X-Original-To: alpine-aports@lists.alpinelinux.org
Received: from mail-lf0-f68.google.com (mail-lf0-f68.google.com [209.85.215.68])
	by lists.alpinelinux.org (Postfix) with ESMTP id 783A65C46DB
	for <alpine-aports@lists.alpinelinux.org>; Wed,  5 Apr 2017 05:58:00 +0000 (GMT)
Received: by mail-lf0-f68.google.com with SMTP id r36so272393lfi.0
        for <alpine-aports@lists.alpinelinux.org>; Tue, 04 Apr 2017 22:58:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=pTbyGE7rlM4G2V9r/3jxKtRkv16s8ioUVH/SdlY0iEI=;
        b=pNnSKwNpIsaOiD9SIBbh9Z5kQAbBOi87uXhZMLIfHQcWPC4vd9ZUjJO+GJ+9D0+x20
         J9XhiTl6hfaQc5y4KENZMQfxpDkhOsNsXVfA+sIXcS1V4Oq2WiPVG480qHyKqPTRqybw
         JiVBcUNcYZpKJN6h9u7X1m0iAZykXbFKxoCM1Dd9XxAquIXSlhJezgYv0uU5tChcQwAx
         QQEywx8Ml/nTHk+At651ScR+j+dHV2FtUREX8eIpcf75fsvgPXsEfsdEiJE+nMEE8UCq
         zSmzc1I94Sm9Nf1xnPWNmxl9GCXWxcPaIv1KuY0zSC/f99k76vAcNTufPMtfqy+LYmjF
         h7gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=pTbyGE7rlM4G2V9r/3jxKtRkv16s8ioUVH/SdlY0iEI=;
        b=KBoecSdz2TvZNNTK4wrkW/ho4HDnqF54oTaapqwq8d2olBJccbTUrJFHSQkyk5XnX+
         wIvLcvLNQKoD9bXDNNfmuiUrzrAuneSpWBB19+n3DlBW4CyS6MkLfw5/Uebp8SSRpGLH
         eW4itKXOK88PHQEWPSMqENq4k4wIn5BgfijRndDpB1zPdmDP9BkNuDPavLdRXVJhnjrS
         taDO3k4Jpw+mRwwTHSQ3hGP0Ibp1oWHR3aQyspHBapBCUNIGGRrhdhoiKy7II9Prr0yG
         TZdXPpRdxagsjjv065Q+8O267XtTLnt8Vt1oWAFF0ybHC3+ZLH3hSfIS3SlnjTQsvoQf
         9NOA==
X-Gm-Message-State: AFeK/H0s2h68ImDJuovQvEZUKgJZ9NIvuwjt2AIS9+8hwkZhq6PVO8XhGMPiy4tjcZcQag==
X-Received: by 10.25.79.15 with SMTP id d15mr7504388lfb.14.1491371879544;
        Tue, 04 Apr 2017 22:57:59 -0700 (PDT)
Received: from v3-2.util.wtbts.net ([83.145.235.199])
        by smtp.gmail.com with ESMTPSA id 187sm3555749ljf.32.2017.04.04.22.57.58
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 04 Apr 2017 22:57:58 -0700 (PDT)
From: Sergei Lukin <sergej.lukin@gmail.com>
To: alpine-aports@lists.alpinelinux.org
Cc: Sergei Lukin <sergej.lukin@gmail.com>
Subject: [alpine-aports] [PATCH v3.2] main/wget: security fixes #7091
Date: Wed,  5 Apr 2017 05:57:52 +0000
Message-Id: <1491371872-12588-1-git-send-email-sergej.lukin@gmail.com>
X-Mailer: git-send-email 2.4.11
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development <alpine-aports.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-aports+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-aports@lists.alpinelinux.org>
List-Help: <mailto:alpine-aports+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-aports+subscribe@lists.alpinelinux.org?subject=subscribe>

CVE-2017-6508: CRLF injection in the url_parse function in url.c
---
 main/wget/APKBUILD            | 20 +++++++++++++++-----
 main/wget/CVE-2017-6508.patch | 26 ++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 main/wget/CVE-2017-6508.patch

diff --git a/main/wget/APKBUILD b/main/wget/APKBUILD
index 1ac7625..edf6e3a 100644
--- a/main/wget/APKBUILD
+++ b/main/wget/APKBUILD
@@ -1,8 +1,9 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
 # Contributor: Carlo Landmeter <clandmeter@gmail.com>
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=wget
 pkgver=1.18
-pkgrel=0
+pkgrel=1
 pkgdesc="A network utility to retrieve files from the Web"
 url="http://www.gnu.org/software/wget/wget.html"
 arch="all"
@@ -11,7 +12,13 @@ depends=""
 makedepends="openssl-dev perl"
 subpackages="$pkgname-doc"
 install="wget.post-deinstall"
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2017-6508.patch
+	"
+
+# secfixes:
+#   1.18-r1:
+#   - CVE-2017-6508
 
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
@@ -47,6 +54,9 @@ package() {
 	return 0
 }
 
-md5sums="fc2debd8399e3b933a9b226794e2a886  wget-1.18.tar.gz"
-sha256sums="a00a65fab84cc46e24c53ce88c45604668a7a479276e037dc2f558e34717fb2d  wget-1.18.tar.gz"
-sha512sums="a6c31ea7161e5af1552713edc6d9e386e4d63e53660bedbc4b099c7a4c7bbbdfedb4fc8abea67158899dee82b6331c87b1f2a9cb14cbcbcfa6e19a7fdf26b0a1  wget-1.18.tar.gz"
+md5sums="fc2debd8399e3b933a9b226794e2a886  wget-1.18.tar.gz
+142f1d01db302e1429673701472df182  CVE-2017-6508.patch"
+sha256sums="a00a65fab84cc46e24c53ce88c45604668a7a479276e037dc2f558e34717fb2d  wget-1.18.tar.gz
+f298bc740e32a5b14b61ff08a40a671221e7e8238268624211751174092b5451  CVE-2017-6508.patch"
+sha512sums="a6c31ea7161e5af1552713edc6d9e386e4d63e53660bedbc4b099c7a4c7bbbdfedb4fc8abea67158899dee82b6331c87b1f2a9cb14cbcbcfa6e19a7fdf26b0a1  wget-1.18.tar.gz
+b640db3aaadb6d25b8391bbf1b6c4d8d07bd7200f9dd21502ff9533e4e356a1c55dd252c9bc2c6e27dcc8d41596e0890ff460c80a0a06166c7bb63e112824e1b  CVE-2017-6508.patch"
diff --git a/main/wget/CVE-2017-6508.patch b/main/wget/CVE-2017-6508.patch
new file mode 100644
index 0000000..0da025d
--- /dev/null
+++ b/main/wget/CVE-2017-6508.patch
@@ -0,0 +1,26 @@
+Patch source:
+http://git.savannah.gnu.org/cgit/wget.git/diff/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
+
+diff --git a/src/url.c b/src/url.c
+index 8f8ff0b..7d36b27 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
+       url_unescape (u->host);
+       host_modified = true;
+ 
++      /* check for invalid control characters in host name */
++      for (p = u->host; *p; p++)
++        {
++          if (c_iscntrl(*p))
++            {
++              url_free(u);
++              error_code = PE_INVALID_HOST_NAME;
++              goto error;
++            }
++        }
++
+       /* Apply IDNA regardless of iri->utf8_encode status */
+       if (opt.enable_iri && iri)
+         {
+
-- 
2.4.11



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---