From 5d6792710d3f4f3811b453de05e7b325613185c8 Mon Sep 17 00:00:00 2001
From: xingwei
Date: Tue, 3 Dec 2024 08:42:44 +0000
Subject: [PATCH] fix CVE-2024-10524 and backport related patches
---
backport-CVE-2024-10524.patch | 183 ++++++++++++++++++
...c-main-Code-clean-reduce-allocations.patch | 165 ++++++++++++++++
...src-main.c-main-Remove-use-of-alloca.patch | 40 ++++
...prepend_scheme-Print-message-only-in.patch | 23 +++
wget.spec | 12 +-
5 files changed, 422 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2024-10524.patch
create mode 100644 backport-src-main.c-main-Code-clean-reduce-allocations.patch
create mode 100644 backport-src-main.c-main-Remove-use-of-alloca.patch
create mode 100644 backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch
diff --git a/backport-CVE-2024-10524.patch b/backport-CVE-2024-10524.patch
new file mode 100644
index 0000000..e5549ba
--- /dev/null
+++ b/backport-CVE-2024-10524.patch
@@ -0,0 +1,183 @@ +From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Sun, 27 Oct 2024 19:53:14 +0100 +Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs) + +* doc/wget.texi: Add documentation for removed support for shorthand URLs. +* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme. +* src/main.c (main): Likewise. +* src/retr.c (getproxy): Likewise. +* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme, + add new function is_valid_port. +* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme. + +Reported-by: Goni Golan + +diff --git a/doc/wget.texi b/doc/wget.texi +index 1d026d72..d46da375 100644 +--- a/doc/wget.texi ++++ b/doc/wget.texi +@@ -314,8 +314,8 @@ for text files. Here is an example: + ftp://host/directory/file;type=a + @end example + +-Two alternative variants of @sc{url} specification are also supported, +-because of historical (hysterical?) reasons and their widespreaded use. ++The two alternative variants of @sc{url} specifications are no longer ++supported because of security considerations: + + @sc{ftp}-only syntax (supported by @code{NcFTP}): + @example +@@ -327,12 +327,8 @@ host:/dir/file + host[:port]/dir/file + @end example + +-These two alternative forms are deprecated, and may cease being +-supported in the future. +- +-If you do not understand the difference between these notations, or do +-not know which one to use, just use the plain ordinary format you use +-with your favorite browser, like @code{Lynx} or @code{Netscape}. ++These two alternative forms have been deprecated long time ago, ++and support is removed with version 1.22.0. 
+ + @c man begin OPTIONS + +diff --git a/src/html-url.c b/src/html-url.c +index 8e960092..99914943 100644 +--- a/src/html-url.c ++++ b/src/html-url.c +@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again) + url_text = merged; + } + +- new_url = rewrite_shorthand_url (url_text); ++ new_url = maybe_prepend_scheme (url_text); + if (new_url) + { + xfree (url_text); +diff --git a/src/main.c b/src/main.c +index 77b1a0b6..6858d2da 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n")); + struct iri *iri = iri_new (); + struct url *url_parsed; + +- t = rewrite_shorthand_url (argv[optind]); ++ t = maybe_prepend_scheme (argv[optind]); + if (!t) + t = argv[optind]; + +diff --git a/src/retr.c b/src/retr.c +index 5422963c..26eb9f17 100644 +--- a/src/retr.c ++++ b/src/retr.c +@@ -1546,7 +1546,7 @@ getproxy (struct url *u) + + /* Handle shorthands. `rewritten_storage' is a kludge to allow + getproxy() to return static storage. */ +- rewritten_url = rewrite_shorthand_url (proxy); ++ rewritten_url = maybe_prepend_scheme (proxy); + if (rewritten_url) + return rewritten_url; + +diff --git a/src/url.c b/src/url.c +index 07c3bc87..2f27c48a 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd) + return true; + } + +-/* Used by main.c: detect URLs written using the "shorthand" URL forms +- originally popularized by Netscape and NcFTP. 
HTTP shorthands look +- like this: +- +- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file +- www.foo.com[:port] -> http://www.foo.com[:port] +- +- FTP shorthands look like this: +- +- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file +- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file ++static bool is_valid_port(const char *p) ++{ ++ unsigned port = (unsigned) atoi (p); ++ if (port == 0 || port > 65535) ++ return false; + +- If the URL needs not or cannot be rewritten, return NULL. */ ++ int digits = strspn (p, "0123456789"); ++ return digits && (p[digits] == '/' || p[digits] == '\0'); ++} + ++/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */ + char * +-rewrite_shorthand_url (const char *url) ++maybe_prepend_scheme (const char *url) + { +- const char *p; +- char *ret; +- + if (url_scheme (url) != SCHEME_INVALID) + return NULL; + +- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the +- latter Netscape. */ +- p = strpbrk (url, ":/"); ++ const char *p = strchr (url, ':'); + if (p == url) + return NULL; + + /* If we're looking at "://", it means the URL uses a scheme we + don't support, which may include "https" when compiled without +- SSL support. Don't bogusly rewrite such URLs. */ ++ SSL support. Don't bogusly prepend "http://" to such URLs. */ + if (p && p[0] == ':' && p[1] == '/' && p[2] == '/') + return NULL; + +- if (p && *p == ':') +- { +- /* Colon indicates ftp, as in foo.bar.com:path. Check for +- special case of http port number ("localhost:10000"). */ +- int digits = strspn (p + 1, "0123456789"); +- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0')) +- goto http; +- +- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */ +- if ((ret = aprintf ("ftp://%s", url)) != NULL) +- ret[6 + (p - url)] = '/'; +- } +- else +- { +- http: +- /* Just prepend "http://" to URL. 
*/ +- ret = aprintf ("http://%s", url); +- } +- return ret; ++ if (p && p[0] == ':' && !is_valid_port (p + 1)) ++ return NULL; ++ ++ ++ fprintf(stderr, "Prepended http:// to '%s'\n", url); ++ return aprintf ("http://%s", url); + } + + static void split_path (const char *, char **, char **); +diff --git a/src/url.h b/src/url.h +index 2dfbf30b..7796a21c 100644 +--- a/src/url.h ++++ b/src/url.h +@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *); + + int mkalldirs (const char *); + +-char *rewrite_shorthand_url (const char *); ++char *maybe_prepend_scheme (const char *); + bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b); + + bool are_urls_equal (const char *u1, const char *u2); +-- +2.33.0 + diff --git a/backport-src-main.c-main-Code-clean-reduce-allocations.patch b/backport-src-main.c-main-Code-clean-reduce-allocations.patch new file mode 100644 index 0000000..9df11a6 --- /dev/null +++ b/backport-src-main.c-main-Code-clean-reduce-allocations.patch 
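Review bot: In the new `is_valid_port` in src/url.c, the range test runs on `(unsigned) atoi (p)` before the digit check, and atoi's behaviour is undefined when the digit string does not fit in an int, so an oversized number after the colon is not reliably rejected at this point. Running the `strspn` check first and converting with `strtoul` keeps the result defined, because strtoul returns ULONG_MAX on overflow and the `<= 65535` test then fails; it also lets `digits` be a `size_t` instead of narrowing the strspn result to `int`. Whether url_parse validates the port again later is not visible in this patch, so this is hardening of the gate that decides when `http://` is prepended rather than a confirmed bypass.

```c
static bool is_valid_port(const char *p)
{
  /* Require a pure digit run terminated by '/' or end of string first. */
  size_t digits = strspn (p, "0123456789");
  if (digits == 0 || (p[digits] != '/' && p[digits] != '\0'))
    return false;

  /* strtoul saturates at ULONG_MAX on overflow, so the range test
     below also rejects digit strings too large to represent. */
  unsigned long port = strtoul (p, NULL, 10);
  return port != 0 && port <= 65535;
}
```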
@@ -0,0 +1,165 @@ +From 8610b0b355b56c87b9326a71beb21934b15dd17d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Fri, 14 Feb 2020 11:14:02 +0100 +Subject: [PATCH] * src/main.c (main): Code clean, reduce allocations + + +diff --git a/src/main.c b/src/main.c +index 16df0671..6158c8de 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -1348,9 +1348,9 @@ int cleaned_up; + int + main (int argc, char **argv) + { +- char **url, **t, *p; ++ char *p; + int i, ret, longindex; +- int nurl; ++ int nurls; + int retconf; + int argstring_length; + bool use_userconfig = false; +@@ -1567,7 +1567,7 @@ main (int argc, char **argv) + longindex = -1; + } + +- nurl = argc - optind; ++ nurls = argc - optind; + + /* Initialize logging ASAP. */ + log_init (opt.lfilename, append_to_log); +@@ -1651,7 +1651,7 @@ Can't timestamp and not clobber old files at the same time.\n")); + if (opt.output_document) + { + if ((opt.convert_links || opt.convert_file_only) +- && (nurl > 1 || opt.page_requisites || opt.recursive)) ++ && (nurls > 1 || opt.page_requisites || opt.recursive)) + { + fputs (_("\ + Cannot specify both -k or --convert-file-only and -O if multiple URLs are given, or in combination\n\ +@@ -1761,7 +1761,7 @@ for details.\n\n")); + opt.always_rest = false; + } + +- if (!nurl && !opt.input_filename ++ if (!nurls && !opt.input_filename + #ifdef HAVE_METALINK + && !opt.input_metalink + #endif +@@ -1931,23 +1931,6 @@ for details.\n\n")); + if (opt.show_progress) + set_progress_implementation (opt.progress_type); + +- /* Fill in the arguments. */ +- url = xmalloc (sizeof (char *) * (nurl + 1)); +- if (url == NULL) +- { +- fprintf (stderr, _("Memory allocation problem\n")); +- exit (WGET_EXIT_PARSE_ERROR); +- } +- for (i = 0; i < nurl; i++, optind++) +- { +- char *rewritten = rewrite_shorthand_url (argv[optind]); +- if (rewritten) +- url[i] = rewritten; +- else +- url[i] = argv[optind]; +- } +- url[i] = NULL; +- + /* Open WARC file. 
*/ + if (opt.warc_filename != 0) + warc_init (); +@@ -2110,8 +2093,9 @@ only if outputting to a regular file.\n")); + #endif + + /* Retrieve the URLs from argument list. */ +- for (t = url; *t; t++) ++ for (i = 0; i < nurls; i++, optind++) + { ++ char *t; + char *filename = NULL, *redirected_URL = NULL; + int dt, url_err; + /* Need to do a new struct iri every time, because +@@ -2120,13 +2104,17 @@ only if outputting to a regular file.\n")); + struct iri *iri = iri_new (); + struct url *url_parsed; + ++ t = rewrite_shorthand_url (argv[optind]); ++ if (!t) ++ t = argv[optind]; ++ + set_uri_encoding (iri, opt.locale, true); +- url_parsed = url_parse (*t, &url_err, iri, true); ++ url_parsed = url_parse (t, &url_err, iri, true); + + if (!url_parsed) + { +- char *error = url_error (*t, url_err); +- logprintf (LOG_NOTQUIET, "%s: %s.\n",*t, error); ++ char *error = url_error (t, url_err); ++ logprintf (LOG_NOTQUIET, "%s: %s.\n",t, error); + xfree (error); + inform_exit_status (URLERROR); + } +@@ -2137,9 +2125,9 @@ only if outputting to a regular file.\n")); + use_askpass (url_parsed); + + if ((opt.recursive || opt.page_requisites) +- && ((url_scheme (*t) != SCHEME_FTP ++ && ((url_scheme (t) != SCHEME_FTP + #ifdef HAVE_SSL +- && url_scheme (*t) != SCHEME_FTPS ++ && url_scheme (t) != SCHEME_FTPS + #endif + ) + || url_uses_proxy (url_parsed))) +@@ -2147,9 +2135,9 @@ only if outputting to a regular file.\n")); + int old_follow_ftp = opt.follow_ftp; + + /* Turn opt.follow_ftp on in case of recursive FTP retrieval */ +- if (url_scheme (*t) == SCHEME_FTP ++ if (url_scheme (t) == SCHEME_FTP + #ifdef HAVE_SSL +- || url_scheme (*t) == SCHEME_FTPS ++ || url_scheme (t) == SCHEME_FTPS + #endif + ) + opt.follow_ftp = 1; +@@ -2160,7 +2148,7 @@ only if outputting to a regular file.\n")); + } + else + { +- retrieve_url (url_parsed, *t, &filename, &redirected_URL, NULL, ++ retrieve_url (url_parsed, t, &filename, &redirected_URL, NULL, + &dt, opt.recursive, iri, true); + } + +@@ -2175,10 
+2163,12 @@ only if outputting to a regular file.\n")); + xfree (filename); + url_free (url_parsed); + } ++ + iri_free (iri); +- } + +- xfree(url); ++ if (t != argv[optind]) ++ xfree (t); ++ } + + /* And then from the input file, if any. */ + if (opt.input_filename) +@@ -2249,7 +2239,7 @@ only if outputting to a regular file.\n")); + + /* Print the downloaded sum. */ + if ((opt.recursive || opt.page_requisites +- || nurl > 1 ++ || nurls > 1 + || (opt.input_filename && total_downloaded_bytes != 0)) + && + total_downloaded_bytes != 0) +-- +2.33.0 + diff --git a/backport-src-main.c-main-Remove-use-of-alloca.patch b/backport-src-main.c-main-Remove-use-of-alloca.patch new file mode 100644 index 0000000..6d95ff5 --- /dev/null +++ b/backport-src-main.c-main-Remove-use-of-alloca.patch @@ -0,0 +1,40 @@ +From f460e1d04963dce88b9711002c655497a8a22390 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Thu, 13 Feb 2020 15:17:27 +0100 +Subject: [PATCH] * src/main.c (main): Remove use of alloca + + +diff --git a/src/main.c b/src/main.c +index 4d595ef0..3b6e49fc 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -1934,7 +1934,7 @@ for details.\n\n")); + set_progress_implementation (opt.progress_type); + + /* Fill in the arguments. */ +- url = alloca_array (char *, nurl + 1); ++ url = xmalloc (sizeof (char *) * (nurl + 1)); + if (url == NULL) + { + fprintf (stderr, _("Memory allocation problem\n")); +@@ -1946,7 +1946,7 @@ for details.\n\n")); + if (rewritten) + url[i] = rewritten; + else +- url[i] = xstrdup (argv[optind]); ++ url[i] = argv[optind]; + } + url[i] = NULL; + +@@ -2180,6 +2180,8 @@ only if outputting to a regular file.\n")); + iri_free (iri); + } + ++ xfree(url); ++ + /* And then from the input file, if any. */ + if (opt.input_filename) + { +-- +2.33.0 + diff --git a/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch b/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch new file mode 100644 index 0000000..bb00234 
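Review bot: The cleanup at the end of the rewritten URL loop in main, `if (t != argv[optind]) xfree (t);`, decides ownership by comparing against `argv[optind]`, which is only correct while `optind` still has the value it had when `t` was assigned. That holds in the visible lines because `optind++` sits in the for-increment, but the loop body is only partly shown in these hunks. A short comment at the assignment would make the invariant explicit, for example `/* t is heap-allocated only when the URL was rewritten; otherwise it aliases argv[optind] and must not be freed. */`. Keeping the argument in a local (`char *arg = argv[optind];`) and comparing `t != arg` would remove the dependency on the global.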
--- /dev/null +++ b/backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch @@ -0,0 +1,23 @@ +From d98df662121977f3d3ba69d0cfbd4d3322714f2d Mon Sep 17 00:00:00 2001 +From: Darshit Shah +Date: Fri, 15 Nov 2024 22:28:41 +0100 +Subject: [PATCH] * src/url.c (maybe_prepend_scheme): Print message only in + verbose mode + + +diff --git a/src/url.c b/src/url.c +index 2f27c48a..913db4f1 100644 +--- a/src/url.c ++++ b/src/url.c +@@ -625,7 +625,7 @@ maybe_prepend_scheme (const char *url) + return NULL; + + +- fprintf(stderr, "Prepended http:// to '%s'\n", url); ++ logprintf (LOG_VERBOSE, _ ("Prepended http:// to '%s'\n"), url); + return aprintf ("http://%s", url); + } + +-- +2.33.0 + diff --git a/wget.spec b/wget.spec index 6218637..6c98c65 100644 --- a/wget.spec +++ b/wget.spec @@ -1,6 +1,6 @@ Name: wget Version: 1.20.3 -Release: 5 +Release: 6 Summary: A package for retrieving files using HTTP, HTTPS, FTP and FTPS the most widely-used Internet protocols. License: GPLv3+ Url: http://www.gnu.org/software/wget/ @@ -16,6 +16,10 @@ Patch6006: calc_rate-fix-division-by-zero.patch Patch6007: print-row-stats-fix-two-integer-overflows.patch Patch6008: dot-draw-avoid-integer-overflows.patch Patch6009: fix-and-cleanup-progress-bar-code.patch +Patch6010: backport-src-main.c-main-Remove-use-of-alloca.patch +Patch6011: backport-src-main.c-main-Code-clean-reduce-allocations.patch +Patch6012: backport-CVE-2024-10524.patch +Patch6013: backport-src-url.c-maybe_prepend_scheme-Print-message-only-in.patch Patch9000: avoid-triggering-signed-integer-overflow.patch @@ -68,6 +72,12 @@ make check %{_infodir}/* %changelog +* Tue Dec 03 2024 xingwei -1.20.3-6 +- Type:CVES +- ID:NA +- SUG:NA +- DESC:fix CVE-2024-10524 and backport related patches + * Sun Jun 16 2024 xuchenchen -1.20.3-5 - Type:CVES - ID:NA -- Gitee