diff options
| author | Sergey Lukin <sergej.lukin@gmail.com> | 2017-04-05 05:16:36 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-04-05 10:29:04 +0000 |
| commit | 1a5ce94c4aa8247104f2ec105fab532c9a6fbeb4 (patch) | |
| tree | 0aa37af3536df3bf7159f14a13c96ef4637075a1 /main/wget | |
| parent | 885ded4dc2c443184a9f7147bedcd32e093d8122 (diff) | |
| download | aports-1a5ce94c4aa8247104f2ec105fab532c9a6fbeb4.tar.bz2 aports-1a5ce94c4aa8247104f2ec105fab532c9a6fbeb4.tar.xz | |
main/wget: security fixes #7087
CVE-2017-6508: CRLF injection in the url_parse function in url.c
Diffstat (limited to 'main/wget')
| -rw-r--r-- | main/wget/APKBUILD | 15 | ||||
| -rw-r--r-- | main/wget/CVE-2017-6508.patch | 25 |
2 files changed, 37 insertions, 3 deletions
diff --git a/main/wget/APKBUILD b/main/wget/APKBUILD index 5c0db13045..99997bb122 100644 --- a/main/wget/APKBUILD +++ b/main/wget/APKBUILD @@ -1,8 +1,9 @@ +# Contributor: Sergei Lukin <sergej.lukin@gmail.com> # Contributor: Carlo Landmeter <clandmeter@gmail.com> # Maintainer: Carlo Landmeter <clandmeter@gmail.com> pkgname=wget pkgver=1.19.1 -pkgrel=0 +pkgrel=1 pkgdesc="A network utility to retrieve files from the Web" url="http://www.gnu.org/software/wget/wget.html" arch="all" @@ -11,7 +12,14 @@ depends="" makedepends="libressl-dev perl" subpackages="$pkgname-doc" install="" -source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz" +source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2017-6508.patch + " + +# secfixes: +# 1.19.1-r1: +# - CVE-2017-6508 + builddir="$srcdir/$pkgname-$pkgver" build() { @@ -36,4 +44,5 @@ package() { rm -rf "$pkgdir"/usr/lib } -sha512sums="d212ce1387b8e4269c6010bd4c2b4822c14e290d2af6442f3eebe05df27433434600e8e0bdf89a3cb1b5eff1a58eca193bddeac44c1691efe44eb245c5ee7f04 wget-1.19.1.tar.gz" +sha512sums="d212ce1387b8e4269c6010bd4c2b4822c14e290d2af6442f3eebe05df27433434600e8e0bdf89a3cb1b5eff1a58eca193bddeac44c1691efe44eb245c5ee7f04 wget-1.19.1.tar.gz +666b94bcba6a257be01f0d18897c13afe7dcc4eb156e7d6b386de06fdcbdd0da31a2cc7a8ffaa5108dff67872f610b9df30d0df9e8132283255ec6c608fff904 CVE-2017-6508.patch" diff --git a/main/wget/CVE-2017-6508.patch b/main/wget/CVE-2017-6508.patch new file mode 100644 index 0000000000..b685d8dab4 --- /dev/null +++ b/main/wget/CVE-2017-6508.patch @@ -0,0 +1,25 @@ +Patch source: +http://git.savannah.gnu.org/cgit/wget.git/diff/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 + +diff --git a/src/url.c b/src/url.c +index 8f8ff0b..7d36b27 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) + url_unescape (u->host); + host_modified = true; + ++ /* check for invalid control characters in host name */ ++ for (p = u->host; *p; p++) ++ { ++ if (c_iscntrl(*p)) ++ { ++ url_free(u); ++ error_code = PE_INVALID_HOST_NAME; ++ goto error; ++ } ++ } ++ + /* Apply IDNA regardless of iri->utf8_encode status */ + if (opt.enable_iri && iri) + { |