head 1.2; access; symbols pkgsrc-2016Q4:1.1.0.4 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2017.02.20.12.25.48; author ryoon; state dead; branches; next 1.1; commitid qM3cQzq4KUG4IGGz; 1.1 date 2016.10.30.20.55.39; author spz; state Exp; branches 1.1.2.1; next ; commitid 8MU1fENQ6H87adsz; 1.1.2.1 date 2016.10.30.20.55.39; author bsiegert; state dead; branches; next 1.1.2.2; commitid LdHfnhZmU0BxGIsz; 1.1.2.2 date 2016.11.03.19.52.25; author bsiegert; state Exp; branches; next ; commitid LdHfnhZmU0BxGIsz; desc @@ 1.2 log @Update to 1.19.1 Changelog: * Changes in Wget 1.19.1 * Fix bugs, a regression, portability/build issues * Add new option --retry-on-http-error * Changes in Wget 1.19 * New option --use-askpass=COMMAND. Fetch user/password by calling an external program. * Use IDNA2008 (+ TR46 if available) through libidn2 * When processing a Metalink header, --metalink-index= allows to process the header's application/metalink4+xml files. * When processing a Metalink file, --trust-server-names enables the use of the destination file names specified in the Metalink file, otherwise a safe destination file name is computed. * When processing a Metalink file, enforce a safe destination path. Remove any drive letter prefix under w32, i.e. 'C:D:file'. Call libmetalink's metalink_check_safe_path() to prevent absolute, relative, or home paths: https://tools.ietf.org/html/rfc5854#section-4.1.2.1 https://tools.ietf.org/html/rfc5854#section-4.2.8.3 * When processing a Metalink file, --directory-prefix= sets the top of the retrieval tree to prefix for Metalink downloads. * When processing a Metalink file, reject downloaded files which don't agree with their own metalink:size value: https://tools.ietf.org/html/rfc5854#section-4.2.16 * When processing a Metalink file, with --continue resume partially downloaded files and keep fully downloaded files even if they fail the verification. 
* When processing a Metalink file, create the parent directories of a "path/file" destination file name: https://tools.ietf.org/html/rfc5854#section-4.1.2.1 https://tools.ietf.org/html/rfc5854#section-4.2.8.3 * On a recursive download, append a .tmp suffix to temporary files that will be deleted after being parsed, and create them readable/writable only by the owner. * New make target 'check-valgrind' * Fix several bugs * Fix compatibility issues @ text @patch for CVE-2016-7098 from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957 (only the compilable parts) --- src/http.c.orig 2016-06-09 16:10:14.000000000 +0000 +++ src/http.c 2016-10-27 20:02:46.000000000 +0000 @@@@ -39,6 +39,7 @@@@ as that of the covered work. */ #include #include #include +#include #include "hash.h" #include "http.h" @@@@ -1564,6 +1565,7 @@@@ struct http_stat #ifdef HAVE_METALINK metalink_t *metalink; #endif + bool temporary; /* downloading a temporary file */ }; static void @@@@ -2254,6 +2256,15 @@@@ check_file_output (struct url *u, struct xfree (local_file); } + hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file); + if (hs->temporary) + { + char *tmp = NULL; + asprintf (&tmp, "%s.tmp", hs->local_file); + xfree (hs->local_file); + hs->local_file = tmp; + } + /* TODO: perform this check only once. 
*/ if (!hs->existence_checked && file_exists_p (hs->local_file)) { @@@@ -2467,7 +2478,15 @@@@ open_output_stream (struct http_stat *hs open_id = 22; *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS); #else /* def __VMS */ - *fp = fopen (hs->local_file, "wb"); + if (hs->temporary) + { + *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb"); + } + else + { + *fp = fopen (hs->local_file, "wb"); + } + #endif /* def __VMS [else] */ } else @ 1.1 log @add a patch for CVE-2016-7098 from upstream @ text @@ 1.1.2.1 log @file patch-CVE-2016-7098 was added on branch pkgsrc-2016Q3 on 2016-11-03 19:52:25 +0000 @ text @d1 56 @ 1.1.2.2 log @Pullup ticket #5148 - requested by spz net/wget: security fix Revisions pulled up: - net/wget/Makefile 1.133 - net/wget/distinfo 1.52 - net/wget/patches/patch-CVE-2016-7098 1.1 --- Module Name: pkgsrc Committed By: spz Date: Sun Oct 30 20:55:39 UTC 2016 Modified Files: pkgsrc/net/wget: Makefile distinfo Added Files: pkgsrc/net/wget/patches: patch-CVE-2016-7098 Log Message: add a patch for CVE-2016-7098 from upstream @ text @a0 56 patch for CVE-2016-7098 from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=9ffb64ba6a8121909b01e984deddce8d096c498d http://git.savannah.gnu.org/cgit/wget.git/commit/?id=690c47e3b18c099843cdf557a0425d701fca4957 (only the compilable parts) --- src/http.c.orig 2016-06-09 16:10:14.000000000 +0000 +++ src/http.c 2016-10-27 20:02:46.000000000 +0000 @@@@ -39,6 +39,7 @@@@ as that of the covered work. 
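Review bot: The result of `asprintf (&tmp, "%s.tmp", hs->local_file)` in the check_file_output hunk is never checked; on allocation failure it returns -1 and glibc documents the contents of `tmp` as undefined, yet the original `hs->local_file` has already been freed and the replacement is dereferenced a few lines later by `file_exists_p (hs->local_file)`. Either test the return value, or build the name with wget's own `aprintf`, which goes through the project's out-of-memory handling and also drops the dependence on the GNU-only `asprintf`: `char *tmp = aprintf ("%s.tmp", hs->local_file);` followed by the existing `xfree (hs->local_file); hs->local_file = tmp;` (I am assuming `aprintf` is in scope in http.c as it is elsewhere in wget; confirm). check_file_output starts and ends outside the hunk, and the same unchecked call appears again in the identical copy of this patch stored under revision 1.1.2.2 below.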
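Review bot: Nesting `open` inside `fdopen` in the open_output_stream hunk loses the failure cause: when `open` returns -1, `fdopen (-1, "wb")` fails with errno set to EBADF, so whatever the caller reports for a NULL `*fp` (that check is outside the hunk) no longer reflects the EACCES/ENOENT from the actual open, and if `fdopen` fails after a successful `open` the descriptor leaks. Splitting the two calls, as below, preserves the original errno and closes the descriptor on the fdopen failure path. Separately, the `.tmp` name is predictable and the flags omit `O_EXCL`, so a pre-existing entry at that path is truncated and followed rather than rejected; if nothing needs to resume an interrupted temporary here, adding `O_EXCL` would make the file genuinely private to this run, but the `--continue` handling that might rely on the current behaviour is outside the hunk, so treat that as a question rather than a defect. open_output_stream begins and ends outside the hunk, and the same lines recur in the identical copy of this patch under revision 1.1.2.2 below.
```c
      if (hs->temporary)
        {
          int fd = open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR);
          if (fd < 0)
            *fp = NULL;           /* errno from open is preserved for the caller */
          else
            {
              *fp = fdopen (fd, "wb");
              if (!*fp)
                {
                  int saved_errno = errno;
                  close (fd);     /* do not leak the descriptor on fdopen failure */
                  errno = saved_errno;
                }
            }
        }
      /* … unchanged: else branch with fopen (hs->local_file, "wb") … */
```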
*/ #include #include #include +#include #include "hash.h" #include "http.h" @@@@ -1564,6 +1565,7 @@@@ struct http_stat #ifdef HAVE_METALINK metalink_t *metalink; #endif + bool temporary; /* downloading a temporary file */ }; static void @@@@ -2254,6 +2256,15 @@@@ check_file_output (struct url *u, struct xfree (local_file); } + hs->temporary = opt.delete_after || opt.spider || !acceptable (hs->local_file); + if (hs->temporary) + { + char *tmp = NULL; + asprintf (&tmp, "%s.tmp", hs->local_file); + xfree (hs->local_file); + hs->local_file = tmp; + } + /* TODO: perform this check only once. */ if (!hs->existence_checked && file_exists_p (hs->local_file)) { @@@@ -2467,7 +2478,15 @@@@ open_output_stream (struct http_stat *hs open_id = 22; *fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS); #else /* def __VMS */ - *fp = fopen (hs->local_file, "wb"); + if (hs->temporary) + { + *fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb"); + } + else + { + *fp = fopen (hs->local_file, "wb"); + } + #endif /* def __VMS [else] */ } else @