From 239bd5a216aa2d39370cdcc7a14b90d52dadf004 Mon Sep 17 00:00:00 2001
From: Karsten Hopp
Date: Nov 17 2009 11:35:20 +0000
Subject: - update to wget-1.12 - fixes CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name
---
diff --git a/wget-1.10.1-helpfix.patch b/wget-1.10.1-helpfix.patch
deleted file mode 100644
index 3cae6c5..0000000
--- a/wget-1.10.1-helpfix.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- wget-1.10.1/src/main.c.helpfix 2005-09-08 14:45:32.000000000 +0000
-+++ wget-1.10.1/src/main.c 2005-09-08 14:46:49.000000000 +0000
-@@ -534,9 +534,9 @@
- N_("\
- --no-cookies don't use cookies.\n"),
- N_("\
-- --load-cookies=FILE load cookies from FILE before session.\n"),
-+ --load-cookies FILE load cookies from FILE before session.\n"),
- N_("\
-- --save-cookies=FILE save cookies to FILE after session.\n"),
-+ --save-cookies FILE save cookies to FILE after session.\n"),
- N_("\
- --keep-session-cookies load and save session (non-permanent) cookies.\n"),
- N_("\
diff --git a/wget-1.11-path.patch b/wget-1.11-path.patch
deleted file mode 100644
index 735df0a..0000000
--- a/wget-1.11-path.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-diff -up wget-1.11/NEWS.rhpath wget-1.11/NEWS
---- wget-1.11/NEWS.rhpath 2008-01-26 10:26:56.000000000 +0100
-+++ wget-1.11/NEWS 2008-01-27 00:01:56.000000000 +0100
-@@ -444,7 +444,7 @@ distributed with Wget.
-
- ** Compiles on pre-ANSI compilers.
-
--** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
-+** Global wgetrc now goes to /etc (i.e. $sysconfdir).
-
- ** Lots of bugfixes.
-
-@@ -507,7 +507,7 @@ Emacs, standalone info, or converted to
- ** Fixed a long-standing bug, so that Wget now works over SLIP
- connections.
-
--** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
-+** You can have a system-wide wgetrc (/etc/wgetrc by
- default). Settings in $HOME/.wgetrc override the global ones, of
- course :-)
-
-diff -up wget-1.11/README.rhpath wget-1.11/README
---- wget-1.11/README.rhpath 2008-01-27 00:02:29.000000000 +0100
-+++ wget-1.11/README 2008-01-27 00:02:40.000000000 +0100
-@@ -33,7 +33,7 @@ for socks.
-
- Most of the features are configurable, either through command-line
- options, or via initialization file .wgetrc. Wget allows you to
--install a global startup file (/usr/local/etc/wgetrc by default) for
-+install a global startup file (/etc/wgetrc by default) for
- site settings.
-
- Wget works under almost all Unix variants in use today and, unlike
-diff -up wget-1.11/doc/sample.wgetrc.rhpath wget-1.11/doc/sample.wgetrc
---- wget-1.11/doc/sample.wgetrc.rhpath 2008-01-26 10:26:56.000000000 +0100
-+++ wget-1.11/doc/sample.wgetrc 2008-01-27 00:01:56.000000000 +0100
-@@ -7,7 +7,7 @@
- ## not contain a comprehensive list of commands -- look at the manual
- ## to find out what you can put into this file.
- ##
--## Wget initialization file can reside in /usr/local/etc/wgetrc
-+## Wget initialization file can reside in /etc/wgetrc
- ## (global, for all users) or $HOME/.wgetrc (for a single user).
- ##
- ## To use the settings in this file, you will have to uncomment them,
-@@ -16,7 +16,7 @@
-
-
- ##
--## Global settings (useful for setting up in /usr/local/etc/wgetrc).
-+## Global settings (useful for setting up in /etc/wgetrc).
- ## Think well before you change them, since they may reduce wget's
- ## functionality, and make it behave contrary to the documentation:
- ##
-diff -up wget-1.11/doc/wget.1.rhpath wget-1.11/doc/wget.1
---- wget-1.11/doc/wget.1.rhpath 2008-01-26 10:56:05.000000000 +0100
-+++ wget-1.11/doc/wget.1 2008-01-27 00:01:56.000000000 +0100
-@@ -1706,8 +1706,8 @@ This is a useful option, since it guaran
- \&\fIbelow\fR a certain hierarchy will be downloaded.
- .SH "FILES"
- .IX Header "FILES"
--.IP "\fB/usr/local/etc/wgetrc\fR" 4
--.IX Item "/usr/local/etc/wgetrc"
-+.IP "\fB/etc/wgetrc\fR" 4
-+.IX Item "/etc/wgetrc"
- Default location of the \fIglobal\fR startup file.
- .IP "\fB.wgetrc\fR" 4
- .IX Item ".wgetrc"
-diff -up wget-1.11/doc/wget.texi.rhpath wget-1.11/doc/wget.texi
---- wget-1.11/doc/wget.texi.rhpath 2008-01-26 10:26:56.000000000 +0100
-+++ wget-1.11/doc/wget.texi 2008-01-27 00:01:56.000000000 +0100
-@@ -199,12 +199,12 @@ gauge can be customized to your preferen
- Most of the features are fully configurable, either through command line
- options, or via the initialization file @file{.wgetrc} (@pxref{Startup
- File}). Wget allows you to define @dfn{global} startup files
--(@file{/usr/local/etc/wgetrc} by default) for site settings.
-+(@file{/etc/wgetrc} by default) for site settings.
-
- @ignore
- @c man begin FILES
- @table @samp
--@item /usr/local/etc/wgetrc
-+@item /etc/wgetrc
- Default location of the @dfn{global} startup file.
-
- @item .wgetrc
-@@ -465,8 +465,6 @@ administrator may have chosen to compile
- which case @samp{-d} will not work. Please note that compiling with
- debug support is always safe---Wget compiled with the debug support will
- @emph{not} print any debug info unless requested with @samp{-d}.
--@xref{Reporting Bugs}, for more information on how to use @samp{-d} for
--sending bug reports.
-
- @cindex quiet
- @item -q
-@@ -909,7 +907,7 @@ When mode is set to ``windows'', Wget es
- @samp{>}, and the control characters in the ranges 0--31 and 128--159.
- In addition to this, Wget in Windows mode uses @samp{+} instead of
- @samp{:} to separate host and port in local file names, and uses
--@samp{@@} instead of @samp{?} to separate the query portion of the file
-+@samp{ @@ } instead of @samp{ ? } to separate the query portion of the file
- name from the rest. Therefore, a URL that would be saved as
- @samp{www.xemacs.org:4300/search.pl?input=blah} in Unix mode would be
- saved as @samp{www.xemacs.org+4300/search.pl@@input=blah} in Windows
-@@ -1149,7 +1147,7 @@ browser sends when communicating with th
- would send in the same situation. Different browsers keep textual
- cookie files in different locations:
-
--@table @asis
-+@table @samp
- @item Netscape 4.x.
- The cookies are in @file{~/.netscape/cookies.txt}.
-
-@@ -2450,9 +2448,7 @@ commands.
- @cindex location of wgetrc
-
- When initializing, Wget will look for a @dfn{global} startup file,
--@file{/usr/local/etc/wgetrc} by default (or some prefix other than
--@file{/usr/local}, if Wget was not installed there) and read commands
--from there, if it exists.
-+@file{/etc/wgetrc} by default and read commands from there, if it exists.
-
- Then it will look for the user's file. If the environmental variable
- @code{WGETRC} is set, Wget will try to load that file. Failing that, no
-@@ -2462,8 +2458,7 @@ If @code{WGETRC} is not set, Wget will t
-
- The fact that user's settings are loaded after the system-wide ones
- means that in case of collision user's wgetrc @emph{overrides} the
--system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
--Fascist admins, away!
-+system-wide wgetrc (in @file{/etc/wgetrc} by default).
-
- @node Wgetrc Syntax
- @section Wgetrc Syntax
-@@ -2509,7 +2504,7 @@ Most of these commands have direct comma
- wgetrc command can be specified on the command line using the
- @samp{--execute} switch (@pxref{Basic Startup Options}.)
-
--@table @asis
-+@table @samp
- @item accept/reject = @var{string}
- Same as @samp{-A}/@samp{-R} (@pxref{Types of Files}).
-
-diff -up wget-1.11/doc/wget.pod.rhpath wget-1.11/doc/wget.pod
---- wget-1.11/doc/wget.pod.rhpath 2008-01-26 10:56:05.000000000 +0100
-+++ wget-1.11/doc/wget.pod 2008-01-27 00:01:56.000000000 +0100
-@@ -1829,7 +1829,7 @@ I a certain hierarchy will be dow
- =over 4
-
-
--=item B
-+=item B
-
- Default location of the I startup file.
-
-diff -up wget-1.11/doc/wget.info.rhpath wget-1.11/doc/wget.info
---- wget-1.11/doc/wget.info.rhpath 2008-01-26 10:56:04.000000000 +0100
-+++ wget-1.11/doc/wget.info 2008-01-27 00:01:56.000000000 +0100
-@@ -112,7 +112,7 @@ retrieval through HTTP proxies.
- * Most of the features are fully configurable, either through
- command line options, or via the initialization file `.wgetrc'
- (*note Startup File::). Wget allows you to define "global"
-- startup files (`/usr/local/etc/wgetrc' by default) for site
-+ startup files (`/etc/wgetrc' by default) for site
- settings.
-
- * Finally, GNU Wget is free software. This means that everyone may
-@@ -2144,9 +2144,7 @@ File: wget.info, Node: Wgetrc Location,
- ===================
-
- When initializing, Wget will look for a "global" startup file,
--`/usr/local/etc/wgetrc' by default (or some prefix other than
--`/usr/local', if Wget was not installed there) and read commands from
--there, if it exists.
-+`/etc/wgetrc' by default and read commands from there, if it exists.
-
- Then it will look for the user's file. If the environmental variable
- `WGETRC' is set, Wget will try to load that file. Failing that, no
-@@ -2156,8 +2154,7 @@ further attempts will be made.
- - The fact that user's settings are loaded after the system-wide ones - means that in case of collision user's wgetrc _overrides_ the --system-wide wgetrc (in `/usr/local/etc/wgetrc' by default). Fascist --admins, away! -+system-wide wgetrc (in `/etc/wgetrc' by default). - -  - File: wget.info, Node: Wgetrc Syntax, Next: Wgetrc Commands, Prev: Wgetrc Location, Up: Startup File -@@ -2625,7 +2622,7 @@ its line. - ## not contain a comprehensive list of commands -- look at the manual - ## to find out what you can put into this file. - ## -- ## Wget initialization file can reside in /usr/local/etc/wgetrc -+ ## Wget initialization file can reside in /etc/wgetrc - ## (global, for all users) or $HOME/.wgetrc (for a single user). - ## - ## To use the settings in this file, you will have to uncomment them, -@@ -2634,7 +2631,7 @@ its line. - - - ## -- ## Global settings (useful for setting up in /usr/local/etc/wgetrc). -+ ## Global settings (useful for setting up in /etc/wgetrc). - ## Think well before you change them, since they may reduce wget's - ## functionality, and make it behave contrary to the documentation: - ## diff --git a/wget-1.12-path.patch b/wget-1.12-path.patch new file mode 100644 index 0000000..ec6d19e --- /dev/null +++ b/wget-1.12-path.patch 
@@ -0,0 +1,163 @@
+diff -urN wget-1.12/doc/sample.wgetrc wget-1.12.patched/doc/sample.wgetrc
+--- wget-1.12/doc/sample.wgetrc 2009-09-22 04:53:58.000000000 +0200
++++ wget-1.12.patched/doc/sample.wgetrc 2009-11-17 12:29:18.000000000 +0100
+@@ -7,7 +7,7 @@
+ ## not contain a comprehensive list of commands -- look at the manual
+ ## to find out what you can put into this file.
+ ##
+-## Wget initialization file can reside in /usr/local/etc/wgetrc
++## Wget initialization file can reside in /etc/wgetrc
+ ## (global, for all users) or $HOME/.wgetrc (for a single user).
+ ##
+ ## To use the settings in this file, you will have to uncomment them,
+@@ -16,7 +16,7 @@
+
+
+ ##
+-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++## Global settings (useful for setting up in /etc/wgetrc).
+ ## Think well before you change them, since they may reduce wget's
+ ## functionality, and make it behave contrary to the documentation:
+ ##
+diff -urN wget-1.12/doc/sample.wgetrc.munged_for_texi_inclusion wget-1.12.patched/doc/sample.wgetrc.munged_for_texi_inclusion
+--- wget-1.12/doc/sample.wgetrc.munged_for_texi_inclusion 2009-09-22 06:08:52.000000000 +0200
++++ wget-1.12.patched/doc/sample.wgetrc.munged_for_texi_inclusion 2009-11-17 12:29:39.000000000 +0100
+@@ -7,7 +7,7 @@
+ ## not contain a comprehensive list of commands -- look at the manual
+ ## to find out what you can put into this file.
+ ##
+-## Wget initialization file can reside in /usr/local/etc/wgetrc
++## Wget initialization file can reside in /etc/wgetrc
+ ## (global, for all users) or $HOME/.wgetrc (for a single user).
+ ##
+ ## To use the settings in this file, you will have to uncomment them,
+@@ -16,7 +16,7 @@
+
+
+ ##
+-## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++## Global settings (useful for setting up in /etc/wgetrc).
+ ## Think well before you change them, since they may reduce wget's + ## functionality, and make it behave contrary to the documentation: + ## +diff -urN wget-1.12/doc/wget.info wget-1.12.patched/doc/wget.info +--- wget-1.12/doc/wget.info 2009-09-22 18:30:20.000000000 +0200 ++++ wget-1.12.patched/doc/wget.info 2009-11-17 12:28:40.000000000 +0100 +@@ -113,7 +113,7 @@ + * Most of the features are fully configurable, either through + command line options, or via the initialization file `.wgetrc' + (*note Startup File::). Wget allows you to define "global" +- startup files (`/usr/local/etc/wgetrc' by default) for site ++ startup files (`/etc/wgetrc' by default) for site + settings. + + * Finally, GNU Wget is free software. This means that everyone may +@@ -2351,8 +2351,8 @@ + =================== + + When initializing, Wget will look for a "global" startup file, +-`/usr/local/etc/wgetrc' by default (or some prefix other than +-`/usr/local', if Wget was not installed there) and read commands from ++`/etc/wgetrc' by default (or some prefix other than ++`/etc', if Wget was not installed there) and read commands from + there, if it exists. + + Then it will look for the user's file. If the environmental variable +@@ -2363,7 +2363,7 @@ + + The fact that user's settings are loaded after the system-wide ones + means that in case of collision user's wgetrc _overrides_ the +-system-wide wgetrc (in `/usr/local/etc/wgetrc' by default). Fascist ++system-wide wgetrc (in `/etc/wgetrc' by default). Fascist + admins, away! + +  +@@ -2876,7 +2876,7 @@ + ## not contain a comprehensive list of commands -- look at the manual + ## to find out what you can put into this file. + ## +- ## Wget initialization file can reside in /usr/local/etc/wgetrc ++ ## Wget initialization file can reside in /etc/wgetrc + ## (global, for all users) or $HOME/.wgetrc (for a single user). 
+ ##
+ ## To use the settings in this file, you will have to uncomment them,
+@@ -2885,7 +2885,7 @@
+
+
+ ##
+- ## Global settings (useful for setting up in /usr/local/etc/wgetrc).
++ ## Global settings (useful for setting up in /etc/wgetrc).
+ ## Think well before you change them, since they may reduce wget's
+ ## functionality, and make it behave contrary to the documentation:
+ ##
+diff -urN wget-1.12/doc/wget.texi wget-1.12.patched/doc/wget.texi
+--- wget-1.12/doc/wget.texi 2009-09-04 23:22:04.000000000 +0200
++++ wget-1.12.patched/doc/wget.texi 2009-11-17 12:29:03.000000000 +0100
+@@ -190,12 +190,12 @@
+ Most of the features are fully configurable, either through command line
+ options, or via the initialization file @file{.wgetrc} (@pxref{Startup
+ File}). Wget allows you to define @dfn{global} startup files
+-(@file{/usr/local/etc/wgetrc} by default) for site settings.
++(@file{/etc/wgetrc} by default) for site settings.
+
+ @ignore
+ @c man begin FILES
+ @table @samp
+-@item /usr/local/etc/wgetrc
++@item /etc/wgetrc
+ Default location of the @dfn{global} startup file.
+
+ @item .wgetrc
+@@ -2670,8 +2670,8 @@
+ @cindex location of wgetrc
+
+ When initializing, Wget will look for a @dfn{global} startup file,
+-@file{/usr/local/etc/wgetrc} by default (or some prefix other than
+-@file{/usr/local}, if Wget was not installed there) and read commands
++@file{/etc/wgetrc} by default (or some prefix other than
++@file{/etc}, if Wget was not installed there) and read commands
+ from there, if it exists.
+
+ Then it will look for the user's file. If the environmental variable
+@@ -2682,7 +2682,7 @@
+
+ The fact that user's settings are loaded after the system-wide ones
+ means that in case of collision user's wgetrc @emph{overrides} the
+-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default).
++system-wide wgetrc (in @file{/etc/wgetrc} by default).
+ Fascist admins, away!
+
+ @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File
+diff -urN wget-1.12/NEWS wget-1.12.patched/NEWS
+--- wget-1.12/NEWS 2009-09-22 04:53:35.000000000 +0200
++++ wget-1.12.patched/NEWS 2009-11-17 12:30:10.000000000 +0100
+@@ -562,7 +562,7 @@
+
+ ** Compiles on pre-ANSI compilers.
+
+-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir).
++** Global wgetrc now goes to /etc (i.e. $sysconfdir).
+
+ ** Lots of bugfixes.
+
+@@ -625,7 +625,7 @@
+ ** Fixed a long-standing bug, so that Wget now works over SLIP
+ connections.
+
+-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by
++** You can have a system-wide wgetrc (/etc/wgetrc by
+ default). Settings in $HOME/.wgetrc override the global ones, of
+ course :-)
+
+diff -urN wget-1.12/README wget-1.12.patched/README
+--- wget-1.12/README 2009-09-21 00:59:32.000000000 +0200
++++ wget-1.12.patched/README 2009-11-17 12:30:27.000000000 +0100
+@@ -33,7 +33,7 @@
+
+ Most of the features are configurable, either through command-line
+ options, or via initialization file .wgetrc. Wget allows you to
+-install a global startup file (/usr/local/etc/wgetrc by default) for
++install a global startup file (/etc/wgetrc by default) for
+ site settings.
+
+ Wget works under almost all Unix variants in use today and, unlike
diff --git a/wget-rh-modified.patch b/wget-rh-modified.patch
index 4a9728a..8508007 100644
--- a/wget-rh-modified.patch
+++ b/wget-rh-modified.patch
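Review bot: In the new `wget-1.12-path.patch`, the `doc/wget.texi` hunk at 2670 and the `doc/wget.info` hunk at 2351 rewrite the parenthetical to `(or some prefix other than @file{/etc}, if Wget was not installed there)`, which no longer makes sense because `/etc` is a configuration directory, not an install prefix. The 1.11 patch this one replaces dropped the parenthetical, and I would restore that wording: `@file{/etc/wgetrc} by default and read commands from there, if it exists.` The patch touches documentation only, so the claim that the global file is `/etc/wgetrc` holds only if the build is configured with a matching sysconfdir, which is not visible in this diff. Because the system-wide wgetrc is where an administrator sets site policy, the documented path should be checked against the path the built binary actually reads.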
@@ -1,6 +1,12 @@
-diff -up wget-1.11.1/src/version.c.rh1 wget-1.11.1/src/version.c
---- wget-1.11.1/src/version.c.rh1 2008-03-31 11:27:06.000000000 +0200
-+++ wget-1.11.1/src/version.c 2008-03-31 11:27:22.000000000 +0200
-@@ -1 +1 @@
--char *version_string = "1.11.4";
-+char *version_string = "1.11.4 (Red Hat modified)";
+diff -urN wget-1.12/configure wget-1.12.patched/configure
+--- wget-1.12/configure 2009-11-17 12:36:23.000000000 +0100
++++ wget-1.12.patched/configure 2009-09-22 18:40:13.000000000 +0200
+@@ -597,7 +597,7 @@
+ PACKAGE_NAME='wget'
+ PACKAGE_TARNAME='wget'
+ PACKAGE_VERSION='1.12'
+-PACKAGE_STRING='wget 1.12'
++PACKAGE_STRING='wget 1.12 (Red Hat modified)'
+ PACKAGE_BUGREPORT='bug-wget@gnu.org'
+
+ # Factoring default headers for most tests.
diff --git a/wget.spec b/wget.spec
index 5c4ae04..a96e881 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,15 +1,13 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
-Version: 1.11.4
-Release: 5%{?dist}
+Version: 1.12
+Release: 1%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Url: http://wget.sunsite.dk/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.bz2
-#Source2: http://people.fedora.de/rsc/wget-1.11-de.po
 Patch1: wget-rh-modified.patch
-Patch2: wget-1.11-path.patch
-Patch3: wget-1.10.1-helpfix.patch
+Patch2: wget-1.12-path.patch
 Provides: webclient
 Requires(post): /sbin/install-info
 Requires(preun): /sbin/install-info
@@ -29,10 +27,6 @@ support for Proxy servers, and configurability.
 %setup -q
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-
-#cp %{SOURCE2} $RPM_BUILD_DIR/wget-%{version}/po/de.po
-#chmod a+x doc/texi2pod.pl
 %build
 if pkg-config openssl ; then
@@ -68,6 +62,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_infodir}/*
 %changelog
+* Tue Nov 17 2009 Karsten Hopp 1.12-1
+- update to wget-1.12
+- fixes CVE-2009-3490 wget: incorrect verification of SSL certificate
+ with NUL in name
+
 * Fri Aug 21 2009 Tomas Mraz - 1.11.4-5
 - rebuilt with new openssl
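Review bot: The "(Red Hat modified)" marker moves from `version_string` in `src/version.c` to `PACKAGE_STRING` in the generated `configure`, and nothing in this hunk shows that wget 1.12 builds its reported version from `PACKAGE_STRING`, so the marker may no longer appear where the old patch put it. That string is what tells someone triaging a host (for example, checking whether it carries the CVE-2009-3490 fix) that the binary is a distribution build, so it is worth confirming with `wget --version` on the built package. Editing `configure` directly is also fragile, because the change is lost if the script is ever regenerated. A spec comment above `Patch1:` such as `# marks the build as vendor-modified in the reported version string` would record the intent for the next rebase.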
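Review bot: The first `wget.spec` hunk bumps `Version:` to 1.12, which pulls a new upstream tarball from the `ftp://` URL on the unchanged `Source:` line, and nothing in the diff as shown verifies that tarball. No checksum-file change or signature check is visible, though either may live outside this page. For a rebase whose stated purpose is a certificate-verification CVE fix, I would add the upstream detached signature as a second source, e.g. `Source1: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.bz2.sig` if upstream publishes one at that path, and verify it in `%prep` before `%setup -q`.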