From: Alexander Kanavin <a...@linutronix.de> Signed-off-by: Alexander Kanavin <a...@linutronix.de> --- .../wget/0002-improve-reproducibility.patch | 6 +- .../wget/wget/CVE-2024-38428.patch | 79 ------------------- meta/recipes-extended/wget/wget_1.24.5.bb | 8 -- meta/recipes-extended/wget/wget_1.25.0.bb | 7 ++ 4 files changed, 10 insertions(+), 90 deletions(-) delete mode 100644 meta/recipes-extended/wget/wget/CVE-2024-38428.patch delete mode 100644 meta/recipes-extended/wget/wget_1.24.5.bb create mode 100644 meta/recipes-extended/wget/wget_1.25.0.bb
diff --git a/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch b/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch index 5438bafdcbd..6ecb9ef289f 100644 --- a/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch +++ b/meta/recipes-extended/wget/wget/0002-improve-reproducibility.patch @@ -1,4 +1,4 @@ -From b86e57b68363d108fe77c6fd588a275d2696cabe Mon Sep 17 00:00:00 2001 +From 304f55a3e2689154d829938d29e43d808ca6298a Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu....@windriver.com> Date: Wed, 10 Jan 2018 14:43:20 +0800 Subject: [PATCH] src/Makefile.am: improve reproducibility @@ -44,10 +44,10 @@ Signed-off-by: Joe Slater <jsla...@windriver.com> 1 file changed, 4 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am -index 18ec622..38d252d 100644 +index 86be533..721a401 100644 --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -108,9 +108,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a +@@ -126,9 +126,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a echo '#include "version.h"' >> $@ echo 'const char *version_string = "@VERSION@";' >> $@ echo 'const char *compilation_string = "'$(COMPILE)'";' \ diff --git a/meta/recipes-extended/wget/wget/CVE-2024-38428.patch b/meta/recipes-extended/wget/wget/CVE-2024-38428.patch deleted file mode 100644 index ed99a05464f..00000000000 --- a/meta/recipes-extended/wget/wget/CVE-2024-38428.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.rueh...@gmx.de> -Date: Sun, 2 Jun 2024 12:40:16 +0200 -Subject: Properly re-implement userinfo parsing (rfc2396) - -* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396) - -The reason why the implementation is based on RFC 2396, an outdated standard, -is that the whole file is based on that RFC, and mixing standard here might be -dangerous. - -Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace] -CVE: CVE-2024-38428 -Signed-off-by: Vijay Anusuri <vanus...@mvista.com> ---- - src/url.c | 40 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 34 insertions(+), 6 deletions(-) - -diff --git a/src/url.c b/src/url.c -index 69e948b..07c3bc8 100644 ---- a/src/url.c -+++ b/src/url.c -@@ -41,6 +41,7 @@ as that of the covered work. */ - #include "url.h" - #include "host.h" /* for is_valid_ipv6_address */ - #include "c-strcase.h" -+#include "c-ctype.h" - - #ifdef HAVE_ICONV - # include <iconv.h> -@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme) - static const char * - url_skip_credentials (const char *url) - { -- /* Look for '@' that comes before terminators, such as '/', '?', -- '#', or ';'. */ -- const char *p = (const char *)strpbrk (url, "@/?#;"); -- if (!p || *p != '@') -- return url; -- return p + 1; -+ /* -+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 . -+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit. -+ * -+ * The RFC says -+ * server = [ [ userinfo "@" ] hostport ] -+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," ) -+ * unreserved = alphanum | mark -+ * mark = "-" | "_" | "." | "!" 
| "~" | "*" | "'" | "(" | ")" -+ */ -+ static const char *allowed = "-_.!~*'();:&=+$,"; -+ -+ for (const char *p = url; *p; p++) -+ { -+ if (c_isalnum(*p)) -+ continue; -+ -+ if (strchr(allowed, *p)) -+ continue; -+ -+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2])) -+ { -+ p += 2; -+ continue; -+ } -+ -+ if (*p == '@') -+ return p + 1; -+ -+ break; -+ } -+ -+ return url; - } - - /* Parse credentials contained in [BEG, END). The region is expected --- -cgit v1.1 - diff --git a/meta/recipes-extended/wget/wget_1.24.5.bb b/meta/recipes-extended/wget/wget_1.24.5.bb deleted file mode 100644 index 602fc9e6274..00000000000 --- a/meta/recipes-extended/wget/wget_1.24.5.bb +++ /dev/null @@ -1,8 +0,0 @@ -SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \ - file://0002-improve-reproducibility.patch \ - file://CVE-2024-38428.patch \ - " - -SRC_URI[sha256sum] = "fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de" - -require wget.inc diff --git a/meta/recipes-extended/wget/wget_1.25.0.bb b/meta/recipes-extended/wget/wget_1.25.0.bb new file mode 100644 index 00000000000..93fefc90926 --- /dev/null +++ b/meta/recipes-extended/wget/wget_1.25.0.bb @@ -0,0 +1,7 @@ +SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \ + file://0002-improve-reproducibility.patch \ + " + +SRC_URI[sha256sum] = "766e48423e79359ea31e41db9e5c289675947a7fcf2efdcedb726ac9d0da3784" + +require wget.inc -- 2.39.5
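Review bot: The new wget_1.25.0.bb drops `file://CVE-2024-38428.patch` from SRC_URI, but neither the commit message nor the recipe records why the backport is no longer needed. Presumably the 1.25.0 release already carries upstream commit ed0c7c7e0e8f7298352646b2fd6e06a11e242ace, which the deleted patch's own Upstream-Status line points at; that should be confirmed against src/url.c in the 1.25.0 tarball and stated in the commit message, e.g. `Drop CVE-2024-38428.patch: the fix is part of the 1.25.0 release (upstream commit ed0c7c7e)`. Without that sentence, CVE-tracking tooling and reviewers cannot distinguish a CVE fixed by the upgrade from a backport that was silently lost. The same hunk replaces SRC_URI[sha256sum]; that value should be cross-checked against the upstream release announcement or signed tarball before merging.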