7 @@ struct http_stat
+ #ifdef HAVE_METALINK
+   metalink_t *metalink;
+ #endif
++  bool temporary;               /* downloading a temporary file */
+ };
+ 
+ static void
+@@ -2254,6 +2256,15 @@ check_file_output (struct url *u, struct
+       xfree (local_file);
+     }
+ 
++  hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file);
++  if (hs->temporary)
++    {
++      char *tmp = NULL;
++      asprintf (&tmp, "%s.tmp", hs->local_file);
++      xfree (hs->local_file);
++      hs->local_file = tmp;
++    }
++
+   /* TODO: perform this check only once. */
+   if (!hs->existence_checked && file_exists_p (hs->local_file))
+     {
+@@ -2467,7 +2478,15 @@ open_output_stream (struct http_stat *hs
+           open_id = 22;
+           *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
+ #else /* def __VMS */
+-          *fp = fopen (hs->local_file, "wb");
++          if (hs->temporary)
++            {
++              *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb");
++            }
++          else
++            {
++              *fp = fopen (hs->local_file, "wb");
++            }
++
+ #endif /* def __VMS [else] */
+         }
+       else

Prev by Date: CVS commit: [pkgsrc-2016Q3] pkgsrc/security/libcrack
Next by Date: CVS commit: [pkgsrc-2016Q3] pkgsrc/net/bind910
Previous by Thread: CVS commit: [pkgsrc-2016Q3] pkgsrc/security/libcrack
Next by Thread: CVS commit: [pkgsrc-2016Q3] pkgsrc/net/bind910
Indexes:

Home | Main Index | Thread Index | Old Index