From mboxrd@z Thu Jan 1 00:00:00 1970
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] wget 1.19.5: latest patches (01-03)
Date: Wed, 09 May 2018 19:36:23 +0200
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1249468506299804554=="
List-Id:

--===============1249468506299804554==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On 09.05.2018 13:14, Michael Tremer wrote:
> Hi,
>
> are any of these security-relevant?

I'm not sure - I read this discussion on bug-wget(a)gnu.org:

***SNIP***
On 05/08/2018 09:16 AM, Josef Moellers wrote:
> > Hi,
> >
> > While trying to upgrade to 1.19.5, we found a bug in wget (src/host.c)
> > where the (non-existing) return value of a void function is assigned to
> > a variable.
> >
> > A patch is appended.

Thanks, setting timer to NULL is not needed here.

I'll amended and pushed the patch.

With Best Regards, Tim
***SNAP***

Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git, found the two other patches and thought they could be of help.

Unfortunately, I can't judge what effects these bugs have or why they were added. By now, they're undocumented.

Best,
Matthias

> Best,
> -Michael
>
> On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
>> For details see:
>> http://git.savannah.gnu.org/cgit/wget.git
>>
>> Best,
>> Matthias
>>
>> Signed-off-by: Matthias Fischer
>> ---
>> lfs/wget | 4 +++
>> ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
>> .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
>> .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
>> 4 files changed, 66 insertions(+)
>> create mode 100644 src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> create mode 100644 src/patches/wget/02-src_version_h_add_header_guard.patch
>> create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>>
>> diff --git a/lfs/wget b/lfs/wget >> index 39f59ba80..f753bef1a 100644 >> --- a/lfs/wget >> +++ b/lfs/wget >> @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) >> =20 >> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01- >> src_hosts_c_remove_void_assignment.patch >> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02- >> src_version_h_add_header_guard.patch >> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03- >> src_hsts_h_fix_header_guard.patch >> + >> cd $(DIR_APP) && ./configure \ >> --prefix=3D/usr \ >> --sysconfdir=3D/etc \ >> diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch >> b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch >> new file mode 100644 >> index 000000000..ba488571c >> --- /dev/null >> +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch >> @@ -0,0 +1,13 @@ >> +diff --git a/src/host.c b/src/host.c >> +index 4597f46..b42cd6e 100644 >> +--- a/src/host.c >> ++++ b/src/host.c >> +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel) >> + ares_process (channel, &read_fds, &write_fds); >> + } >> + if (timer) >> +- timer =3D ptimer_destroy (timer); >> ++ ptimer_destroy (timer); >> + } >> +=20 >> + static void >> diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch >> b/src/patches/wget/02-src_version_h_add_header_guard.patch >> new file mode 100644 >> index 000000000..5fd75b975 >> --- /dev/null >> +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch 
>> @@ -0,0 +1,20 @@ >> +diff --git a/src/version.h b/src/version.h >> +index aeae086..ee40bb1 100644 >> +--- a/src/version.h >> ++++ b/src/version.h >> +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a >> combination >> + shall include the source code for the parts of OpenSSL used as well >> + as that of the covered work. */ >> +=20 >> ++#ifndef WGET_VERSION_H >> ++#define WGET_VERSION_H >> ++ >> + /* Extern declarations for strings in version.c */ >> + extern const char *version_string; >> + extern const char *compilation_string; >> +@@ -34,3 +37,5 @@ extern const char *link_string; >> +=20 >> + /* Extern declaration for string in build_info.c */ >> + extern const char *compiled_features[]; >> ++ >> ++#endif /* WGET_VERSION_H */ >> diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch >> b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch >> new file mode 100644 >> index 000000000..786d28851 >> --- /dev/null >> +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch >> @@ -0,0 +1,29 @@ >> +diff --git a/src/hsts.h b/src/hsts.h >> +index 257f0b0..0065d9f 100644 >> +--- a/src/hsts.h >> ++++ b/src/hsts.h >> +@@ -26,13 +26,13 @@ grants you additional permission to convey the result= ing >> work. >> + Corresponding Source for a non-source form of such a combination >> + shall include the source code for the parts of OpenSSL used as well >> + as that of the covered work. */ >> +-#include "wget.h" >> +=20 >> +-#ifdef HAVE_HSTS >> ++#ifndef WGET_HSTS_H >> ++#define WGET_HSTS_H >> +=20 >> +-#ifndef HSTS_H >> +-#define HSTS_H >> ++#ifdef HAVE_HSTS >> +=20 >> ++#include "wget.h" >> + #include "url.h" >> +=20 >> + typedef struct hsts_store *hsts_store_t; >> +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t, >> + time_t, bool); >> + bool hsts_match (hsts_store_t, struct url *); >> +=20 >> +-#endif /* HSTS_H */ >> + #endif /* HAVE_HSTS */ >> ++#endif /* WGET_HSTS_H */ >=20 --===============1249468506299804554==--
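
Review bot: the three `patch -Np1 -i` lines added to lfs/wget carry no record of where the patches come from, and the commit message only points at the root of http://git.savannah.gnu.org/cgit/wget.git. Name the upstream commit for each of 01 to 03 in the commit message or in a comment above these lines, so the patches can be dropped with confidence at the next wget update and so the question "are any of these security-relevant?" can be answered from the log.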
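
Review bot: in 01-src_hosts_c_remove_void_assignment.patch, `ptimer_destroy (timer);` leaves `timer` unchanged after the call, which is acceptable here only because the closing brace of wait_ares follows directly in the hunk's context and the variable is not used again. The removed line `timer = ptimer_destroy (timer);` assigned the result of what the bug-wget thread describes as a void function, so this reads as a compile fix with no change in behaviour. Say so in the commit message.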
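
Review bot: in 02-src_version_h_add_header_guard.patch, the lines placed between `#ifndef WGET_VERSION_H` and `#endif /* WGET_VERSION_H */` that are visible in the hunk are all `extern` declarations, which are legal to repeat, so the guard fixes no failure that can be seen here. If no build problem motivates it, consider leaving this patch out of the downstream set and picking it up with the next wget release instead of maintaining it locally.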
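
Review bot: in 03-src_hsts_h_fix_header_guard.patch, moving `#include "wget.h"` below `#ifdef HAVE_HSTS` means hsts.h now tests HAVE_HSTS before it has included anything itself. If that macro only becomes visible through wget.h, a source file that includes hsts.h first would get an empty header, with the `hsts_store_t` typedef and the `hsts_match` prototype silently missing. Before carrying this patch, check that every file including hsts.h already has the configuration macros defined at that point; the guard rename from `HSTS_H` to `WGET_HSTS_H` is otherwise unproblematic.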