2 files changed, 198 insertions, 0 deletions
diff --git a/meta/recipes-extended/wget/wget/CVE-2024-10524.patch b/meta/recipes-extended/wget/wget/CVE-2024-10524.patch
new file mode 100644
index 0000000000..21f990ee73
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2024-10524.patch
@@ -0,0 +1,197 @@
+From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
+From: Tim Rühsen <tim.ruehsen@gmx.de>
+Date: Sun, 27 Oct 2024 19:53:14 +0100
+Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs)
+* doc/wget.texi: Add documentation for removed support for shorthand URLs.
+* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
+* src/main.c (main): Likewise.
+* src/retr.c (getproxy): Likewise.
+* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
+  add new function is_valid_port.
+* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
+Reported-by: Goni Golan <gonig@jfrog.com>
+CVE: CVE-2024-10524
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ doc/wget.texi  | 12 ++++-------
+ src/html-url.c |  2 +-
+ src/main.c     |  2 +-
+ src/retr.c     |  2 +-
+ src/url.c      | 57 ++++++++++++++++----------------------------------
+ src/url.h      |  2 +-
+ 6 files changed, 26 insertions(+), 51 deletions(-)
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 3c24de2..503a03d 100644
+--- a/doc/wget.texi
+++ b/doc/wget.texi
+@@ -314,8 +314,8 @@ for text files.  Here is an example:
+ ftp://host/directory/file;type=a
+ @end example
+ 
+-Two alternative variants of @sc{url} specification are also supported,
+-because of historical (hysterical?) reasons and their widespreaded use.
+The two alternative variants of @sc{url} specifications are no longer
+supported because of security considerations:
+ 
+ @sc{ftp}-only syntax (supported by @code{NcFTP}):
+ @example
+@@ -327,12 +327,8 @@ host:/dir/file
+ host[:port]/dir/file
+ @end example
+ 
+-These two alternative forms are deprecated, and may cease being
+-supported in the future.
+-
+-If you do not understand the difference between these notations, or do
+-not know which one to use, just use the plain ordinary format you use
+-with your favorite browser, like @code{Lynx} or @code{Netscape}.
+These two alternative forms have been deprecated long time ago,
+and support is removed with version 1.22.0.
+ 
+ @c man begin OPTIONS
+ 
+diff --git a/src/html-url.c b/src/html-url.c
+index 896d6fc..3deea9c 100644
+--- a/src/html-url.c
+++ b/src/html-url.c
+@@ -931,7 +931,7 @@ get_urls_file (const char *file)
+           url_text = merged;
+         }
+ 
+-      new_url = rewrite_shorthand_url (url_text);
+      new_url = maybe_prepend_scheme (url_text);
+       if (new_url)
+         {
+           xfree (url_text);
+diff --git a/src/main.c b/src/main.c
+index d1c3c3e..f1d7792 100644
+--- a/src/main.c
+++ b/src/main.c
+@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
+       struct iri *iri = iri_new ();
+       struct url *url_parsed;
+ 
+-      t = rewrite_shorthand_url (argv[optind]);
+      t = maybe_prepend_scheme (argv[optind]);
+       if (!t)
+         t = argv[optind];
+ 
+diff --git a/src/retr.c b/src/retr.c
+index 38c9fcf..a124046 100644
+--- a/src/retr.c
+++ b/src/retr.c
+@@ -1493,7 +1493,7 @@ getproxy (struct url *u)
+ 
+   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
+      getproxy() to return static storage. */
+-  rewritten_url = rewrite_shorthand_url (proxy);
+  rewritten_url = maybe_prepend_scheme (proxy);
+   if (rewritten_url)
+     return rewritten_url;
+ 
+diff --git a/src/url.c b/src/url.c
+index 0acd3f3..6868825 100644
+--- a/src/url.c
+++ b/src/url.c
+@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
+   return true;
+ }
+ 
+-/* Used by main.c: detect URLs written using the "shorthand" URL forms
+-   originally popularized by Netscape and NcFTP.  HTTP shorthands look
+-   like this:
+-
+-   www.foo.com[:port]/dir/file   -> http://www.foo.com[:port]/dir/file
+-   www.foo.com[:port]            -> http://www.foo.com[:port]
+-
+-   FTP shorthands look like this:
+-
+-   foo.bar.com:dir/file          -> ftp://foo.bar.com/dir/file
+-   foo.bar.com:/absdir/file      -> ftp://foo.bar.com//absdir/file
+static bool is_valid_port(const char *p)
+{
+  unsigned port = (unsigned) atoi (p);
+  if (port == 0 || port > 65535)
+    return false;
+ 
+-   If the URL needs not or cannot be rewritten, return NULL.  */
+  int digits = strspn (p, "0123456789");
+  return digits && (p[digits] == '/' || p[digits] == '\0');
+}
+ 
+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
+ char *
+-rewrite_shorthand_url (const char *url)
+maybe_prepend_scheme (const char *url)
+ {
+-  const char *p;
+-  char *ret;
+-
+   if (url_scheme (url) != SCHEME_INVALID)
+     return NULL;
+ 
+-  /* Look for a ':' or '/'.  The former signifies NcFTP syntax, the
+-     latter Netscape.  */
+-  p = strpbrk (url, ":/");
+  const char *p = strchr (url, ':');
+   if (p == url)
+     return NULL;
+ 
+   /* If we're looking at "://", it means the URL uses a scheme we
+      don't support, which may include "https" when compiled without
+-     SSL support.  Don't bogusly rewrite such URLs.  */
+     SSL support.  Don't bogusly prepend "http://" to such URLs.  */
+   if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
+     return NULL;
+ 
+-  if (p && *p == ':')
+-    {
+-      /* Colon indicates ftp, as in foo.bar.com:path.  Check for
+-         special case of http port number ("localhost:10000").  */
+-      int digits = strspn (p + 1, "0123456789");
+-      if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
+-        goto http;
+-
+-      /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
+-      if ((ret = aprintf ("ftp://%s", url)) != NULL)
+-        ret[6 + (p - url)] = '/';
+-    }
+-  else
+-    {
+-    http:
+-      /* Just prepend "http://" to URL. */
+-      ret = aprintf ("http://%s", url);
+-    }
+-  return ret;
+  if (p && p[0] == ':' && !is_valid_port (p + 1))
+    return NULL;
+
+
+  fprintf(stderr, "Prepended http:// to '%s'\n", url);
+  return aprintf ("http://%s", url);
+ }
+ 
+ static void split_path (const char *, char **, char **);
+diff --git a/src/url.h b/src/url.h
+index fb9da33..5f99b0a 100644
+--- a/src/url.h
+++ b/src/url.h
+@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
+ 
+ int mkalldirs (const char *);
+ 
+-char *rewrite_shorthand_url (const char *);
+char *maybe_prepend_scheme (const char *);
+ bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
+ 
+ bool are_urls_equal (const char *u1, const char *u2);
+-- 
+2.40.0
diff --git a/meta/recipes-extended/wget/wget_1.21.4.bb b/meta/recipes-extended/wget/wget_1.21.4.bb
index bc65a8f7c8..b5f50f6c84 100644
--- a/meta/recipes-extended/wget/wget_1.21.4.bb
+++ b/meta/recipes-extended/wget/wget_1.21.4.bb
@@ -1,6 +1,7 @@
 SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
           file://0002-improve-reproducibility.patch \
           file://CVE-2024-38428.patch \
+           file://CVE-2024-10524.patch \
          "
 SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"

diff --git a/meta/recipes-extended/wget/wget/CVE-2024-10524.patch b/meta/recipes-extended/wget/wget/CVE-2024-10524.patch new file mode 100644 index 0000000000..21f990ee73 --- /dev/null +++ b/meta/recipes-extended/wget/wget/CVE-2024-10524.patch
@@ -0,0 +1,197 @@
		1	From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
		2	From: Tim Rühsen <tim.ruehsen@gmx.de>
		3	Date: Sun, 27 Oct 2024 19:53:14 +0100
		4	Subject: [PATCH] Fix CVE-2024-10524 (drop support for shorthand URLs)
		5
		6	* doc/wget.texi: Add documentation for removed support for shorthand URLs.
		7	* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
		8	* src/main.c (main): Likewise.
		9	* src/retr.c (getproxy): Likewise.
		10	* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
		11	add new function is_valid_port.
		12	* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.
		13
		14	Reported-by: Goni Golan <gonig@jfrog.com>
		15
		16	CVE: CVE-2024-10524
		17
		18	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778]
		19
		20	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		21	---
		22	doc/wget.texi \| 12 ++++-------
		23	src/html-url.c \| 2 +-
		24	src/main.c \| 2 +-
		25	src/retr.c \| 2 +-
		26	src/url.c \| 57 ++++++++++++++++----------------------------------
		27	src/url.h \| 2 +-
		28	6 files changed, 26 insertions(+), 51 deletions(-)
		29
		30	diff --git a/doc/wget.texi b/doc/wget.texi
		31	index 3c24de2..503a03d 100644
		32	--- a/doc/wget.texi
		33	+++ b/doc/wget.texi
		34	@@ -314,8 +314,8 @@ for text files. Here is an example:
		35	ftp://host/directory/file;type=a
		36	@end example
		37
		38	-Two alternative variants of @sc{url} specification are also supported,
		39	-because of historical (hysterical?) reasons and their widespreaded use.
		40	+The two alternative variants of @sc{url} specifications are no longer
		41	+supported because of security considerations:
		42
		43	@sc{ftp}-only syntax (supported by @code{NcFTP}):
		44	@example
		45	@@ -327,12 +327,8 @@ host:/dir/file
		46	host[:port]/dir/file
		47	@end example
		48
		49	-These two alternative forms are deprecated, and may cease being
		50	-supported in the future.
		51	-
		52	-If you do not understand the difference between these notations, or do
		53	-not know which one to use, just use the plain ordinary format you use
		54	-with your favorite browser, like @code{Lynx} or @code{Netscape}.
		55	+These two alternative forms have been deprecated long time ago,
		56	+and support is removed with version 1.22.0.
		57
		58	@c man begin OPTIONS
		59
		60	diff --git a/src/html-url.c b/src/html-url.c
		61	index 896d6fc..3deea9c 100644
		62	--- a/src/html-url.c
		63	+++ b/src/html-url.c
		64	@@ -931,7 +931,7 @@ get_urls_file (const char *file)
		65	url_text = merged;
		66	}
		67
		68	- new_url = rewrite_shorthand_url (url_text);
		69	+ new_url = maybe_prepend_scheme (url_text);
		70	if (new_url)
		71	{
		72	xfree (url_text);
		73	diff --git a/src/main.c b/src/main.c
		74	index d1c3c3e..f1d7792 100644
		75	--- a/src/main.c
		76	+++ b/src/main.c
		77	@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
		78	struct iri *iri = iri_new ();
		79	struct url *url_parsed;
		80
		81	- t = rewrite_shorthand_url (argv[optind]);
		82	+ t = maybe_prepend_scheme (argv[optind]);
		83	if (!t)
		84	t = argv[optind];
		85
		86	diff --git a/src/retr.c b/src/retr.c
		87	index 38c9fcf..a124046 100644
		88	--- a/src/retr.c
		89	+++ b/src/retr.c
		90	@@ -1493,7 +1493,7 @@ getproxy (struct url *u)
		91
		92	/* Handle shorthands. `rewritten_storage' is a kludge to allow
		93	getproxy() to return static storage. */
		94	- rewritten_url = rewrite_shorthand_url (proxy);
		95	+ rewritten_url = maybe_prepend_scheme (proxy);
		96	if (rewritten_url)
		97	return rewritten_url;
		98
		99	diff --git a/src/url.c b/src/url.c
		100	index 0acd3f3..6868825 100644
		101	--- a/src/url.c
		102	+++ b/src/url.c
		103	@@ -594,60 +594,39 @@ parse_credentials (const char beg, const char end, char user, char passwd)
		104	return true;
		105	}
		106
		107	-/* Used by main.c: detect URLs written using the "shorthand" URL forms
		108	- originally popularized by Netscape and NcFTP. HTTP shorthands look
		109	- like this:
		110	-
		111	- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
		112	- www.foo.com[:port] -> http://www.foo.com[:port]
		113	-
		114	- FTP shorthands look like this:
		115	-
		116	- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
		117	- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
		118	+static bool is_valid_port(const char *p)
		119	+{
		120	+ unsigned port = (unsigned) atoi (p);
		121	+ if (port == 0 \|\| port > 65535)
		122	+ return false;
		123
		124	- If the URL needs not or cannot be rewritten, return NULL. */
		125	+ int digits = strspn (p, "0123456789");
		126	+ return digits && (p[digits] == '/' \|\| p[digits] == '\0');
		127	+}
		128
		129	+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
		130	char *
		131	-rewrite_shorthand_url (const char *url)
		132	+maybe_prepend_scheme (const char *url)
		133	{
		134	- const char *p;
		135	- char *ret;
		136	-
		137	if (url_scheme (url) != SCHEME_INVALID)
		138	return NULL;
		139
		140	- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
		141	- latter Netscape. */
		142	- p = strpbrk (url, ":/");
		143	+ const char *p = strchr (url, ':');
		144	if (p == url)
		145	return NULL;
		146
		147	/* If we're looking at "://", it means the URL uses a scheme we
		148	don't support, which may include "https" when compiled without
		149	- SSL support. Don't bogusly rewrite such URLs. */
		150	+ SSL support. Don't bogusly prepend "http://" to such URLs. */
		151	if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
		152	return NULL;
		153
		154	- if (p && *p == ':')
		155	- {
		156	- /* Colon indicates ftp, as in foo.bar.com:path. Check for
		157	- special case of http port number ("localhost:10000"). */
		158	- int digits = strspn (p + 1, "0123456789");
		159	- if (digits && (p[1 + digits] == '/' \|\| p[1 + digits] == '\0'))
		160	- goto http;
		161	-
		162	- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
		163	- if ((ret = aprintf ("ftp://%s", url)) != NULL)
		164	- ret[6 + (p - url)] = '/';
		165	- }
		166	- else
		167	- {
		168	- http:
		169	- /* Just prepend "http://" to URL. */
		170	- ret = aprintf ("http://%s", url);
		171	- }
		172	- return ret;
		173	+ if (p && p[0] == ':' && !is_valid_port (p + 1))
		174	+ return NULL;
		175	+
		176	+
		177	+ fprintf(stderr, "Prepended http:// to '%s'\n", url);
		178	+ return aprintf ("http://%s", url);
		179	}
		180
		181	static void split_path (const char , char , char *);
		182	diff --git a/src/url.h b/src/url.h
		183	index fb9da33..5f99b0a 100644
		184	--- a/src/url.h
		185	+++ b/src/url.h
		186	@@ -128,7 +128,7 @@ char uri_merge (const char , const char *);
		187
		188	int mkalldirs (const char *);
		189
		190	-char rewrite_shorthand_url (const char );
		191	+char maybe_prepend_scheme (const char );
		192	bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
		193
		194	bool are_urls_equal (const char u1, const char u2);
		195	--
		196	2.40.0
		197


diff --git a/meta/recipes-extended/wget/wget_1.21.4.bb b/meta/recipes-extended/wget/wget_1.21.4.bb index bc65a8f7c8..b5f50f6c84 100644 --- a/meta/recipes-extended/wget/wget_1.21.4.bb +++ b/meta/recipes-extended/wget/wget_1.21.4.bb
@@ -1,6 +1,7 @@
1	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \	1	SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
2	file://0002-improve-reproducibility.patch \	2	file://0002-improve-reproducibility.patch \
3	file://CVE-2024-38428.patch \	3	file://CVE-2024-38428.patch \
		4	file://CVE-2024-10524.patch \
4	"	5	"
5		6
6	SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"	7	SRC_URI[sha256sum] = "81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"