3 files changed, 202 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 0000000000..cbc4a127a8
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c    | 4 ----
+ src/main.c    | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
+++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+ 
+@cindex xattr
+@item --xattr
+Enable use of file system's extended attributes to save the
+original URL and the Referer HTTP header value if used.
+
+Be aware that the URL might contain private information like
+access tokens or credentials.
+
+ 
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
+++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+   opt.hsts = true;
+ #endif
+ 
+-#ifdef ENABLE_XATTR
+-  opt.enable_xattr = true;
+-#else
+   opt.enable_xattr = false;
+-#endif
+ }
+ 
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
+++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+     N_("\
+-       --no-xattr                  turn off storage of metadata in extended file attributes\n"),
+       --xattr                     turn on storage of metadata in extended file attributes\n"),
+ #endif
+     "\n",
+ 
+-- 
+2.19.1
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 0000000000..72ce8a0b33
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+Also the Referer info is reduced to scheme+host+port.
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+  reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c   |  2 +-
+ src/http.c  |  4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h |  3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
+++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+ 
+ #ifdef ENABLE_XATTR
+   if (opt.enable_xattr)
+-    set_file_metadata (u->url, NULL, fp);
+    set_file_metadata (u, NULL, fp);
+ #endif
+ 
+   fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
+++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+   if (opt.enable_xattr)
+     {
+       if (original_url != u)
+-        set_file_metadata (u->url, original_url->url, fp);
+        set_file_metadata (u, original_url, fp);
+       else
+-        set_file_metadata (u->url, NULL, fp);
+        set_file_metadata (u, NULL, fp);
+     }
+ #endif
+ 
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
+++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+ 
+ #include "log.h"
+#include "utils.h"
+ #include "xattr.h"
+ 
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+ 
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+   /* Save metadata about where the file came from (requested, final URLs) to
+    * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+    * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+    */
+   int retval = -1;
+  char *value;
+ 
+   if (!origin_url || !fp)
+     return retval;
+ 
+-  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+-  if ((!retval) && referrer_url)
+-    retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
+  value = url_string (origin_url, URL_AUTH_HIDE);
+  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
+  xfree (value);
+
+  if (!retval && referrer_url)
+    {
+         struct url u;
+
+         memset(&u, 0, sizeof(u));
+      u.scheme = referrer_url->scheme;
+      u.host = referrer_url->host;
+      u.port = referrer_url->port;
+
+      value = url_string (&u, 0);
+      retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
+      xfree (value);
+    }
+ 
+   return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
+++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+    along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+ 
+ #include <stdio.h>
+#include <url.h>
+ 
+ #ifndef _XATTR_H
+ #define _XATTR_H
+ 
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
+int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+ 
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+-- 
+2.19.1
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index 920b74de1b..a53844bb8f 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
           file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
           file://0002-improve-reproducibility.patch \
           file://CVE-2019-5953.patch \
+           file://CVE-2018-20483_p1.patch \
+           file://CVE-2018-20483_p2.patch \
          "
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"

diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch new file mode 100644 index 0000000000..cbc4a127a8 --- /dev/null +++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
		1	From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
		3	Date: Wed, 26 Dec 2018 13:51:48 +0100
		4	Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
		5
		6	* src/init.c (defaults): Set enable_xattr to false by default
		7	* src/main.c (print_help): Reverse option logic of --xattr
		8	* doc/wget.texi: Add description for --xattr
		9
		10	Users may not be aware that the origin URL and Referer are saved
		11	including credentials, and possibly access tokens within
		12	the urls.
		13
		14	CVE: CVE-2018-20483 patch 1
		15	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
		16	Signed-off-by: Aviraj CJ <acj@cisco.com>
		17	---
		18	doc/wget.texi \| 8 ++++++++
		19	src/init.c \| 4 ----
		20	src/main.c \| 2 +-
		21	3 files changed, 9 insertions(+), 5 deletions(-)
		22
		23	diff --git a/doc/wget.texi b/doc/wget.texi
		24	index eaf6b380..3f9d7c1c 100644
		25	--- a/doc/wget.texi
		26	+++ b/doc/wget.texi
		27	@@ -540,6 +540,14 @@ right NUMBER.
		28	Set preferred location for Metalink resources. This has effect if multiple
		29	resources with same priority are available.
		30
		31	+@cindex xattr
		32	+@item --xattr
		33	+Enable use of file system's extended attributes to save the
		34	+original URL and the Referer HTTP header value if used.
		35	+
		36	+Be aware that the URL might contain private information like
		37	+access tokens or credentials.
		38	+
		39
		40	@cindex force html
		41	@item -F
		42	diff --git a/src/init.c b/src/init.c
		43	index eb81ab47..800970c5 100644
		44	--- a/src/init.c
		45	+++ b/src/init.c
		46	@@ -509,11 +509,7 @@ defaults (void)
		47	opt.hsts = true;
		48	#endif
		49
		50	-#ifdef ENABLE_XATTR
		51	- opt.enable_xattr = true;
		52	-#else
		53	opt.enable_xattr = false;
		54	-#endif
		55	}
		56
		57	/* Return the user's home directory (strdup-ed), or NULL if none is
		58	diff --git a/src/main.c b/src/main.c
		59	index 81db9319..6ac1621b 100644
		60	--- a/src/main.c
		61	+++ b/src/main.c
		62	@@ -754,7 +754,7 @@ Download:\n"),
		63	#endif
		64	#ifdef ENABLE_XATTR
		65	N_("\
		66	- --no-xattr turn off storage of metadata in extended file attributes\n"),
		67	+ --xattr turn on storage of metadata in extended file attributes\n"),
		68	#endif
		69	"\n",
		70
		71	--
		72	2.19.1
		73


diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch new file mode 100644 index 0000000000..72ce8a0b33 --- /dev/null +++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
		1	From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
		3	Date: Wed, 26 Dec 2018 14:38:18 +0100
		4	Subject: [PATCH 2/2] Don't save user/pw with --xattr
		5
		6	Also the Referer info is reduced to scheme+host+port.
		7
		8	* src/ftp.c (getftp): Change params of set_file_metadata()
		9	* src/http.c (gethttp): Change params of set_file_metadata()
		10	* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
		11	reduce Referer value to scheme/host/port.
		12	* src/xattr.h: Change prototype of set_file_metadata()
		13
		14	CVE: CVE-2018-20483 patch 2
		15	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
		16	Signed-off-by: Aviraj CJ <acj@cisco.com>
		17	---
		18	src/ftp.c \| 2 +-
		19	src/http.c \| 4 ++--
		20	src/xattr.c \| 24 ++++++++++++++++++++----
		21	src/xattr.h \| 3 ++-
		22	4 files changed, 25 insertions(+), 8 deletions(-)
		23
		24	diff --git a/src/ftp.c b/src/ftp.c
		25	index 69148936..db8a6267 100644
		26	--- a/src/ftp.c
		27	+++ b/src/ftp.c
		28	@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
		29
		30	#ifdef ENABLE_XATTR
		31	if (opt.enable_xattr)
		32	- set_file_metadata (u->url, NULL, fp);
		33	+ set_file_metadata (u, NULL, fp);
		34	#endif
		35
		36	fd_close (local_sock);
		37	diff --git a/src/http.c b/src/http.c
		38	index 77bdbbed..472c328f 100644
		39	--- a/src/http.c
		40	+++ b/src/http.c
		41	@@ -4120,9 +4120,9 @@ gethttp (const struct url u, struct url original_url, struct http_stat *hs,
		42	if (opt.enable_xattr)
		43	{
		44	if (original_url != u)
		45	- set_file_metadata (u->url, original_url->url, fp);
		46	+ set_file_metadata (u, original_url, fp);
		47	else
		48	- set_file_metadata (u->url, NULL, fp);
		49	+ set_file_metadata (u, NULL, fp);
		50	}
		51	#endif
		52
		53	diff --git a/src/xattr.c b/src/xattr.c
		54	index 66524226..0f20fadf 100644
		55	--- a/src/xattr.c
		56	+++ b/src/xattr.c
		57	@@ -21,6 +21,7 @@
		58	#include <string.h>
		59
		60	#include "log.h"
		61	+#include "utils.h"
		62	#include "xattr.h"
		63
		64	#ifdef USE_XATTR
		65	@@ -57,7 +58,7 @@ write_xattr_metadata (const char name, const char value, FILE *fp)
		66	#endif /* USE_XATTR */
		67
		68	int
		69	-set_file_metadata (const char origin_url, const char referrer_url, FILE *fp)
		70	+set_file_metadata (const struct url origin_url, const struct url referrer_url, FILE *fp)
		71	{
		72	/* Save metadata about where the file came from (requested, final URLs) to
		73	* user POSIX Extended Attributes of retrieved file.
		74	@@ -67,13 +68,28 @@ set_file_metadata (const char origin_url, const char referrer_url, FILE *fp)
		75	* [http://0pointer.de/lennart/projects/mod_mime_xattr/].
		76	*/
		77	int retval = -1;
		78	+ char *value;
		79
		80	if (!origin_url \|\| !fp)
		81	return retval;
		82
		83	- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
		84	- if ((!retval) && referrer_url)
		85	- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
		86	+ value = url_string (origin_url, URL_AUTH_HIDE);
		87	+ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
		88	+ xfree (value);
		89	+
		90	+ if (!retval && referrer_url)
		91	+ {
		92	+ struct url u;
		93	+
		94	+ memset(&u, 0, sizeof(u));
		95	+ u.scheme = referrer_url->scheme;
		96	+ u.host = referrer_url->host;
		97	+ u.port = referrer_url->port;
		98	+
		99	+ value = url_string (&u, 0);
		100	+ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
		101	+ xfree (value);
		102	+ }
		103
		104	return retval;
		105	}
		106	diff --git a/src/xattr.h b/src/xattr.h
		107	index 10f3ed11..40c7a8d3 100644
		108	--- a/src/xattr.h
		109	+++ b/src/xattr.h
		110	@@ -16,12 +16,13 @@
		111	along with this program; if not, see <http://www.gnu.org/licenses/>. */
		112
		113	#include <stdio.h>
		114	+#include <url.h>
		115
		116	#ifndef _XATTR_H
		117	#define _XATTR_H
		118
		119	/* Store metadata name/value attributes against fp. */
		120	-int set_file_metadata (const char origin_url, const char referrer_url, FILE *fp);
		121	+int set_file_metadata (const struct url origin_url, const struct url referrer_url, FILE *fp);
		122
		123	#if defined(__linux)
		124	/* libc on Linux has fsetxattr (5 arguments). */
		125	--
		126	2.19.1
		127


diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb index 920b74de1b..a53844bb8f 100644 --- a/meta/recipes-extended/wget/wget_1.19.5.bb +++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
2	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \	2	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
3	file://0002-improve-reproducibility.patch \	3	file://0002-improve-reproducibility.patch \
4	file://CVE-2019-5953.patch \	4	file://CVE-2019-5953.patch \
		5	file://CVE-2018-20483_p1.patch \
		6	file://CVE-2018-20483_p2.patch \
5	"	7	"
6		8
7	SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"	9	SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"