pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/net/wget add a patch for CVE-2016-7098 from upstream
details: https://anonhg.NetBSD.org/pkgsrc/rev/1af8c8a736ff
branches: trunk
changeset: 354464:1af8c8a736ff
user: spz <spz%pkgsrc.org@localhost>
date: Sun Oct 30 20:55:39 2016 +0000
description:
add a patch for CVE-2016-7098 from upstream
diffstat:
net/wget/Makefile | 4 +-
net/wget/distinfo | 3 +-
net/wget/patches/patch-CVE-2016-7098 | 56 ++++++++++++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 3 deletions(-)
diffs (87 lines):
diff -r 5474ae434f94 -r 1af8c8a736ff net/wget/Makefile
--- a/net/wget/Makefile Sun Oct 30 20:49:57 2016 +0000
+++ b/net/wget/Makefile Sun Oct 30 20:55:39 2016 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.132 2016/09/19 13:04:26 wiz Exp $
+# $NetBSD: Makefile,v 1.133 2016/10/30 20:55:39 spz Exp $
DISTNAME= wget-1.18
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= net
MASTER_SITES= ${MASTER_SITE_GNU:=wget/}
EXTRACT_SUFX= .tar.xz
diff -r 5474ae434f94 -r 1af8c8a736ff net/wget/distinfo
--- a/net/wget/distinfo Sun Oct 30 20:49:57 2016 +0000
+++ b/net/wget/distinfo Sun Oct 30 20:55:39 2016 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2016/06/11 18:33:22 wiz Exp $
+$NetBSD: distinfo,v 1.52 2016/10/30 20:55:39 spz Exp $
SHA1 (wget-1.18.tar.xz) = 02d451e658f600ee519c42cbf4d3bfe4e49b6c4f
RMD160 (wget-1.18.tar.xz) = 4fdf9c523b434050eeccfbd14b98c90c591d7ce4
SHA512 (wget-1.18.tar.xz) = a3f6fe2f44a8d797659d55cffaf81eb82b770c96222a0ee29bc4931b13846f8d8b9a07806f2197723c873a1248922d59cca5a81869661d9c6c3107447c184338
Size (wget-1.18.tar.xz) = 1922376 bytes
+SHA1 (patch-CVE-2016-7098) = fa6c96a24590c191440ae91f76e5c10e8db84d4b
SHA1 (patch-configure) = 4d65f3e3c4d60174442aa1b75b64b7511bbc6497
SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8
diff -r 5474ae434f94 -r 1af8c8a736ff net/wget/patches/patch-CVE-2016-7098
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/wget/patches/patch-CVE-2016-7098 Sun Oct 30 20:55:39 2016 +0000
@@ -0,0 +1,56 @@
+patch for CVE-2016-7098 from
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957
+(only the compilable parts)
+
+--- src/http.c.orig 2016-06-09 16:10:14.000000000 +0000
++++ src/http.c 2016-10-27 20:02:46.000000000 +0000
+@@ -39,6 +39,7 @@ as that of the covered work. */
+ #include <errno.h>
+ #include <time.h>
+ #include <locale.h>
++#include <fcntl.h>
+
+ #include "hash.h"
+ #include "http.h"
+@@ -1564,6 +1565,7 @@ struct http_stat
+ #ifdef HAVE_METALINK
+ metalink_t *metalink;
+ #endif
++ bool temporary; /* downloading a temporary file */
+ };
+
+ static void
+@@ -2254,6 +2256,15 @@ check_file_output (struct url *u, struct
+ xfree (local_file);
+ }
+
++ hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file);
++ if (hs->temporary)
++ {
++ char *tmp = NULL;
++ asprintf (&tmp, "%s.tmp", hs->local_file);
++ xfree (hs->local_file);
++ hs->local_file = tmp;
++ }
++
+ /* TODO: perform this check only once. */
+ if (!hs->existence_checked && file_exists_p (hs->local_file))
+ {
+@@ -2467,7 +2478,15 @@ open_output_stream (struct http_stat *hs
+ open_id = 22;
+ *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
+ #else /* def __VMS */
+- *fp = fopen (hs->local_file, "wb");
++ if (hs->temporary)
++ {
++ *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb");
++ }
++ else
++ {
++ *fp = fopen (hs->local_file, "wb");
++ }
++
+ #endif /* def __VMS [else] */
+ }
+ else
Home |
Main Index |
Thread Index |
Old Index