diff --git a/packages/w/wget/files/CVE-2024-38428.patch b/packages/w/wget/files/CVE-2024-38428.patch
deleted file mode 100644
index b27f1cba942..00000000000
--- a/packages/w/wget/files/CVE-2024-38428.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?=
-Date: Sun, 2 Jun 2024 12:40:16 +0200
-Subject: Properly re-implement userinfo parsing (rfc2396)
-
-* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
-
-The reason why the implementation is based on RFC 2396, an outdated standard,
-is that the whole file is based on that RFC, and mixing standard here might be
-dangerous.
----
- src/url.c | 40 ++++++++++++++++++++++++++++++++++------
- 1 file changed, 34 insertions(+), 6 deletions(-)
-
-diff --git a/src/url.c b/src/url.c
-index 69e948b..07c3bc8 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -41,6 +41,7 @@ as that of the covered work. */
- #include "url.h"
- #include "host.h" /* for is_valid_ipv6_address */
- #include "c-strcase.h"
-+#include "c-ctype.h"
- 
- #ifdef HAVE_ICONV
- # include
-@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
- static const char *
- url_skip_credentials (const char *url)
- {
-- /* Look for '@' that comes before terminators, such as '/', '?',
-- '#', or ';'. */
-- const char *p = (const char *)strpbrk (url, "@/?#;");
-- if (!p || *p != '@')
-- return url;
-- return p + 1;
-+ /*
-+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
-+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
-+ *
-+ * The RFC says
-+ * server = [ [ userinfo "@" ] hostport ]
-+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
-+ * unreserved = alphanum | mark
-+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
-+ */
-+ static const char *allowed = "-_.!~*'();:&=+$,";
-+
-+ for (const char *p = url; *p; p++)
-+ {
-+ if (c_isalnum(*p))
-+ continue;
-+
-+ if (strchr(allowed, *p))
-+ continue;
-+
-+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
-+ {
-+ p += 2;
-+ continue;
-+ }
-+
-+ if (*p == '@')
-+ return p + 1;
-+
-+ break;
-+ }
-+
-+ return url;
- }
- 
- /* Parse credentials contained in [BEG, END). The region is expected
---
-cgit v1.1
-
diff --git a/packages/w/wget/package.yml b/packages/w/wget/package.yml
index 34a1d2c68b4..6d26a3b00b2 100644
--- a/packages/w/wget/package.yml
+++ b/packages/w/wget/package.yml
@@ -1,8 +1,8 @@
 name : wget
-version : 1.24.5
-release : 33
+version : 1.25.0
+release : 34
 source :
- - https://ftp.gnu.org/gnu/wget/wget-1.24.5.tar.gz : fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de
+ - https://ftp.gnu.org/gnu/wget/wget-1.25.0.tar.gz : 766e48423e79359ea31e41db9e5c289675947a7fcf2efdcedb726ac9d0da3784
 homepage : https://www.gnu.org/software/wget/
 license : GPL-3.0-or-later
 component : network.clients
@@ -20,7 +20,6 @@ checkdeps :
 - perl-http-daemon
 - valgrind
 setup : |
- %patch -p1 -i $pkgfiles/CVE-2024-38428.patch
 # TODO switch this back to openssl after we figure out why it breaks TLS, or just keep using gnutls until wget2
 %configure --with-ssl=gnutls \
 --enable-valgrind-tests
diff --git a/packages/w/wget/pspec_x86_64.xml b/packages/w/wget/pspec_x86_64.xml
index 4c05f663719..b04cf895647 100644
--- a/packages/w/wget/pspec_x86_64.xml
+++ b/packages/w/wget/pspec_x86_64.xml
@@ -3,8 +3,8 @@
 wget
 https://www.gnu.org/software/wget/
- Joey Riches
- josephriches@gmail.com
+ Muhammad Alfi Syahrin
+ malfisya.dev@hotmail.com
 GPL-3.0-or-later
 network.clients
@@ -106,12 +106,12 @@
-
- 2024-06-26
- 1.24.5
+
+ 2024-12-20
+ 1.25.0
 Packaging update
- Joey Riches
- josephriches@gmail.com
+ Muhammad Alfi Syahrin
+ malfisya.dev@hotmail.com
\ No newline at end of file
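Review bot: The `%patch -p1 -i $pkgfiles/CVE-2024-38428.patch` line in the `setup` hunk is dropped together with the patch file, but nothing visible in this diff records that the 1.25.0 tarball already carries the upstream url_skip_credentials rework, so a reader cannot tell whether the CVE fix was retired deliberately or lost in the bump. Upstream's 1.25.0 release is expected to include that June 2024 commit (ed0c7c7e), but that should be confirmed against the tarball's src/url.c or its NEWS entry rather than assumed. I would leave a one-line marker in `setup`, e.g. `# CVE-2024-38428 (userinfo parsing, src/url.c) is fixed upstream as of 1.25.0; no backport needed`, so the next bump does not silently regress it. The new source sha256 is only as trustworthy as its provenance; checking it against upstream's GPG-signed release artifact would close the loop.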