~ruther/guix-local

6b88912eb6c414467234678c347990181dbf848b — Marius Bakke 8 years ago 2e205c6
gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and CVE-2017-13090].

* gnu/packages/wget.scm (wget): Update to 1.19.2.
[source](uri): Change to '.lz' tarball.
[source](patches): Remove.
[native-inputs]: Add LZIP.
* gnu/packages/patches/wget-CVE-2017-6508.patch,
gnu/packages/patches/wget-fix-504-test-timeout.patch,
gnu/packages/patches/wget-perl-5.26.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
5 files changed, 6 insertions(+), 311 deletions(-)

M gnu/local.mk
D gnu/packages/patches/wget-CVE-2017-6508.patch
D gnu/packages/patches/wget-fix-504-test-timeout.patch
D gnu/packages/patches/wget-perl-5.26.patch
M gnu/packages/wget.scm
M gnu/local.mk => gnu/local.mk +0 -3
@@ 1100,9 1100,6 @@ dist_patch_DATA =						\
  %D%/packages/patches/vte-CVE-2012-2738-pt1.patch			\
  %D%/packages/patches/vte-CVE-2012-2738-pt2.patch			\
  %D%/packages/patches/weechat-python.patch			\
  %D%/packages/patches/wget-CVE-2017-6508.patch			\
  %D%/packages/patches/wget-fix-504-test-timeout.patch			\
  %D%/packages/patches/wget-perl-5.26.patch			\
  %D%/packages/patches/wicd-bitrate-none-fix.patch		\
  %D%/packages/patches/wicd-get-selected-profile-fix.patch	\
  %D%/packages/patches/wicd-urwid-1.3.patch			\

D gnu/packages/patches/wget-CVE-2017-6508.patch => gnu/packages/patches/wget-CVE-2017-6508.patch +0 -45
@@ 1,45 0,0 @@
Fix CVE-2017-6508:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508

Patch copied from upstream source repository:

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4

From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Mon, 6 Mar 2017 10:04:22 +0100
Subject: [PATCH] Fix CRLF injection in Wget host part

* src/url.c (url_parse): Reject control characters in host part of URL

Reported-by: Orange Tsai
---
 src/url.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/url.c b/src/url.c
index 8f8ff0b8..7d36b27d 100644
--- a/src/url.c
+++ b/src/url.c
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
       url_unescape (u->host);
       host_modified = true;
 
+      /* check for invalid control characters in host name */
+      for (p = u->host; *p; p++)
+        {
+          if (c_iscntrl(*p))
+            {
+              url_free(u);
+              error_code = PE_INVALID_HOST_NAME;
+              goto error;
+            }
+        }
+
       /* Apply IDNA regardless of iri->utf8_encode status */
       if (opt.enable_iri && iri)
         {
-- 
2.12.0


D gnu/packages/patches/wget-fix-504-test-timeout.patch => gnu/packages/patches/wget-fix-504-test-timeout.patch +0 -160
@@ 1,160 0,0 @@
This patch is from upstream. If a machine is too slow it can cause
test-504.py to fail.
http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de

From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Tue, 14 Feb 2017 16:20:26 +0100
Subject: Fix 504 status handling

* src/http.c (gethttp): Move 504 handling to correct place.
  (http_loop): Fix memeory leak.
* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
  status codes with a body

Reported-by: Adam Sampson
---
 src/http.c                         | 30 +++++++++++-------------------
 testenv/server/http/http_server.py |  9 +++++----
 2 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/src/http.c b/src/http.c
index 898e184..d2c5c77 100644
--- a/src/http.c
+++ b/src/http.c
@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
 
 #ifdef HAVE_METALINK
   /* We need to check for the Metalink data in the very first response
-     we get from the server (before redirectionrs, authorization, etc.).  */
+     we get from the server (before redirections, authorization, etc.).  */
   if (metalink)
     {
       hs->metalink = metalink_from_http (resp, hs, u);
@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
       uerr_t auth_err = RETROK;
       bool retry;
       /* Normally we are not interested in the response body.
-         But if we are writing a WARC file we are: we like to keep everyting.  */
+         But if we are writing a WARC file we are: we like to keep everything.  */
       if (warc_enabled)
         {
           int _err;
@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
         pconn.authorized = true;
     }
 
-  if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-    {
-      hs->len = 0;
-      hs->res = 0;
-      hs->restval = 0;
-
-      CLOSE_FINISH (sock);
-      xfree (hs->message);
-
-      retval = GATEWAYTIMEOUT;
-      goto cleanup;
-    }
-
-
   {
     uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
     if (ret != RETROK)
@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
               retval = _err;
               goto cleanup;
             }
-          else
-            CLOSE_FINISH (sock);
+
+          CLOSE_FINISH (sock);
         }
       else
         {
@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
             CLOSE_INVALIDATE (sock);
         }
 
-      retval = RETRFINISHED;
+      if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
+        retval = GATEWAYTIMEOUT;
+      else
+        retval = RETRFINISHED;
+
       goto cleanup;
     }
 
@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
              bring them to "while" statement at the end, to judge
              whether the number of tries was exceeded.  */
           printwhat (count, opt.ntry);
+          xfree (hstat.message);
+          xfree (hstat.error);
           continue;
         case FWRITEERR: case FOPENERR:
           /* Another fatal error.  */
diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
index e96f6e8..b222df0 100644
--- a/testenv/server/http/http_server.py
+++ b/testenv/server/http/http_server.py
@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
 
     def Response(self, resp_obj):
         self.send_response(resp_obj.response_code)
-        self.finish_headers()
         if resp_obj.response_code == 304:
             raise NoBodyServerError("Conditional get falling to head")
         raise ServerError("Custom Response code sent.")
@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
         except AuthError as se:
             self.send_response(401, "Authorization Required")
             self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
-            self.finish_headers()
             raise se
 
     def handle_auth(self, auth_rule):
@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
             if header_recd is None or header_recd != exp_headers[header_line]:
                 self.send_error(400, "Expected Header %s not found" %
                                 header_line)
-                self.finish_headers()
                 raise ServerError("Header " + header_line + " not found")
 
     def RejectHeader(self, header_obj):
@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
             if header_recd and header_recd == rej_headers[header_line]:
                 self.send_error(400, 'Blacklisted Header %s received' %
                                 header_line)
-                self.finish_headers()
                 raise ServerError("Header " + header_line + ' received')
 
     def __log_request(self, method):
@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
 
             content = self.server.fileSys.get(path)
             content_length = len(content)
+
             for rule_name in self.rules:
                 try:
                     assert hasattr(self, rule_name)
@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
                     return(None, None)
                 except AuthError as ae:
                     print(ae.__str__())
+                    self.finish_headers()
                     return(None, None)
                 except NoBodyServerError as nbse:
                     print(nbse.__str__())
+                    self.finish_headers()
                     return(None, None)
                 except ServerError as se:
                     print(se.__str__())
+                    self.add_header("Content-Length", content_length)
+                    self.finish_headers()
                     return(content, None)
 
             try:
-- 
cgit v1.0-41-gc330


D gnu/packages/patches/wget-perl-5.26.patch => gnu/packages/patches/wget-perl-5.26.patch +0 -96
@@ 1,96 0,0 @@
This upstream commit adjusts tests for Perl 5.26.

commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
Author: Anton Yuzhaninov <citrin+github@citrin.ru>
Date:   Wed Apr 5 19:06:42 2017 +0300

    Fix perl warnings in tests
    
    * tests/FTPServer.pm: Escape '{' in RE to fix warnings
    * tests/FTPTest.pm: Likewise
    * tests/HTTPServer.pm: Likewise
    * tests/HTTPTest.pm: Likewise
    * tests/Test-proxied-https-auth-keepalive.px: Likewise
    * tests/Test-proxied-https-auth.px: Likewise
    Escape '{' in RE to fix warnings:
    Unescaped left brace in regex is deprecated, passed through in regex;
    marked by <-- HERE in m/{{ <-- HERE port}}/

diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
index a5185d66..cac80942 100644
--- a/tests/FTPServer.pm
+++ b/tests/FTPServer.pm
@@ -589,7 +589,7 @@ sub new
     foreach my $file (keys %{$self->{_input}})
     {
         my $ref = \$self->{_input}{$file}{content};
-        $$ref =~ s/{{port}}/$self->sockport/eg;
+        $$ref =~ s/\Q{{port}}/$self->sockport/eg;
     }
 
     return $self;
diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
index 50385ad0..0a1c768c 100644
--- a/tests/FTPTest.pm
+++ b/tests/FTPTest.pm
@@ -53,7 +53,7 @@ sub _substitute_port
 {
     my $self = shift;
     my $ret  = shift;
-    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
     return $ret;
 }
 
diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
index dd8ec043..78609f65 100644
--- a/tests/HTTPServer.pm
+++ b/tests/HTTPServer.pm
@@ -310,7 +310,7 @@ sub _substitute_port
 {
     my $self = shift;
     my $ret  = shift;
-    $ret =~ s/{{port}}/$self->sockport/eg;
+    $ret =~ s/\Q{{port}}/$self->sockport/eg;
     return $ret;
 }
 
diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
index 00f079f8..6225c7f1 100644
--- a/tests/HTTPTest.pm
+++ b/tests/HTTPTest.pm
@@ -47,7 +47,7 @@ sub _substitute_port
 {
     my $self = shift;
     my $ret  = shift;
-    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
     return $ret;
 }
 
diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
index 049bebec..2a18ccfd 100755
--- a/tests/Test-proxied-https-auth-keepalive.px
+++ b/tests/Test-proxied-https-auth-keepalive.px
@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
     . " --no-check-certificate"
     . " https://no.such.domain/needs-auth.txt";
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
 
 if (defined $srcdir) {
     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
index ce4e736c..878114e7 100755
--- a/tests/Test-proxied-https-auth.px
+++ b/tests/Test-proxied-https-auth.px
@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
     . " --no-check-certificate"
     . " https://no.such.domain/needs-auth.txt";
-$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
 
 if (defined $srcdir) {
     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';

M gnu/packages/wget.scm => gnu/packages/wget.scm +6 -7
@@ 21,6 21,7 @@
(define-module (gnu packages wget)
  #:use-module (guix licenses)
  #:use-module (gnu packages)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages libidn)
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)


@@ 34,18 35,15 @@
(define-public wget
  (package
    (name "wget")
    (version "1.19.1")
    (version "1.19.2")
    (source
     (origin
      (method url-fetch)
      (uri (string-append "mirror://gnu/wget/wget-"
                          version ".tar.xz"))
      (patches (search-patches "wget-CVE-2017-6508.patch"
                               "wget-fix-504-test-timeout.patch"
                               "wget-perl-5.26.patch"))
                          version ".tar.lz"))
      (sha256
       (base32
        "1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
        "01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases (modify-phases %standard-phases


@@ 65,7 63,8 @@
    (inputs
     `(("gnutls" ,gnutls)
       ("libidn2" ,libidn2)
       ("libpsl" ,libpsl)))
       ("libpsl" ,libpsl)
       ("lzip" ,lzip)))
    (native-inputs
     `(("pkg-config" ,pkg-config)
       ("perl" ,perl)