summaryrefslogtreecommitdiff
path: root/core/wget
diff options
context:
space:
mode:
authorParabola <dev@list.parabolagnulinux.org>2011-08-16 14:12:41 +0000
committerParabola <dev@list.parabolagnulinux.org>2011-08-16 14:12:41 +0000
commit3abfc1ebef5936241997dd882938581c91743ee9 (patch)
tree2115f0512eb82f91f0a536d20631bed8eb37f47a /core/wget
parentea595018ba8ae00d7030ff296ec4f50e122d2ea9 (diff)
Tue Aug 16 14:12:40 UTC 2011
Diffstat (limited to 'core/wget')
-rw-r--r--core/wget/wget-1.12-CVE-2010-2252.patch155
-rw-r--r--core/wget/wget-1.12-subjectAltName.patch216
2 files changed, 0 insertions, 371 deletions
diff --git a/core/wget/wget-1.12-CVE-2010-2252.patch b/core/wget/wget-1.12-CVE-2010-2252.patch
deleted file mode 100644
index d1d797a2c..000000000
--- a/core/wget/wget-1.12-CVE-2010-2252.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/doc/wget.texi wget/doc/wget.texi
---- wget~/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200
-+++ wget/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200
-@@ -1487,6 +1487,13 @@
- @code{Content-Disposition} headers to describe what the name of a
- downloaded file should be.
-
-+@cindex Trust server names
-+@item --trust-server-names
-+
-+If this is set to on, on a redirect the last component of the
-+redirection URL will be used as the local file name. By default it is
-+used the last component in the original URL.
-+
- @cindex authentication
- @item --auth-no-challenge
-
-@@ -2797,6 +2804,10 @@
- Turn on recognition of the (non-standard) @samp{Content-Disposition}
- HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}.
-
-+@item trust_server_names = on/off
-+If set to on, use the last component of a redirection URL for the local
-+file name.
-+
- @item continue = on/off
- If set to on, force continuation of preexistent partially retrieved
- files. See @samp{-c} before setting it.
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.c wget/src/http.c
---- wget~/src/http.c 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/http.c 2010-09-05 15:32:44.000000000 +0200
-@@ -2410,8 +2410,9 @@
- /* The genuine HTTP loop! This is the part where the retrieval is
- retried, and retried, and retried, and... */
- uerr_t
--http_loop (struct url *u, char **newloc, char **local_file, const char *referer,
-- int *dt, struct url *proxy, struct iri *iri)
-+http_loop (struct url *u, struct url *original_url, char **newloc,
-+ char **local_file, const char *referer, int *dt, struct url *proxy,
-+ struct iri *iri)
- {
- int count;
- bool got_head = false; /* used for time-stamping and filename detection */
-@@ -2457,7 +2458,8 @@
- }
- else if (!opt.content_disposition)
- {
-- hstat.local_file = url_file_name (u);
-+ hstat.local_file =
-+ url_file_name (opt.trustservernames ? u : original_url);
- got_name = true;
- }
-
-@@ -2497,7 +2499,7 @@
-
- /* Send preliminary HEAD request if -N is given and we have an existing
- * destination file. */
-- file_name = url_file_name (u);
-+ file_name = url_file_name (opt.trustservernames ? u : original_url);
- if (opt.timestamping
- && !opt.content_disposition
- && file_exists_p (file_name))
-@@ -2852,9 +2854,9 @@
-
- /* Remember that we downloaded the file for later ".orig" code. */
- if (*dt & ADDED_HTML_EXTENSION)
-- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
-+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
- else
-- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
-+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
-
- ret = RETROK;
- goto exit;
-@@ -2885,9 +2887,9 @@
-
- /* Remember that we downloaded the file for later ".orig" code. */
- if (*dt & ADDED_HTML_EXTENSION)
-- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
-+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file);
- else
-- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file);
-+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file);
-
- ret = RETROK;
- goto exit;
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.h wget/src/http.h
---- wget~/src/http.h 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/http.h 2010-09-05 15:32:44.000000000 +0200
-@@ -33,8 +33,8 @@
-
- struct url;
-
--uerr_t http_loop (struct url *, char **, char **, const char *, int *,
-- struct url *, struct iri *);
-+uerr_t http_loop (struct url *, struct url *, char **, char **, const char *,
-+ int *, struct url *, struct iri *);
- void save_cookies (void);
- void http_cleanup (void);
- time_t http_atotm (const char *);
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/init.c wget/src/init.c
---- wget~/src/init.c 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/init.c 2010-09-05 15:32:44.000000000 +0200
-@@ -243,6 +243,7 @@
- { "timeout", NULL, cmd_spec_timeout },
- { "timestamping", &opt.timestamping, cmd_boolean },
- { "tries", &opt.ntry, cmd_number_inf },
-+ { "trustservernames", &opt.trustservernames, cmd_boolean },
- { "useproxy", &opt.use_proxy, cmd_boolean },
- { "user", &opt.user, cmd_string },
- { "useragent", NULL, cmd_spec_useragent },
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/main.c wget/src/main.c
---- wget~/src/main.c 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/main.c 2010-09-05 15:32:44.000000000 +0200
-@@ -266,6 +266,7 @@
- { "timeout", 'T', OPT_VALUE, "timeout", -1 },
- { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
- { "tries", 't', OPT_VALUE, "tries", -1 },
-+ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 },
- { "user", 0, OPT_VALUE, "user", -1 },
- { "user-agent", 'U', OPT_VALUE, "useragent", -1 },
- { "verbose", 'v', OPT_BOOLEAN, "verbose", -1 },
-@@ -675,6 +676,8 @@
- N_("\
- -I, --include-directories=LIST list of allowed directories.\n"),
- N_("\
-+ --trust-server-names use the name specified by the redirection url last component.\n"),
-+ N_("\
- -X, --exclude-directories=LIST list of excluded directories.\n"),
- N_("\
- -np, --no-parent don't ascend to the parent directory.\n"),
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/options.h wget/src/options.h
---- wget~/src/options.h 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/options.h 2010-09-05 15:32:44.000000000 +0200
-@@ -242,6 +242,7 @@
- char *encoding_remote;
- char *locale;
-
-+ bool trustservernames;
- #ifdef __VMS
- int ftp_stmlf; /* Force Stream_LF format for binary FTP. */
- #endif /* def __VMS */
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/retr.c wget/src/retr.c
---- wget~/src/retr.c 2010-09-05 15:30:22.000000000 +0200
-+++ wget/src/retr.c 2010-09-05 15:32:44.000000000 +0200
-@@ -689,7 +689,8 @@
- #endif
- || (proxy_url && proxy_url->scheme == SCHEME_HTTP))
- {
-- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri);
-+ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt,
-+ proxy_url, iri);
- }
- else if (u->scheme == SCHEME_FTP)
- {
diff --git a/core/wget/wget-1.12-subjectAltName.patch b/core/wget/wget-1.12-subjectAltName.patch
deleted file mode 100644
index 20f08d216..000000000
--- a/core/wget/wget-1.12-subjectAltName.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-=== modified file 'src/openssl.c'
---- src/openssl.c 2009-09-22 16:16:43 +0000
-+++ src/openssl.c 2009-10-24 23:06:44 +0000
-@@ -39,7 +39,7 @@
- #include <string.h>
-
- #include <openssl/ssl.h>
--#include <openssl/x509.h>
-+#include <openssl/x509v3.h>
- #include <openssl/err.h>
- #include <openssl/rand.h>
-
-@@ -486,9 +486,11 @@
- ssl_check_certificate (int fd, const char *host)
- {
- X509 *cert;
-+ GENERAL_NAMES *subjectAltNames;
- char common_name[256];
- long vresult;
- bool success = true;
-+ bool alt_name_checked = false;
-
- /* If the user has specified --no-check-cert, we still want to warn
- him about problems with the server's certificate. */
-@@ -536,7 +538,8 @@
- break;
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
-+ logprintf (LOG_NOTQUIET,
-+ _(" Self-signed certificate encountered.\n"));
- break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
-@@ -558,10 +561,6 @@
- /* Check that HOST matches the common name in the certificate.
- #### The following remains to be done:
-
-- - It should use dNSName/ipAddress subjectAltName extensions if
-- available; according to rfc2818: "If a subjectAltName extension
-- of type dNSName is present, that MUST be used as the identity."
--
- - When matching against common names, it should loop over all
- common names and choose the most specific one, i.e. the last
- one, not the first one, which the current code picks.
-@@ -569,50 +568,123 @@
- - Ensure that ASN1 strings from the certificate are encoded as
- UTF-8 which can be meaningfully compared to HOST. */
-
-- X509_NAME *xname = X509_get_subject_name(cert);
-- common_name[0] = '\0';
-- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
-- sizeof (common_name));
-+ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
-
-- if (!pattern_match (common_name, host))
-+ if (subjectAltNames)
- {
-- logprintf (LOG_NOTQUIET, _("\
--%s: certificate common name %s doesn't match requested host name %s.\n"),
-- severity, quote_n (0, common_name), quote_n (1, host));
-- success = false;
-+ /* Test subject alternative names */
-+
-+ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?
-+ * Signal it by host_in_octet_string. */
-+ ASN1_OCTET_STRING *host_in_octet_string = NULL;
-+ host_in_octet_string = a2i_IPADDRESS (host);
-+
-+ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames);
-+ int i;
-+ for (i=0; i < numaltnames; i++)
-+ {
-+ const GENERAL_NAME *name =
-+ sk_GENERAL_NAME_value (subjectAltNames, i);
-+ if (name)
-+ {
-+ if (host_in_octet_string)
-+ {
-+ if (name->type == GEN_IPADD)
-+ {
-+ /* Check for ipAddress */
-+ /* TODO: Should we convert between IPv4-mapped IPv6
-+ * addresses and IPv4 addresses? */
-+ alt_name_checked = true;
-+ if (!ASN1_STRING_cmp (host_in_octet_string,
-+ name->d.iPAddress))
-+ break;
-+ }
-+ }
-+ else if (name->type == GEN_DNS)
-+ {
-+ /* Check for dNSName */
-+ alt_name_checked = true;
-+ /* dNSName should be IA5String (i.e. ASCII), however who
-+ * does trust CA? Convert it into UTF-8 for sure. */
-+ unsigned char *name_in_utf8 = NULL;
-+ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName))
-+ {
-+ /* Compare and check for NULL attack in ASN1_STRING */
-+ if (pattern_match ((char *)name_in_utf8, host) &&
-+ (strlen ((char *)name_in_utf8) ==
-+ ASN1_STRING_length (name->d.dNSName)))
-+ {
-+ OPENSSL_free (name_in_utf8);
-+ break;
-+ }
-+ OPENSSL_free (name_in_utf8);
-+ }
-+ }
-+ }
-+ }
-+ sk_GENERAL_NAME_free (subjectAltNames);
-+ if (host_in_octet_string)
-+ ASN1_OCTET_STRING_free(host_in_octet_string);
-+
-+ if (alt_name_checked == true && i >= numaltnames)
-+ {
-+ logprintf (LOG_NOTQUIET,
-+ _("%s: no certificate subject alternative name matches\n"
-+ "\trequested host name %s.\n"),
-+ severity, quote_n (1, host));
-+ success = false;
-+ }
- }
-- else
-+
-+ if (alt_name_checked == false)
- {
-- /* We now determine the length of the ASN1 string. If it differs from
-- * common_name's length, then there is a \0 before the string terminates.
-- * This can be an instance of a null-prefix attack.
-- *
-- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-- * */
--
-- int i = -1, j;
-- X509_NAME_ENTRY *xentry;
-- ASN1_STRING *sdata;
--
-- if (xname) {
-- for (;;)
-- {
-- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
-- if (j == -1) break;
-- i = j;
-+ /* Test commomName */
-+ X509_NAME *xname = X509_get_subject_name(cert);
-+ common_name[0] = '\0';
-+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
-+ sizeof (common_name));
-+
-+ if (!pattern_match (common_name, host))
-+ {
-+ logprintf (LOG_NOTQUIET, _("\
-+ %s: certificate common name %s doesn't match requested host name %s.\n"),
-+ severity, quote_n (0, common_name), quote_n (1, host));
-+ success = false;
-+ }
-+ else
-+ {
-+ /* We now determine the length of the ASN1 string. If it
-+ * differs from common_name's length, then there is a \0
-+ * before the string terminates. This can be an instance of a
-+ * null-prefix attack.
-+ *
-+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-+ * */
-+
-+ int i = -1, j;
-+ X509_NAME_ENTRY *xentry;
-+ ASN1_STRING *sdata;
-+
-+ if (xname) {
-+ for (;;)
-+ {
-+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
-+ if (j == -1) break;
-+ i = j;
-+ }
- }
-- }
-
-- xentry = X509_NAME_get_entry(xname,i);
-- sdata = X509_NAME_ENTRY_get_data(xentry);
-- if (strlen (common_name) != ASN1_STRING_length (sdata))
-- {
-- logprintf (LOG_NOTQUIET, _("\
--%s: certificate common name is invalid (contains a NUL character).\n\
--This may be an indication that the host is not who it claims to be\n\
--(that is, it is not the real %s).\n"),
-- severity, quote (host));
-- success = false;
-+ xentry = X509_NAME_get_entry(xname,i);
-+ sdata = X509_NAME_ENTRY_get_data(xentry);
-+ if (strlen (common_name) != ASN1_STRING_length (sdata))
-+ {
-+ logprintf (LOG_NOTQUIET, _("\
-+ %s: certificate common name is invalid (contains a NUL character).\n\
-+ This may be an indication that the host is not who it claims to be\n\
-+ (that is, it is not the real %s).\n"),
-+ severity, quote (host));
-+ success = false;
-+ }
- }
- }
-
-@@ -631,3 +703,7 @@
- /* Allow --no-check-cert to disable certificate checking. */
- return opt.check_cert ? success : true;
- }
-+
-+/*
-+ * vim: tabstop=2 shiftwidth=2 softtabstop=2
-+ */
-