author | Armin Kuster <akuster@mvista.com> | 2016-09-17 22:33:07 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 15:27:05 +0100 |
commit | 96fe15caf6761c5746f1848fbdfd4351189462f7 (patch) | |
tree | 1cd033f1139c21b3d72a433547ae0e419815fa04 /meta | |
parent | b6e49668742e2cbbf464e3e79bc543eb5c1673ab (diff) | |
download | poky-96fe15caf6761c5746f1848fbdfd4351189462f7.tar.gz |
wget: Security fix CVE-2016-4971
affects wget < 1.18.0
(From OE-Core rev: f4ea85d9c33a18f9e18e789a3399cf2d5c4f8164)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/wget/wget/CVE-2016-4971.patch | 295 | ||||
-rw-r--r-- | meta/recipes-extended/wget/wget_1.17.1.bb | 1 |
2 files changed, 296 insertions, 0 deletions
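--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2016-4971.patch
@@ -0,0 +1,295 @@
+From e996e322ffd42aaa051602da182d03178d0f13e1 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 6 Jun 2016 21:20:24 +0200
+Subject: [PATCH] ftp: understand --trust-server-names on a HTTP->FTP redirect
+
+If not --trust-server-names is used, FTP will also get the destination
+file name from the original url specified by the user instead of the
+redirected url. Closes CVE-2016-4971.
+
+* src/ftp.c (ftp_get_listing): Add argument original_url.
+(getftp): Likewise.
+(ftp_loop_internal): Likewise. Use original_url to generate the
+file name if --trust-server-names is not provided.
+(ftp_retrieve_glob): Likewise.
+(ftp_loop): Likewise.
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2016-4971
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+src/ftp.c | 71 +++++++++++++++++++++++++++++++++++++-------------------------
+src/ftp.h | 3 ++-
+src/retr.c | 3 ++-
+3 files changed, 47 insertions(+), 30 deletions(-)
+
+Index: wget-1.17.1/src/ftp.c
+===================================================================
+--- wget-1.17.1.orig/src/ftp.c
++++ wget-1.17.1/src/ftp.c
+@@ -236,7 +236,7 @@ print_length (wgint size, wgint start, b
+logputs (LOG_VERBOSE, !authoritative ? _(" (unauthoritative)\n") : "\n");
+}
+
+-static uerr_t ftp_get_listing (struct url *, ccon *, struct fileinfo **);
++static uerr_t ftp_get_listing (struct url *, struct url *, ccon *, struct fileinfo **);
+
+static uerr_t
+get_ftp_greeting(int csock, ccon *con)
+@@ -315,7 +315,8 @@ init_control_ssl_connection (int csock,
+and closes the control connection in case of error. If warc_tmp
+is non-NULL, the downloaded data will be written there as well. */
+static uerr_t
+-getftp (struct url *u, wgint passed_expected_bytes, wgint *qtyread,
++getftp (struct url *u, struct url *original_url,
++ wgint passed_expected_bytes, wgint *qtyread,
+wgint restval, ccon *con, int count, wgint *last_expected_bytes,
+FILE *warc_tmp)
+{
+@@ -1189,7 +1190,7 @@ Error in server response, closing contro
+{
+bool exists = false;
+struct fileinfo *f;
+- uerr_t _res = ftp_get_listing (u, con, &f);
++ uerr_t _res = ftp_get_listing (u, original_url, con, &f);
+/* Set the DO_RETR command flag again, because it gets unset when
+calling ftp_get_listing() and would otherwise cause an assertion
+failure earlier on when this function gets repeatedly called
+@@ -1780,8 +1781,8 @@ exit_error:
+This loop either gets commands from con, or (if ON_YOUR_OWN is
+set), makes them up to retrieve the file given by the URL. */
+static uerr_t
+-ftp_loop_internal (struct url *u, struct fileinfo *f, ccon *con, char **local_file,
+- bool force_full_retrieve)
++ftp_loop_internal (struct url *u, struct url *original_url, struct fileinfo *f,
++ ccon *con, char **local_file, bool force_full_retrieve)
+{
+int count, orig_lp;
+wgint restval, len = 0, qtyread = 0;
+@@ -1806,7 +1807,7 @@ ftp_loop_internal (struct url *u, struct
+{
+/* URL-derived file. Consider "-O file" name. */
+xfree (con->target);
+- con->target = url_file_name (u, NULL);
++ con->target = url_file_name (opt.trustservernames || !original_url ? u : original_url, NULL);
+if (!opt.output_document)
+locf = con->target;
+else
+@@ -1924,8 +1925,8 @@ ftp_loop_internal (struct url *u, struct
+
+/* If we are working on a WARC record, getftp should also write
+to the warc_tmp file. */
+- err = getftp (u, len, &qtyread, restval, con, count, &last_expected_bytes,
+- warc_tmp);
++ err = getftp (u, original_url, len, &qtyread, restval, con, count,
++ &last_expected_bytes, warc_tmp);
+
+if (con->csock == -1)
+con->st &= ~DONE_CWD;
+@@ -2093,7 +2094,8 @@ Removing file due to --delete-after in f
+/* Return the directory listing in a reusable format. The directory
+is specifed in u->dir. */
+static uerr_t
+-ftp_get_listing (struct url *u, ccon *con, struct fileinfo **f)
++ftp_get_listing (struct url *u, struct url *original_url, ccon *con,
++ struct fileinfo **f)
+{
+uerr_t err;
+char *uf; /* url file name */
+@@ -2114,7 +2116,7 @@ ftp_get_listing (struct url *u, ccon *co
+
+con->target = xstrdup (lf);
+xfree (lf);
+- err = ftp_loop_internal (u, NULL, con, NULL, false);
++ err = ftp_loop_internal (u, original_url, NULL, con, NULL, false);
+lf = xstrdup (con->target);
+xfree (con->target);
+con->target = old_target;
+@@ -2137,8 +2139,9 @@ ftp_get_listing (struct url *u, ccon *co
+return err;
+}
+
+-static uerr_t ftp_retrieve_dirs (struct url *, struct fileinfo *, ccon *);
+-static uerr_t ftp_retrieve_glob (struct url *, ccon *, int);
++static uerr_t ftp_retrieve_dirs (struct url *, struct url *,
++ struct fileinfo *, ccon *);
++static uerr_t ftp_retrieve_glob (struct url *, struct url *, ccon *, int);
+static struct fileinfo *delelement (struct fileinfo *, struct fileinfo **);
+static void freefileinfo (struct fileinfo *f);
+
+@@ -2150,7 +2153,8 @@ static void freefileinfo (struct fileinf
+If opt.recursive is set, after all files have been retrieved,
+ftp_retrieve_dirs will be called to retrieve the directories. */
+static uerr_t
+-ftp_retrieve_list (struct url *u, struct fileinfo *f, ccon *con)
++ftp_retrieve_list (struct url *u, struct url *original_url,
++ struct fileinfo *f, ccon *con)
+{
+static int depth = 0;
+uerr_t err;
+@@ -2311,7 +2315,10 @@ Already have correct symlink %s -> %s\n\
+else /* opt.retr_symlinks */
+{
+if (dlthis)
+- err = ftp_loop_internal (u, f, con, NULL, force_full_retrieve);
++ {
++ err = ftp_loop_internal (u, original_url, f, con, NULL,
++ force_full_retrieve);
++ }
+} /* opt.retr_symlinks */
+break;
+case FT_DIRECTORY:
+@@ -2322,7 +2329,10 @@ Already have correct symlink %s -> %s\n\
+case FT_PLAINFILE:
+/* Call the retrieve loop. */
+if (dlthis)
+- err = ftp_loop_internal (u, f, con, NULL, force_full_retrieve);
++ {
++ err = ftp_loop_internal (u, original_url, f, con, NULL,
++ force_full_retrieve);
++ }
+break;
+case FT_UNKNOWN:
+logprintf (LOG_NOTQUIET, _("%s: unknown/unsupported file type.\n"),
+@@ -2387,7 +2397,7 @@ Already have correct symlink %s -> %s\n\
+/* We do not want to call ftp_retrieve_dirs here */
+if (opt.recursive &&
+!(opt.reclevel != INFINITE_RECURSION && depth >= opt.reclevel))
+- err = ftp_retrieve_dirs (u, orig, con);
++ err = ftp_retrieve_dirs (u, original_url, orig, con);
+else if (opt.recursive)
+DEBUGP ((_("Will not retrieve dirs since depth is %d (max %d).\n"),
+depth, opt.reclevel));
+@@ -2400,7 +2410,8 @@ Already have correct symlink %s -> %s\n\
+ftp_retrieve_glob on each directory entry. The function knows
+about excluded directories. */
+static uerr_t
+-ftp_retrieve_dirs (struct url *u, struct fileinfo *f, ccon *con)
++ftp_retrieve_dirs (struct url *u, struct url *original_url,
++ struct fileinfo *f, ccon *con)
+{
+char *container = NULL;
+int container_size = 0;
+@@ -2450,7 +2461,7 @@ Not descending to %s as it is excluded/n
+odir = xstrdup (u->dir); /* because url_set_dir will free
+u->dir. */
+url_set_dir (u, newdir);
+- ftp_retrieve_glob (u, con, GLOB_GETALL);
++ ftp_retrieve_glob (u, original_url, con, GLOB_GETALL);
+url_set_dir (u, odir);
+xfree (odir);
+
+@@ -2509,14 +2520,15 @@ is_invalid_entry (struct fileinfo *f)
+GLOB_GLOBALL, use globbing; if it's GLOB_GETALL, download the whole
+directory. */
+static uerr_t
+-ftp_retrieve_glob (struct url *u, ccon *con, int action)
++ftp_retrieve_glob (struct url *u, struct url *original_url,
++ ccon *con, int action)
+{
+struct fileinfo *f, *start;
+uerr_t res;
+
+con->cmd |= LEAVE_PENDING;
+
+- res = ftp_get_listing (u, con, &start);
++ res = ftp_get_listing (u, original_url, con, &start);
+if (res != RETROK)
+return res;
+/* First: weed out that do not conform the global rules given in
+@@ -2612,7 +2624,7 @@ ftp_retrieve_glob (struct url *u, ccon *
+if (start)
+{
+/* Just get everything. */
+- res = ftp_retrieve_list (u, start, con);
++ res = ftp_retrieve_list (u, original_url, start, con);
+}
+else
+{
+@@ -2628,7 +2640,7 @@ ftp_retrieve_glob (struct url *u, ccon *
+{
+/* Let's try retrieving it anyway. */
+con->st |= ON_YOUR_OWN;
+- res = ftp_loop_internal (u, NULL, con, NULL, false);
++ res = ftp_loop_internal (u, original_url, NULL, con, NULL, false);
+return res;
+}
+
+@@ -2648,8 +2660,8 @@ ftp_retrieve_glob (struct url *u, ccon *
+of URL. Inherently, its capabilities are limited on what can be
+encoded into a URL. */
+uerr_t
+-ftp_loop (struct url *u, char **local_file, int *dt, struct url *proxy,
+- bool recursive, bool glob)
++ftp_loop (struct url *u, struct url *original_url, char **local_file, int *dt,
++ struct url *proxy, bool recursive, bool glob)
+{
+ccon con; /* FTP connection */
+uerr_t res;
+@@ -2670,16 +2682,17 @@ ftp_loop (struct url *u, char **local_fi
+if (!*u->file && !recursive)
+{
+struct fileinfo *f;
+- res = ftp_get_listing (u, &con, &f);
++ res = ftp_get_listing (u, original_url, &con, &f);
+
+if (res == RETROK)
+{
+if (opt.htmlify && !opt.spider)
+{
++ struct url *url_file = opt.trustservernames ? u : original_url;
+char *filename = (opt.output_document
+? xstrdup (opt.output_document)
+: (con.target ? xstrdup (con.target)
+- : url_file_name (u, NULL)));
++ : url_file_name (url_file, NULL)));
+res = ftp_index (filename, u, f);
+if (res == FTPOK && opt.verbose)
+{
+@@ -2724,11 +2737,13 @@ ftp_loop (struct url *u, char **local_fi
+/* ftp_retrieve_glob is a catch-all function that gets called
+if we need globbing, time-stamping, recursion or preserve
+permissions. Its third argument is just what we really need. */
+- res = ftp_retrieve_glob (u, &con,
++ res = ftp_retrieve_glob (u, original_url, &con,
+ispattern ? GLOB_GLOBALL : GLOB_GETONE);
+}
+else
+- res = ftp_loop_internal (u, NULL, &con, local_file, false);
++ {
++ res = ftp_loop_internal (u, original_url, NULL, &con, local_file, false);
++ }
+}
+if (res == FTPOK)
+res = RETROK;
+Index: wget-1.17.1/src/ftp.h
+===================================================================
+--- wget-1.17.1.orig/src/ftp.h
++++ wget-1.17.1/src/ftp.h
+@@ -169,7 +169,8 @@ enum wget_ftp_fstatus
+};
+
+struct fileinfo *ftp_parse_ls (const char *, const enum stype);
+-uerr_t ftp_loop (struct url *, char **, int *, struct url *, bool, bool);
++uerr_t ftp_loop (struct url *, struct url *, char **, int *, struct url *,
++ bool, bool);
+
+uerr_t ftp_index (const char *, struct url *, struct fileinfo *);
+
+Index: wget-1.17.1/src/retr.c
+===================================================================
+--- wget-1.17.1.orig/src/retr.c
++++ wget-1.17.1/src/retr.c
+@@ -830,7 +830,8 @@ retrieve_url (struct url * orig_parsed,
+if (redirection_count)
+oldrec = glob = false;
+
+- result = ftp_loop (u, &local_file, dt, proxy_url, recursive, glob);
++ result = ftp_loop (u, orig_parsed, &local_file, dt, proxy_url,
++ recursive, glob);
+recursive = oldrec;
+
+/* There is a possibility of having HTTP being redirected to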
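Review bot: The `ftp_loop` hunk (`@@ -2670,16 +2682,17 @@`) picks the naming URL with `opt.trustservernames ? u : original_url`, without the `!original_url` fallback that the `ftp_loop_internal` hunk (`@@ -1806,7 +1807,7 @@`) uses, so a NULL `original_url` would be handed to `url_file_name` whenever `--trust-server-names` is off. The only caller visible on this page, `retrieve_url` in src/retr.c, passes `orig_parsed`, so this is presumably unreachable today, but the two sites should agree: `struct url *url_file = opt.trustservernames || !original_url ? u : original_url;`. A short comment at both sites, for example `/* Name the local file after the user-supplied URL unless --trust-server-names is set: the redirect target is server-controlled (CVE-2016-4971). */`, would keep a later refactor from switching back to `u`. Both function bodies continue outside the hunks shown.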
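--- a/meta/recipes-extended/wget/wget_1.17.1.bb
+++ b/meta/recipes-extended/wget/wget_1.17.1.bb
@@ -1,5 +1,6 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
+file://CVE-2016-4971.patch \
 "
 
 SRC_URI[md5sum] = "a6a908c9ae0e6a4194c628974cc3f05a"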