diff options
| author | Parabola <dev@list.parabolagnulinux.org> | 2011-08-16 14:12:41 +0000 |
|---|---|---|
| committer | Parabola <dev@list.parabolagnulinux.org> | 2011-08-16 14:12:41 +0000 |
| commit | 3abfc1ebef5936241997dd882938581c91743ee9 (patch) | |
| tree | 2115f0512eb82f91f0a536d20631bed8eb37f47a /core/wget | |
| parent | ea595018ba8ae00d7030ff296ec4f50e122d2ea9 (diff) | |
Tue Aug 16 14:12:40 UTC 2011
Diffstat (limited to 'core/wget')
| -rw-r--r-- | core/wget/wget-1.12-CVE-2010-2252.patch | 155 | ||||
| -rw-r--r-- | core/wget/wget-1.12-subjectAltName.patch | 216 |
2 files changed, 0 insertions, 371 deletions
diff --git a/core/wget/wget-1.12-CVE-2010-2252.patch b/core/wget/wget-1.12-CVE-2010-2252.patch deleted file mode 100644 index d1d797a2c..000000000 --- a/core/wget/wget-1.12-CVE-2010-2252.patch +++ /dev/null @@ -1,155 +0,0 @@ -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/doc/wget.texi wget/doc/wget.texi ---- wget~/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200 -+++ wget/doc/wget.texi 2010-09-05 15:32:44.000000000 +0200 -@@ -1487,6 +1487,13 @@ - @code{Content-Disposition} headers to describe what the name of a - downloaded file should be. - -+@cindex Trust server names -+@item --trust-server-names -+ -+If this is set to on, on a redirect the last component of the -+redirection URL will be used as the local file name. By default it is -+used the last component in the original URL. -+ - @cindex authentication - @item --auth-no-challenge - -@@ -2797,6 +2804,10 @@ - Turn on recognition of the (non-standard) @samp{Content-Disposition} - HTTP header---if set to @samp{on}, the same as @samp{--content-disposition}. - -+@item trust_server_names = on/off -+If set to on, use the last component of a redirection URL for the local -+file name. -+ - @item continue = on/off - If set to on, force continuation of preexistent partially retrieved - files. See @samp{-c} before setting it. -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.c wget/src/http.c ---- wget~/src/http.c 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/http.c 2010-09-05 15:32:44.000000000 +0200 -@@ -2410,8 +2410,9 @@ - /* The genuine HTTP loop! This is the part where the retrieval is - retried, and retried, and retried, and... */ - uerr_t --http_loop (struct url *u, char **newloc, char **local_file, const char *referer, -- int *dt, struct url *proxy, struct iri *iri) -+http_loop (struct url *u, struct url *original_url, char **newloc, -+ char **local_file, const char *referer, int *dt, struct url *proxy, -+ struct iri *iri) - { - int count; - bool got_head = false; /* used for time-stamping and filename detection */ -@@ -2457,7 +2458,8 @@ - } - else if (!opt.content_disposition) - { -- hstat.local_file = url_file_name (u); -+ hstat.local_file = -+ url_file_name (opt.trustservernames ? u : original_url); - got_name = true; - } - -@@ -2497,7 +2499,7 @@ - - /* Send preliminary HEAD request if -N is given and we have an existing - * destination file. */ -- file_name = url_file_name (u); -+ file_name = url_file_name (opt.trustservernames ? u : original_url); - if (opt.timestamping - && !opt.content_disposition - && file_exists_p (file_name)) -@@ -2852,9 +2854,9 @@ - - /* Remember that we downloaded the file for later ".orig" code. */ - if (*dt & ADDED_HTML_EXTENSION) -- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); -+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); - else -- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file); -+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file); - - ret = RETROK; - goto exit; -@@ -2885,9 +2887,9 @@ - - /* Remember that we downloaded the file for later ".orig" code. */ - if (*dt & ADDED_HTML_EXTENSION) -- downloaded_file(FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); -+ downloaded_file (FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, hstat.local_file); - else -- downloaded_file(FILE_DOWNLOADED_NORMALLY, hstat.local_file); -+ downloaded_file (FILE_DOWNLOADED_NORMALLY, hstat.local_file); - - ret = RETROK; - goto exit; -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/http.h wget/src/http.h ---- wget~/src/http.h 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/http.h 2010-09-05 15:32:44.000000000 +0200 -@@ -33,8 +33,8 @@ - - struct url; - --uerr_t http_loop (struct url *, char **, char **, const char *, int *, -- struct url *, struct iri *); -+uerr_t http_loop (struct url *, struct url *, char **, char **, const char *, -+ int *, struct url *, struct iri *); - void save_cookies (void); - void http_cleanup (void); - time_t http_atotm (const char *); -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/init.c wget/src/init.c ---- wget~/src/init.c 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/init.c 2010-09-05 15:32:44.000000000 +0200 -@@ -243,6 +243,7 @@ - { "timeout", NULL, cmd_spec_timeout }, - { "timestamping", &opt.timestamping, cmd_boolean }, - { "tries", &opt.ntry, cmd_number_inf }, -+ { "trustservernames", &opt.trustservernames, cmd_boolean }, - { "useproxy", &opt.use_proxy, cmd_boolean }, - { "user", &opt.user, cmd_string }, - { "useragent", NULL, cmd_spec_useragent }, -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/main.c wget/src/main.c ---- wget~/src/main.c 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/main.c 2010-09-05 15:32:44.000000000 +0200 -@@ -266,6 +266,7 @@ - { "timeout", 'T', OPT_VALUE, "timeout", -1 }, - { "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 }, - { "tries", 't', OPT_VALUE, "tries", -1 }, -+ { "trust-server-names", 0, OPT_BOOLEAN, "trustservernames", -1 }, - { "user", 0, OPT_VALUE, "user", -1 }, - { "user-agent", 'U', OPT_VALUE, "useragent", -1 }, - { "verbose", 'v', OPT_BOOLEAN, "verbose", -1 }, -@@ -675,6 +676,8 @@ - N_("\ - -I, --include-directories=LIST list of allowed directories.\n"), - N_("\ -+ --trust-server-names use the name specified by the redirection url last component.\n"), -+ N_("\ - -X, --exclude-directories=LIST list of excluded directories.\n"), - N_("\ - -np, --no-parent don't ascend to the parent directory.\n"), -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/options.h wget/src/options.h ---- wget~/src/options.h 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/options.h 2010-09-05 15:32:44.000000000 +0200 -@@ -242,6 +242,7 @@ - char *encoding_remote; - char *locale; - -+ bool trustservernames; - #ifdef __VMS - int ftp_stmlf; /* Force Stream_LF format for binary FTP. */ - #endif /* def __VMS */ -diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' wget~/src/retr.c wget/src/retr.c ---- wget~/src/retr.c 2010-09-05 15:30:22.000000000 +0200 -+++ wget/src/retr.c 2010-09-05 15:32:44.000000000 +0200 -@@ -689,7 +689,8 @@ - #endif - || (proxy_url && proxy_url->scheme == SCHEME_HTTP)) - { -- result = http_loop (u, &mynewloc, &local_file, refurl, dt, proxy_url, iri); -+ result = http_loop (u, orig_parsed, &mynewloc, &local_file, refurl, dt, -+ proxy_url, iri); - } - else if (u->scheme == SCHEME_FTP) - { diff --git a/core/wget/wget-1.12-subjectAltName.patch b/core/wget/wget-1.12-subjectAltName.patch deleted file mode 100644 index 20f08d216..000000000 --- a/core/wget/wget-1.12-subjectAltName.patch +++ /dev/null @@ -1,216 +0,0 @@ -=== modified file 'src/openssl.c' ---- src/openssl.c 2009-09-22 16:16:43 +0000 -+++ src/openssl.c 2009-10-24 23:06:44 +0000 -@@ -39,7 +39,7 @@ - #include <string.h> - - #include <openssl/ssl.h> --#include <openssl/x509.h> -+#include <openssl/x509v3.h> - #include <openssl/err.h> - #include <openssl/rand.h> - -@@ -486,9 +486,11 @@ - ssl_check_certificate (int fd, const char *host) - { - X509 *cert; -+ GENERAL_NAMES *subjectAltNames; - char common_name[256]; - long vresult; - bool success = true; -+ bool alt_name_checked = false; - - /* If the user has specified --no-check-cert, we still want to warn - him about problems with the server's certificate. */ -@@ -536,7 +538,8 @@ - break; - case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: -- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n")); -+ logprintf (LOG_NOTQUIET, -+ _(" Self-signed certificate encountered.\n")); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n")); -@@ -558,10 +561,6 @@ - /* Check that HOST matches the common name in the certificate. - #### The following remains to be done: - -- - It should use dNSName/ipAddress subjectAltName extensions if -- available; according to rfc2818: "If a subjectAltName extension -- of type dNSName is present, that MUST be used as the identity." -- - - When matching against common names, it should loop over all - common names and choose the most specific one, i.e. the last - one, not the first one, which the current code picks. -@@ -569,50 +568,123 @@ - - Ensure that ASN1 strings from the certificate are encoded as - UTF-8 which can be meaningfully compared to HOST. */ - -- X509_NAME *xname = X509_get_subject_name(cert); -- common_name[0] = '\0'; -- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, -- sizeof (common_name)); -+ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL); - -- if (!pattern_match (common_name, host)) -+ if (subjectAltNames) - { -- logprintf (LOG_NOTQUIET, _("\ --%s: certificate common name %s doesn't match requested host name %s.\n"), -- severity, quote_n (0, common_name), quote_n (1, host)); -- success = false; -+ /* Test subject alternative names */ -+ -+ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)? -+ * Signal it by host_in_octet_string. */ -+ ASN1_OCTET_STRING *host_in_octet_string = NULL; -+ host_in_octet_string = a2i_IPADDRESS (host); -+ -+ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames); -+ int i; -+ for (i=0; i < numaltnames; i++) -+ { -+ const GENERAL_NAME *name = -+ sk_GENERAL_NAME_value (subjectAltNames, i); -+ if (name) -+ { -+ if (host_in_octet_string) -+ { -+ if (name->type == GEN_IPADD) -+ { -+ /* Check for ipAddress */ -+ /* TODO: Should we convert between IPv4-mapped IPv6 -+ * addresses and IPv4 addresses? */ -+ alt_name_checked = true; -+ if (!ASN1_STRING_cmp (host_in_octet_string, -+ name->d.iPAddress)) -+ break; -+ } -+ } -+ else if (name->type == GEN_DNS) -+ { -+ /* Check for dNSName */ -+ alt_name_checked = true; -+ /* dNSName should be IA5String (i.e. ASCII), however who -+ * does trust CA? Convert it into UTF-8 for sure. */ -+ unsigned char *name_in_utf8 = NULL; -+ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName)) -+ { -+ /* Compare and check for NULL attack in ASN1_STRING */ -+ if (pattern_match ((char *)name_in_utf8, host) && -+ (strlen ((char *)name_in_utf8) == -+ ASN1_STRING_length (name->d.dNSName))) -+ { -+ OPENSSL_free (name_in_utf8); -+ break; -+ } -+ OPENSSL_free (name_in_utf8); -+ } -+ } -+ } -+ } -+ sk_GENERAL_NAME_free (subjectAltNames); -+ if (host_in_octet_string) -+ ASN1_OCTET_STRING_free(host_in_octet_string); -+ -+ if (alt_name_checked == true && i >= numaltnames) -+ { -+ logprintf (LOG_NOTQUIET, -+ _("%s: no certificate subject alternative name matches\n" -+ "\trequested host name %s.\n"), -+ severity, quote_n (1, host)); -+ success = false; -+ } - } -- else -+ -+ if (alt_name_checked == false) - { -- /* We now determine the length of the ASN1 string. If it differs from -- * common_name's length, then there is a \0 before the string terminates. -- * This can be an instance of a null-prefix attack. -- * -- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike -- * */ -- -- int i = -1, j; -- X509_NAME_ENTRY *xentry; -- ASN1_STRING *sdata; -- -- if (xname) { -- for (;;) -- { -- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); -- if (j == -1) break; -- i = j; -+ /* Test commomName */ -+ X509_NAME *xname = X509_get_subject_name(cert); -+ common_name[0] = '\0'; -+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, -+ sizeof (common_name)); -+ -+ if (!pattern_match (common_name, host)) -+ { -+ logprintf (LOG_NOTQUIET, _("\ -+ %s: certificate common name %s doesn't match requested host name %s.\n"), -+ severity, quote_n (0, common_name), quote_n (1, host)); -+ success = false; -+ } -+ else -+ { -+ /* We now determine the length of the ASN1 string. If it -+ * differs from common_name's length, then there is a \0 -+ * before the string terminates. This can be an instance of a -+ * null-prefix attack. -+ * -+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike -+ * */ -+ -+ int i = -1, j; -+ X509_NAME_ENTRY *xentry; -+ ASN1_STRING *sdata; -+ -+ if (xname) { -+ for (;;) -+ { -+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); -+ if (j == -1) break; -+ i = j; -+ } - } -- } - -- xentry = X509_NAME_get_entry(xname,i); -- sdata = X509_NAME_ENTRY_get_data(xentry); -- if (strlen (common_name) != ASN1_STRING_length (sdata)) -- { -- logprintf (LOG_NOTQUIET, _("\ --%s: certificate common name is invalid (contains a NUL character).\n\ --This may be an indication that the host is not who it claims to be\n\ --(that is, it is not the real %s).\n"), -- severity, quote (host)); -- success = false; -+ xentry = X509_NAME_get_entry(xname,i); -+ sdata = X509_NAME_ENTRY_get_data(xentry); -+ if (strlen (common_name) != ASN1_STRING_length (sdata)) -+ { -+ logprintf (LOG_NOTQUIET, _("\ -+ %s: certificate common name is invalid (contains a NUL character).\n\ -+ This may be an indication that the host is not who it claims to be\n\ -+ (that is, it is not the real %s).\n"), -+ severity, quote (host)); -+ success = false; -+ } - } - } - -@@ -631,3 +703,7 @@ - /* Allow --no-check-cert to disable certificate checking. */ - return opt.check_cert ? success : true; - } -+ -+/* -+ * vim: tabstop=2 shiftwidth=2 softtabstop=2 -+ */ - |