From: Sergei Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergei Lukin Subject: [alpine-aports] [PATCH edge] main/wget: security fixes #7087 Date: Wed, 5 Apr 2017 05:16:36 +0000 Message-Id: <20170405051636.26882-1-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.12.2 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2017-6508: CRLF injection in the url_parse function in url.c --- main/wget/APKBUILD | 15 ++++++++++++--- main/wget/CVE-2017-6508.patch | 25 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 main/wget/CVE-2017-6508.patch diff --git a/main/wget/APKBUILD b/main/wget/APKBUILD index 5c0db13045..99997bb122 100644 --- a/main/wget/APKBUILD +++ b/main/wget/APKBUILD @@ -1,8 +1,9 @@ +# Contributor: Sergei Lukin # Contributor: Carlo Landmeter # Maintainer: Carlo Landmeter pkgname=wget pkgver=1.19.1 -pkgrel=0 +pkgrel=1 pkgdesc="A network utility to retrieve files from the Web" url="http://www.gnu.org/software/wget/wget.html" arch="all" @@ -11,7 +12,14 @@ depends="" makedepends="libressl-dev perl" subpackages="$pkgname-doc" install="" -source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz" +source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2017-6508.patch + " + +# secfixes: +# 1.19.1-r1: +# - CVE-2017-6508 + builddir="$srcdir/$pkgname-$pkgver" build() { @@ -36,4 +44,5 @@ package() { rm -rf "$pkgdir"/usr/lib } -sha512sums="d212ce1387b8e4269c6010bd4c2b4822c14e290d2af6442f3eebe05df27433434600e8e0bdf89a3cb1b5eff1a58eca193bddeac44c1691efe44eb245c5ee7f04 wget-1.19.1.tar.gz" +sha512sums="d212ce1387b8e4269c6010bd4c2b4822c14e290d2af6442f3eebe05df27433434600e8e0bdf89a3cb1b5eff1a58eca193bddeac44c1691efe44eb245c5ee7f04 wget-1.19.1.tar.gz +666b94bcba6a257be01f0d18897c13afe7dcc4eb156e7d6b386de06fdcbdd0da31a2cc7a8ffaa5108dff67872f610b9df30d0df9e8132283255ec6c608fff904 CVE-2017-6508.patch" 
diff --git a/main/wget/CVE-2017-6508.patch b/main/wget/CVE-2017-6508.patch new file mode 100644 index 0000000000..b685d8dab4 --- /dev/null +++ b/main/wget/CVE-2017-6508.patch @@ -0,0 +1,25 @@ +Patch source: +http://git.savannah.gnu.org/cgit/wget.git/diff/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 + +diff --git a/src/url.c b/src/url.c +index 8f8ff0b..7d36b27 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode) + url_unescape (u->host); + host_modified = true; + ++ /* check for invalid control characters in host name */ ++ for (p = u->host; *p; p++) ++ { ++ if (c_iscntrl(*p)) ++ { ++ url_free(u); ++ error_code = PE_INVALID_HOST_NAME; ++ goto error; ++ } ++ } ++ + /* Apply IDNA regardless of iri->utf8_encode status */ + if (opt.enable_iri && iri) + { -- 2.12.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
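Review bot: the APKBUILD hunks add CVE-2017-6508.patch to `source` and to `sha512sums` but show no change to a prepare() function; if this APKBUILD defines its own prepare() that does not call default_prepare (or the abuild in use does not apply `$source` patches on its own), the file is fetched and checksummed but never applied, so confirm that the build log shows the patch being applied and that the built wget carries the url.c change. The secfixes block itself is in the expected form (`# 1.19.1-r1:` followed by `# - CVE-2017-6508`) and matches the pkgrel bump from 0 to 1.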
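Review bot: in the url.c hunk the new loop uses `p` and `c_iscntrl()` without declaring or including them, which only works because url_parse() already has `p` in scope and url.c already includes gnulib's c-ctype.h, as the upstream version of this change assumes; since indentation was lost in this mail rendering, verify against the upstream commit linked in the patch header that the loop sits after the block containing `url_unescape (u->host);` at function level rather than inside it, so a host that contained no percent-escapes is also rejected when it carries a raw CR or LF. The `url_free(u);` before `goto error;` also assumes the `error:` label does not free `u` a second time; that label is outside the hunk, so check it before merging.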