[AUTO-CHERRYPICK] Fix CVE-2024-10524 for wget :2.0 - branch main (#11187)
Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>
This commit is contained in:
CBL-Mariner-Bot
GitHub
Родитель
fad4d61e56
Коммит
8c06840cfe
|
|
@ -0,0 +1,182 @@
|
|||
From 4cfddf2cd1aac9b0e36cd08df36f077ee68bd87b Mon Sep 17 00:00:00 2001
|
||||
From: kavyasree <kkaitepalli@microsoft.com>
|
||||
Date: Thu, 21 Nov 2024 12:17:03 +0530
|
||||
Subject: [PATCH] Fix CVE-2024-10524
|
||||
|
||||
---
|
||||
doc/wget.texi | 12 ++++-------
|
||||
src/html-url.c | 2 +-
|
||||
src/main.c | 2 +-
|
||||
src/retr.c | 2 +-
|
||||
src/url.c | 57 ++++++++++++++++----------------------------------
|
||||
src/url.h | 2 +-
|
||||
6 files changed, 26 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/doc/wget.texi b/doc/wget.texi
|
||||
index 0c282b3..d59994a 100644
|
||||
--- a/doc/wget.texi
|
||||
+++ b/doc/wget.texi
|
||||
@@ -314,8 +314,8 @@ for text files. Here is an example:
|
||||
ftp://host/directory/file;type=a
|
||||
@end example
|
||||
|
||||
-Two alternative variants of @sc{url} specification are also supported,
|
||||
-because of historical (hysterical?) reasons and their widespreaded use.
|
||||
+The two alternative variants of @sc{url} specifications are no longer
|
||||
+supported because of security considerations:
|
||||
|
||||
@sc{ftp}-only syntax (supported by @code{NcFTP}):
|
||||
@example
|
||||
@@ -327,12 +327,8 @@ host:/dir/file
|
||||
host[:port]/dir/file
|
||||
@end example
|
||||
|
||||
-These two alternative forms are deprecated, and may cease being
|
||||
-supported in the future.
|
||||
-
|
||||
-If you do not understand the difference between these notations, or do
|
||||
-not know which one to use, just use the plain ordinary format you use
|
||||
-with your favorite browser, like @code{Lynx} or @code{Netscape}.
|
||||
+These two alternative forms have been deprecated long time ago,
|
||||
+and support is removed with version 1.22.0.
|
||||
|
||||
@c man begin OPTIONS
|
||||
|
||||
diff --git a/src/html-url.c b/src/html-url.c
|
||||
index eaddc17..ab3ada6 100644
|
||||
--- a/src/html-url.c
|
||||
+++ b/src/html-url.c
|
||||
@@ -931,7 +931,7 @@ get_urls_file (const char *file)
|
||||
url_text = merged;
|
||||
}
|
||||
|
||||
- new_url = rewrite_shorthand_url (url_text);
|
||||
+ new_url = maybe_prepend_scheme (url_text);
|
||||
if (new_url)
|
||||
{
|
||||
xfree (url_text);
|
||||
diff --git a/src/main.c b/src/main.c
|
||||
index 7c27b0c..6e00ca7 100644
|
||||
--- a/src/main.c
|
||||
+++ b/src/main.c
|
||||
@@ -2120,7 +2120,7 @@ only if outputting to a regular file.\n"));
|
||||
struct iri *iri = iri_new ();
|
||||
struct url *url_parsed;
|
||||
|
||||
- t = rewrite_shorthand_url (argv[optind]);
|
||||
+ t = maybe_prepend_scheme (argv[optind]);
|
||||
if (!t)
|
||||
t = argv[optind];
|
||||
|
||||
diff --git a/src/retr.c b/src/retr.c
|
||||
index 2e18eae..7a34dd5 100644
|
||||
--- a/src/retr.c
|
||||
+++ b/src/retr.c
|
||||
@@ -1502,7 +1502,7 @@ getproxy (struct url *u)
|
||||
|
||||
/* Handle shorthands. `rewritten_storage' is a kludge to allow
|
||||
getproxy() to return static storage. */
|
||||
- rewritten_url = rewrite_shorthand_url (proxy);
|
||||
+ rewritten_url = maybe_prepend_scheme (proxy);
|
||||
if (rewritten_url)
|
||||
return rewritten_url;
|
||||
|
||||
diff --git a/src/url.c b/src/url.c
|
||||
index 65dd27d..01a4391 100644
|
||||
--- a/src/url.c
|
||||
+++ b/src/url.c
|
||||
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
|
||||
return true;
|
||||
}
|
||||
|
||||
-/* Used by main.c: detect URLs written using the "shorthand" URL forms
|
||||
- originally popularized by Netscape and NcFTP. HTTP shorthands look
|
||||
- like this:
|
||||
-
|
||||
- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
|
||||
- www.foo.com[:port] -> http://www.foo.com[:port]
|
||||
-
|
||||
- FTP shorthands look like this:
|
||||
-
|
||||
- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
|
||||
- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
|
||||
+static bool is_valid_port(const char *p)
|
||||
+{
|
||||
+ unsigned port = (unsigned) atoi (p);
|
||||
+ if (port == 0 || port > 65535)
|
||||
+ return false;
|
||||
|
||||
- If the URL needs not or cannot be rewritten, return NULL. */
|
||||
+ int digits = strspn (p, "0123456789");
|
||||
+ return digits && (p[digits] == '/' || p[digits] == '\0');
|
||||
+}
|
||||
|
||||
+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
|
||||
char *
|
||||
-rewrite_shorthand_url (const char *url)
|
||||
+maybe_prepend_scheme (const char *url)
|
||||
{
|
||||
- const char *p;
|
||||
- char *ret;
|
||||
-
|
||||
if (url_scheme (url) != SCHEME_INVALID)
|
||||
return NULL;
|
||||
|
||||
- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
|
||||
- latter Netscape. */
|
||||
- p = strpbrk (url, ":/");
|
||||
+ const char *p = strchr (url, ':');
|
||||
if (p == url)
|
||||
return NULL;
|
||||
|
||||
/* If we're looking at "://", it means the URL uses a scheme we
|
||||
don't support, which may include "https" when compiled without
|
||||
- SSL support. Don't bogusly rewrite such URLs. */
|
||||
+ SSL support. Don't bogusly prepend "http://" to such URLs. */
|
||||
if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
|
||||
return NULL;
|
||||
|
||||
- if (p && *p == ':')
|
||||
- {
|
||||
- /* Colon indicates ftp, as in foo.bar.com:path. Check for
|
||||
- special case of http port number ("localhost:10000"). */
|
||||
- int digits = strspn (p + 1, "0123456789");
|
||||
- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
|
||||
- goto http;
|
||||
-
|
||||
- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
|
||||
- if ((ret = aprintf ("ftp://%s", url)) != NULL)
|
||||
- ret[6 + (p - url)] = '/';
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- http:
|
||||
- /* Just prepend "http://" to URL. */
|
||||
- ret = aprintf ("http://%s", url);
|
||||
- }
|
||||
- return ret;
|
||||
+ if (p && p[0] == ':' && !is_valid_port (p + 1))
|
||||
+ return NULL;
|
||||
+
|
||||
+
|
||||
+ fprintf(stderr, "Prepended http:// to '%s'\n", url);
|
||||
+ return aprintf ("http://%s", url);
|
||||
}
|
||||
|
||||
static void split_path (const char *, char **, char **);
|
||||
diff --git a/src/url.h b/src/url.h
|
||||
index 29c591d..804c0a7 100644
|
||||
--- a/src/url.h
|
||||
+++ b/src/url.h
|
||||
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
|
||||
|
||||
int mkalldirs (const char *);
|
||||
|
||||
-char *rewrite_shorthand_url (const char *);
|
||||
+char *maybe_prepend_scheme (const char *);
|
||||
bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
|
||||
|
||||
bool are_urls_equal (const char *u1, const char *u2);
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: A network utility to retrieve files from the Web
|
||||
Name: wget
|
||||
Version: 1.21.2
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPL-3.0-or-later AND LGPL-3.0-or-later
|
||||
URL: https://www.gnu.org/software/wget/wget.html
|
||||
Group: System Environment/NetworkingPrograms
|
||||
|
|
@ -9,6 +9,7 @@ Vendor: Microsoft Corporation
|
|||
Distribution: Mariner
|
||||
Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
|
||||
Patch0: CVE-2024-38428.patch
|
||||
Patch1: CVE-2024-10524.patch
|
||||
BuildRequires: openssl-devel
|
||||
%if %{with_check}
|
||||
BuildRequires: perl
|
||||
|
|
@ -55,6 +56,9 @@ rm -rf %{buildroot}/%{_infodir}
|
|||
%{_datadir}/locale/*/LC_MESSAGES/*.mo
|
||||
|
||||
%changelog
|
||||
* Thu Nov 21 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 1.21.2-4
|
||||
- Patch for CVE-2024-10524
|
||||
|
||||
* Wed Jun 19 2024 Saul Paredes <saulparedes@microsoft.com> - 1.21.2-3
|
||||
- Patch for CVE-2024-38428
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче