From b5e211f0249078c5d9f988274664e396f6848636 Mon Sep 17 00:00:00 2001
From: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>
Date: Sat, 23 Nov 2024 01:21:07 +0530
Subject: [PATCH] Fix CVE-2024-10524 for wget :2.0 (#11173)
Co-authored-by: kavyasree
Co-authored-by: jslobodzian
(cherry picked from commit 2384b16cb9147776a7ba349db1148a3309963d1d)
---
 SPECS/wget/CVE-2024-10524.patch | 182 ++++++++++++++++++++++++++++++++
 SPECS/wget/wget.spec | 6 +-
 2 files changed, 187 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/wget/CVE-2024-10524.patch
diff --git a/SPECS/wget/CVE-2024-10524.patch b/SPECS/wget/CVE-2024-10524.patch
new file mode 100644
index 00000000000..fb2608c07df
--- /dev/null
+++ b/SPECS/wget/CVE-2024-10524.patch
@@ -0,0 +1,182 @@
+From 4cfddf2cd1aac9b0e36cd08df36f077ee68bd87b Mon Sep 17 00:00:00 2001
+From: kavyasree
+Date: Thu, 21 Nov 2024 12:17:03 +0530
+Subject: [PATCH] Fix CVE-2024-10524
+
+---
+ doc/wget.texi | 12 ++++-------
+ src/html-url.c | 2 +-
+ src/main.c | 2 +-
+ src/retr.c | 2 +-
+ src/url.c | 57 ++++++++++++++++----------------------------------
+ src/url.h | 2 +-
+ 6 files changed, 26 insertions(+), 51 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 0c282b3..d59994a 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -314,8 +314,8 @@ for text files. Here is an example:
+ ftp://host/directory/file;type=a
+ @end example
+ 
+-Two alternative variants of @sc{url} specification are also supported,
+-because of historical (hysterical?) reasons and their widespreaded use.
++The two alternative variants of @sc{url} specifications are no longer
++supported because of security considerations:
+ 
+ @sc{ftp}-only syntax (supported by @code{NcFTP}):
+ @example
+@@ -327,12 +327,8 @@ host:/dir/file
+ host[:port]/dir/file
+ @end example
+ 
+-These two alternative forms are deprecated, and may cease being
+-supported in the future.
+-
+-If you do not understand the difference between these notations, or do
+-not know which one to use, just use the plain ordinary format you use
+-with your favorite browser, like @code{Lynx} or @code{Netscape}.
++These two alternative forms have been deprecated long time ago,
++and support is removed with version 1.22.0.
+ 
+ @c man begin OPTIONS
+ 
+diff --git a/src/html-url.c b/src/html-url.c
+index eaddc17..ab3ada6 100644
+--- a/src/html-url.c
++++ b/src/html-url.c
+@@ -931,7 +931,7 @@ get_urls_file (const char *file)
+ url_text = merged;
+ }
+ 
+- new_url = rewrite_shorthand_url (url_text);
++ new_url = maybe_prepend_scheme (url_text);
+ if (new_url)
+ {
+ xfree (url_text);
+diff --git a/src/main.c b/src/main.c
+index 7c27b0c..6e00ca7 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -2120,7 +2120,7 @@ only if outputting to a regular file.\n"));
+ struct iri *iri = iri_new ();
+ struct url *url_parsed;
+ 
+- t = rewrite_shorthand_url (argv[optind]);
++ t = maybe_prepend_scheme (argv[optind]);
+ if (!t)
+ t = argv[optind];
+ 
+diff --git a/src/retr.c b/src/retr.c
+index 2e18eae..7a34dd5 100644
+--- a/src/retr.c
++++ b/src/retr.c
+@@ -1502,7 +1502,7 @@ getproxy (struct url *u)
+ 
+ /* Handle shorthands. `rewritten_storage' is a kludge to allow
+ getproxy() to return static storage. */
+- rewritten_url = rewrite_shorthand_url (proxy);
++ rewritten_url = maybe_prepend_scheme (proxy);
+ if (rewritten_url)
+ return rewritten_url;
+ 
+diff --git a/src/url.c b/src/url.c
+index 65dd27d..01a4391 100644
+--- a/src/url.c
++++ b/src/url.c
+@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
+ return true;
+ }
+ 
+-/* Used by main.c: detect URLs written using the "shorthand" URL forms
+- originally popularized by Netscape and NcFTP. HTTP shorthands look
+- like this:
+-
+- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
+- www.foo.com[:port] -> http://www.foo.com[:port]
+-
+- FTP shorthands look like this:
+-
+- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
+- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
++static bool is_valid_port(const char *p)
++{
++ unsigned port = (unsigned) atoi (p);
++ if (port == 0 || port > 65535)
++ return false;
+ 
+- If the URL needs not or cannot be rewritten, return NULL. */
++ int digits = strspn (p, "0123456789");
++ return digits && (p[digits] == '/' || p[digits] == '\0');
++}
+ 
++/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
+ char *
+-rewrite_shorthand_url (const char *url)
++maybe_prepend_scheme (const char *url)
+ {
+- const char *p;
+- char *ret;
+-
+ if (url_scheme (url) != SCHEME_INVALID)
+ return NULL;
+ 
+- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
+- latter Netscape. */
+- p = strpbrk (url, ":/");
++ const char *p = strchr (url, ':');
+ if (p == url)
+ return NULL;
+ 
+ /* If we're looking at "://", it means the URL uses a scheme we
+ don't support, which may include "https" when compiled without
+- SSL support. Don't bogusly rewrite such URLs. */
++ SSL support. Don't bogusly prepend "http://" to such URLs. */
+ if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
+ return NULL;
+ 
+- if (p && *p == ':')
+- {
+- /* Colon indicates ftp, as in foo.bar.com:path. Check for
+- special case of http port number ("localhost:10000"). */
+- int digits = strspn (p + 1, "0123456789");
+- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
+- goto http;
+-
+- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
+- if ((ret = aprintf ("ftp://%s", url)) != NULL)
+- ret[6 + (p - url)] = '/';
+- }
+- else
+- {
+- http:
+- /* Just prepend "http://" to URL. */
+- ret = aprintf ("http://%s", url);
+- }
+- return ret;
++ if (p && p[0] == ':' && !is_valid_port (p + 1))
++ return NULL;
++
++
++ fprintf(stderr, "Prepended http:// to '%s'\n", url);
++ return aprintf ("http://%s", url);
+ }
+ 
+ static void split_path (const char *, char **, char **);
+diff --git a/src/url.h b/src/url.h
+index 29c591d..804c0a7 100644
+--- a/src/url.h
++++ b/src/url.h
+@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
+ 
+ int mkalldirs (const char *);
+ 
+-char *rewrite_shorthand_url (const char *);
++char *maybe_prepend_scheme (const char *);
+ bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
+ 
+ bool are_urls_equal (const char *u1, const char *u2);
+-- 
+2.34.1
+
diff --git a/SPECS/wget/wget.spec b/SPECS/wget/wget.spec
index c58809a79b5..23f2e11f144 100644
--- a/SPECS/wget/wget.spec
+++ b/SPECS/wget/wget.spec
@@ -1,7 +1,7 @@
 Summary: A network utility to retrieve files from the Web
 Name: wget
 Version: 1.21.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
 URL: https://www.gnu.org/software/wget/wget.html
 Group: System Environment/NetworkingPrograms
@@ -9,6 +9,7 @@ Vendor: Microsoft Corporation
 Distribution: Mariner
 Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
 Patch0: CVE-2024-38428.patch
+Patch1: CVE-2024-10524.patch
 BuildRequires: openssl-devel
 %if %{with_check}
 BuildRequires: perl
@@ -55,6 +56,9 @@ rm -rf %{buildroot}/%{_infodir}
 %{_datadir}/locale/*/LC_MESSAGES/*.mo
 %changelog
+* Thu Nov 21 2024 Kavya Sree Kaitepalli - 1.21.2-4
+- Patch for CVE-2024-10524
+
 * Wed Jun 19 2024 Saul Paredes - 1.21.2-3
 - Patch for CVE-2024-38428
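Review bot: In the src/url.c part of the embedded patch, `is_valid_port` calls `atoi` on the text after the colon before it has checked that the text is a digit run, and `atoi` has undefined behaviour when the value does not fit in `int`, so an over-long digit string may land inside the accepted 1-65535 range. Checking the digit run first and parsing with `strtoul` keeps the range test well defined, and it also avoids narrowing the `strspn` result to `int`; the rewritten helper is below. Separately, the unconditional `fprintf(stderr, "Prepended http:// to '%s'\n", url);` in `maybe_prepend_scheme` writes the raw URL to stderr outside wget's logging, so it presumably ignores quiet mode and log redirection and passes through any control characters in a URL read from an input file. Routing that message through the project's logging helpers with a quoted argument would be safer.

```c
static bool is_valid_port(const char *p)
{
  /* Validate the shape first: a non-empty digit run that ends the authority.  */
  size_t digits = strspn (p, "0123456789");
  if (digits == 0 || (p[digits] != '/' && p[digits] != '\0'))
    return false;

  /* strtoul saturates at ULONG_MAX on overflow, so the range test still holds.  */
  unsigned long port = strtoul (p, NULL, 10);
  return port != 0 && port <= 65535;
}
```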