Okay, I will merge this one, but there is no need to follow wget really closely and patch every bug unless someone runs into it.
They had quite a number of severe security issues, hence I was asking.
Best, -Michael
On Wed, 2018-05-09 at 19:36 +0200, Matthias Fischer wrote:
Hi,
On 09.05.2018 13:14, Michael Tremer wrote:
Hi,
are any of these security-relevant?
I'm not sure - I read this discussion on bug-wget@gnu.org:
***SNIP*** On 05/08/2018 09:16 AM, Josef Moellers wrote:
Hi,
While trying to upgrade to 1.19.5, we found a bug in wget (src/host.c) where the (non-existing) return value of a void function is assigned to a variable.
A patch is appended.
Thanks,
setting timer to NULL is not needed here.
I'll amended and pushed the patch.
With Best Regards, Tim ***SNAP***
Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git, found the two other patches and thought they could be of help.
Unfortunately, I can't judge what effects these bugs have or why they were added. So far, they're undocumented.
Best, Matthias
Best, -Michael
On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
For details see: http://git.savannah.gnu.org/cgit/wget.git
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/wget | 4 +++ ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++ .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++ .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++ 4 files changed, 66 insertions(+) create mode 100644 src/patches/wget/01- src_hosts_c_remove_void_assignment.patch create mode 100644 src/patches/wget/02- src_version_h_add_header_guard.patch create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
diff --git a/lfs/wget b/lfs/wget
index 39f59ba80..f753bef1a 100644
--- a/lfs/wget
+++ b/lfs/wget
@@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
src_hosts_c_remove_void_assignment.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
src_version_h_add_header_guard.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
src_hsts_h_fix_header_guard.patch
- cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc \
diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
new file mode 100644
index 000000000..ba488571c
--- /dev/null
+++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
@@ -0,0 +1,13 @@
+diff --git a/src/host.c b/src/host.c
+index 4597f46..b42cd6e 100644
+--- a/src/host.c
++++ b/src/host.c
+@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
ares_process (channel, &read_fds, &write_fds);
}
- if (timer)
+- timer = ptimer_destroy (timer);
++ ptimer_destroy (timer);
- }
- static void
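Review bot: This patch file starts directly at `diff --git a/src/host.c` with no header, so nothing in the tree records which upstream wget commit it was taken from or why it is carried; the same applies to the 02 and 03 patch files added further down. A short description above the diff would let a later reviewer check the file against upstream and drop it at the next wget release, for example `Upstream wget commit <UPSTREAM_COMMIT_ID>: ptimer_destroy() returns void, drop the assignment in wait_ares()`. From the visible lines the change only removes an assignment from a call that the thread describes as returning void, which reads as a build fix for the c-ares resolver path rather than a runtime behaviour change, but that is inferred because wait_ares() starts outside the hunk.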
diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch b/src/patches/wget/02-src_version_h_add_header_guard.patch
new file mode 100644
index 000000000..5fd75b975
--- /dev/null
+++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
@@ -0,0 +1,20 @@
+diff --git a/src/version.h b/src/version.h
+index aeae086..ee40bb1 100644
+--- a/src/version.h
++++ b/src/version.h
+@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a combination
- shall include the source code for the parts of OpenSSL used as well
- as that of the covered work. */
++#ifndef WGET_VERSION_H
++#define WGET_VERSION_H
++
- /* Extern declarations for strings in version.c */
- extern const char *version_string;
- extern const char *compilation_string;
+@@ -34,3 +37,5 @@ extern const char *link_string;
- /* Extern declaration for string in build_info.c */
- extern const char *compiled_features[];
++
++#endif /* WGET_VERSION_H */
diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
new file mode 100644
index 000000000..786d28851
--- /dev/null
+++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
@@ -0,0 +1,29 @@
+diff --git a/src/hsts.h b/src/hsts.h
+index 257f0b0..0065d9f 100644
+--- a/src/hsts.h
++++ b/src/hsts.h
+@@ -26,13 +26,13 @@ grants you additional permission to convey the resulting work.
- Corresponding Source for a non-source form of such a combination
- shall include the source code for the parts of OpenSSL used as well
- as that of the covered work. */
+-#include "wget.h"
+-#ifdef HAVE_HSTS
++#ifndef WGET_HSTS_H
++#define WGET_HSTS_H
+-#ifndef HSTS_H
+-#define HSTS_H
++#ifdef HAVE_HSTS
++#include "wget.h"
- #include "url.h"
- typedef struct hsts_store *hsts_store_t;
+@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
time_t, bool);
- bool hsts_match (hsts_store_t, struct url *);
+-#endif /* HSTS_H */
- #endif /* HAVE_HSTS */
++#endif /* WGET_HSTS_H */
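Review bot: After the reorder, `#ifdef HAVE_HSTS` is evaluated before `#include "wget.h"`, so in the visible lines hsts.h no longer includes anything of its own before testing the macro. If `HAVE_HSTS` only becomes visible through wget.h or a config header it includes (not shown in this hunk), a source file that includes hsts.h first would get an empty header and lose the HSTS declarations with no diagnostic from the header itself. It is worth confirming that every includer pulls in wget.h beforehand, or keeping `#include "wget.h"` above the `#ifdef HAVE_HSTS` test, inside the new `WGET_HSTS_H` guard.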