public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] wget 1.19.5: latest patches (01-03)
Date: Wed, 09 May 2018 19:30:42 +0100
Message-ID: <5edd7370284142da63963cb403b4e7c8c13a98e4.camel@ipfire.org>
In-Reply-To: <d67fef05-c08b-b57b-a396-11cb359a6ffe@ipfire.org>

Okay, I will merge this one, but there is no need to follow wget really closely
and patch every bug unless someone runs into it.

They had quite a number of severe security issues, hence I was asking.

Best,
-Michael

On Wed, 2018-05-09 at 19:36 +0200, Matthias Fischer wrote:
> Hi,
> 
> On 09.05.2018 13:14, Michael Tremer wrote:
> > Hi,
> > 
> > are any of these security-relevant?
> 
> I'm not sure - I read this discussion on bug-wget(a)gnu.org:
> 
> ***SNIP***
> On 05/08/2018 09:16 AM, Josef Moellers wrote:
> > > Hi,
> > > 
> > > While trying to upgrade to 1.19.5, we found a bug in wget
> > > (src/host.c)
> > > where the (non-existing) return value of a void function is assigned
> > > to
> > > a variable.
> > > 
> > > A patch is appended.
> 
> Thanks,
> 
> setting timer to NULL is not needed here.
> 
> I've amended and pushed the patch.
> 
> With Best Regards, Tim
> ***SNAP***
> 
> Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git,
> found the two other patches and thought they could be of help.
> 
> Unfortunately, I can't judge what effects these bugs have or why they
> were added. By now, they're undocumented.
> 
> Best,
> Matthias
> 
> > Best,
> > -Michael
> > 
> > On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
> > > For details see:
> > > http://git.savannah.gnu.org/cgit/wget.git
> > > 
> > > Best,
> > > Matthias
> > > 
> > > Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> > > ---
> > >  lfs/wget                                      |  4 +++
> > >  ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
> > >  .../02-src_version_h_add_header_guard.patch   | 20 +++++++++++++
> > >  .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
> > >  4 files changed, 66 insertions(+)
> > >  create mode 100644 src/patches/wget/01-
> > > src_hosts_c_remove_void_assignment.patch
> > >  create mode 100644 src/patches/wget/02-
> > > src_version_h_add_header_guard.patch
> > >  create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > 
> > > diff --git a/lfs/wget b/lfs/wget
> > > index 39f59ba80..f753bef1a 100644
> > > --- a/lfs/wget
> > > +++ b/lfs/wget
> > > @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > >  	@$(PREBUILD)
> > >  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf
> > > $(DIR_DL)/$(DL_FILE)
> > >  
> > > +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
> > > src_hosts_c_remove_void_assignment.patch
> > > +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
> > > src_version_h_add_header_guard.patch
> > > +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
> > > src_hsts_h_fix_header_guard.patch
> > > +
> > >  	cd $(DIR_APP) && ./configure \
> > >  		--prefix=/usr \
> > >  		--sysconfdir=/etc \
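
Review bot: the three added `patch -Np1` lines have no comment saying that these are backports from upstream git on top of 1.19.5, so nothing in lfs/wget tells the next person bumping the version that they can be dropped. A one-line comment above the block would do. The three lines could also be collapsed into a single loop over src/patches/wget/ so the order is defined by the numeric prefix rather than by hand.
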
> > > diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > new file mode 100644
> > > index 000000000..ba488571c
> > > --- /dev/null
> > > +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
> > > @@ -0,0 +1,13 @@
> > > +diff --git a/src/host.c b/src/host.c
> > > +index 4597f46..b42cd6e 100644
> > > +--- a/src/host.c
> > > ++++ b/src/host.c
> > > +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
> > > +         ares_process (channel, &read_fds, &write_fds);
> > > +     }
> > > +   if (timer)
> > > +-    timer = ptimer_destroy (timer);
> > > ++    ptimer_destroy (timer);
> > > + }
> > > + 
> > > + static void
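
Review bot: the patch file starts straight at `diff --git a/src/host.c` with no upstream commit id or subject line, so it cannot be checked against the upstream repository without searching for it; keeping the original commit header in the file would fix that. The file name also says src_hosts_c while the file it touches is src/host.c. On the change itself, dropping the `timer =` assignment leaves the local pointing at a destroyed timer, but the function's closing brace follows directly, so nothing can read it afterwards.
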
> > > diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > b/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > new file mode 100644
> > > index 000000000..5fd75b975
> > > --- /dev/null
> > > +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
> > > @@ -0,0 +1,20 @@
> > > +diff --git a/src/version.h b/src/version.h
> > > +index aeae086..ee40bb1 100644
> > > +--- a/src/version.h
> > > ++++ b/src/version.h
> > > +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a
> > > combination
> > > + shall include the source code for the parts of OpenSSL used as well
> > > + as that of the covered work.  */
> > > + 
> > > ++#ifndef WGET_VERSION_H
> > > ++#define WGET_VERSION_H
> > > ++
> > > + /* Extern declarations for strings in version.c */
> > > + extern const char *version_string;
> > > + extern const char *compilation_string;
> > > +@@ -34,3 +37,5 @@ extern const char *link_string;
> > > + 
> > > + /* Extern declaration for string in build_info.c */
> > > + extern const char *compiled_features[];
> > > ++
> > > ++#endif /* WGET_VERSION_H */
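
Review bot: the guarded region in src/version.h holds only `extern` declarations, which C allows to be repeated, so the added `#ifndef WGET_VERSION_H` guard does not change what gets compiled. Unless a build failure is known that this resolves, it looks like a candidate to leave out of the series and pick up with the next upstream release.
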
> > > diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > new file mode 100644
> > > index 000000000..786d28851
> > > --- /dev/null
> > > +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
> > > @@ -0,0 +1,29 @@
> > > +diff --git a/src/hsts.h b/src/hsts.h
> > > +index 257f0b0..0065d9f 100644
> > > +--- a/src/hsts.h
> > > ++++ b/src/hsts.h
> > > +@@ -26,13 +26,13 @@ grants you additional permission to convey the
> > > resulting
> > > work.
> > > + Corresponding Source for a non-source form of such a combination
> > > + shall include the source code for the parts of OpenSSL used as well
> > > + as that of the covered work.  */
> > > +-#include "wget.h"
> > > + 
> > > +-#ifdef HAVE_HSTS
> > > ++#ifndef WGET_HSTS_H
> > > ++#define WGET_HSTS_H
> > > + 
> > > +-#ifndef HSTS_H
> > > +-#define HSTS_H
> > > ++#ifdef HAVE_HSTS
> > > + 
> > > ++#include "wget.h"
> > > + #include "url.h"
> > > + 
> > > + typedef struct hsts_store *hsts_store_t;
> > > +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
> > > +                        time_t, bool);
> > > + bool hsts_match (hsts_store_t, struct url *);
> > > + 
> > > +-#endif /* HSTS_H */
> > > + #endif /* HAVE_HSTS */
> > > ++#endif /* WGET_HSTS_H */
> 
> 
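
Review bot: in the first inner hunk of the hsts.h patch, `#include "wget.h"` moves from the top of the header to inside `#ifdef HAVE_HSTS`, so hsts.h no longer pulls in wget.h before the macro is tested. If HAVE_HSTS reaches the compiler by way of wget.h rather than from a header every source file includes first, a file that includes hsts.h before wget.h would see an empty header and lose the `hsts_store_entry` and `hsts_match` declarations without an error at the include. Worth confirming where HAVE_HSTS is defined and that the package still builds with HSTS support enabled before merging.
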
