X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mail-lf0-f68.google.com (mail-lf0-f68.google.com [209.85.215.68]) by lists.alpinelinux.org (Postfix) with ESMTP id 9B8375C528D for ; Wed, 5 Apr 2017 05:53:52 +0000 (GMT) Received: by mail-lf0-f68.google.com with SMTP id v2so265180lfi.2 for ; Tue, 04 Apr 2017 22:53:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=k6BiWTKJmgvvlt6m2STDiYgIxg8GYfkBSDW7TcEVUvM=; b=YgpvESqRxa2Wc71fPyAgnyK0iWvNUlPyPzoJqWT9KUfbRTO8/iNEq0upzaPzHq98CG yEQU8Mbe8bCTPQbSSri3B265b4Lw21zUEUWuN2AOaBcOqXJF6AzQcxPSnrAAx8o8UYuo 0H+nyi9QMDCxQlWSpERugdHdz/77jjU5lAKKNAXnd5h86/4Cvrc9cExuonVfZEfI6DcB nZfVfb6c/XhDQ7I5qOOB5Bs5h01PZZTE3Hv0olstzZnoonbMpQKdLd9nFzLdUvRIPqB8 pJplivcISOirGlv2+W6yV+Hydk3ctVCpRGGjzwrzvP/7P2M7wgOB0zvXRAUQj5xsGiJA ZGlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=k6BiWTKJmgvvlt6m2STDiYgIxg8GYfkBSDW7TcEVUvM=; b=iv02GQOKyZKjqND/+wJ1a+zb+daCHSLP+uYxoroSNVV6JF3ahtqjpVILWXBNhZ+T8S fx6lM6V+hpLKjnitu301QiJT/Std8zxr1PUqgZQiT31cWUjXgliBEvX2pacthF70K5Mt 3FuiXqbj90+m2FY50YbRE94nyoixlWhb3/oHEGUKnlxxxOupmzzMXaVjTXzlmAwpPu7o eJR01gUXM48TA++l4UGc233QU8D37tveuHrvYn+G2nlxVPIOwJmMyUAmlg+Pb2yqqu/8 ETZA73PTmS1XclSQEISKSIXDbq7Z+VaN9jS/L3cMgDBnAoJCACRhc8WOJZLbIRG0hL+R bSWw== X-Gm-Message-State: AFeK/H3QxR073stH4BK/W4+Fmb5mjLj6VsyzNqq+hy1pr+AhzaqtPIMajPEF8pOsJ3m1TQ== X-Received: by 10.25.229.156 with SMTP id i28mr8585892lfk.11.1491371631668; Tue, 04 Apr 2017 22:53:51 -0700 (PDT) Received: from v3-3.util.wtbts.net ([83.145.235.199]) by smtp.gmail.com with ESMTPSA id b17sm3496462lje.13.2017.04.04.22.53.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 04 Apr 2017 22:53:50 -0700 (PDT) From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH v3.3] main/wget: security fixes #7090 Date: Wed, 5 Apr 2017 05:53:43 +0000 Message-Id: <1491371623-24855-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2017-6508: CRLF injection in the url_parse function in url.c --- main/wget/APKBUILD | 20 +++++++++++++++----- main/wget/CVE-2017-6508.patch | 26 ++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 main/wget/CVE-2017-6508.patch diff --git a/main/wget/APKBUILD b/main/wget/APKBUILD index d101957..8ff495e 100644 --- a/main/wget/APKBUILD +++ b/main/wget/APKBUILD @@ -1,8 +1,9 @@ +# Contributor: Sergei Lukin # Contributor: Carlo Landmeter # Maintainer: Carlo Landmeter pkgname=wget pkgver=1.17.1 -pkgrel=1 +pkgrel=2 pkgdesc="A network utility to retrieve files from the Web" url="http://www.gnu.org/software/wget/wget.html" arch="all" @@ -12,7 +13,13 @@ makedepends="openssl-dev perl" subpackages="$pkgname-doc" install="" source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz - CVE-2016-4971.patch" + CVE-2016-4971.patch + CVE-2017-6508.patch + " + +# secfixes: +# 1.17.1-r2: +# - CVE-2017-6508 _builddir="$srcdir"/$pkgname-$pkgver prepare() { @@ -49,8 +56,11 @@ package() { } md5sums="a6a908c9ae0e6a4194c628974cc3f05a wget-1.17.1.tar.gz -9e02ee4b55e4121339696db6150fc57a CVE-2016-4971.patch" +9e02ee4b55e4121339696db6150fc57a CVE-2016-4971.patch +142f1d01db302e1429673701472df182 CVE-2017-6508.patch" sha256sums="029fbb93bdc1c0c5a7507b6076a6ec2f8d34204a85aa87e5b2f61a9405b290f5 wget-1.17.1.tar.gz -f1371a6e21d105c67fc1079af24e16596762dfd442ca0c4c8af37f1f92371f34 CVE-2016-4971.patch" +f1371a6e21d105c67fc1079af24e16596762dfd442ca0c4c8af37f1f92371f34 CVE-2016-4971.patch +f298bc740e32a5b14b61ff08a40a671221e7e8238268624211751174092b5451 CVE-2017-6508.patch" sha512sums="1e99f898669bdb6a330a53b40fac1fc563ad1ce9f6c7f2f25fe3f1cdd3a1a1f094e59c45a8f6497ab0c05d47cbc453ffb5fb6a5507e9a2c9ccf6cddda2aaeaf0 wget-1.17.1.tar.gz -3ae20be07620020f34782f89c1c22444f4da10b7ab10bbc56da38e2c59958841a8c4d5984d7b40f6d1a6a9632ba7410650b1460569ff7bb6f2fcec34bfdd2ec4 CVE-2016-4971.patch" +3ae20be07620020f34782f89c1c22444f4da10b7ab10bbc56da38e2c59958841a8c4d5984d7b40f6d1a6a9632ba7410650b1460569ff7bb6f2fcec34bfdd2ec4 CVE-2016-4971.patch +b640db3aaadb6d25b8391bbf1b6c4d8d07bd7200f9dd21502ff9533e4e356a1c55dd252c9bc2c6e27dcc8d41596e0890ff460c80a0a06166c7bb63e112824e1b CVE-2017-6508.patch" diff --git a/main/wget/CVE-2017-6508.patch b/main/wget/CVE-2017-6508.patch new file mode 100644 index 0000000..0da025d --- /dev/null +++ b/main/wget/CVE-2017-6508.patch @@ -0,0 +1,26 @@ +Patch source: +http://git.savannah.gnu.org/cgit/wget.git/diff/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 + +diff --git a/src/url.c b/src/url.c +index 8f8ff0b..7d36b27 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) + url_unescape (u->host); + host_modified = true; + ++ /* check for invalid control characters in host name */ ++ for (p = u->host; *p; p++) ++ { ++ if (c_iscntrl(*p)) ++ { ++ url_free(u); ++ error_code = PE_INVALID_HOST_NAME; ++ goto error; ++ } ++ } ++ + /* Apply IDNA regardless of iri->utf8_encode status */ + if (opt.enable_iri && iri) + { + -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---