Tuesday, October 31, 2017

Re: UPDATE: net/wget -current,-stable (CVE-2017-13089, CVE-2017-13090)

On Tue Oct 31, 2017 at 12:03:22PM +0000, Stuart Henderson wrote:
> On 2017/10/31 12:20, Rafael Sadowski wrote:
> > Hi All,
> >
> > Update Wget to the latest stable version 1.19.1. This version includes
> > the following CVE patches:
> >
> > "Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
> >
> > "Fix heap overflow in HTTP protocol handling (CVE-2017-13090)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
> >
> > 1.19.1 provides only .tar.lz and .tar.gz. Since we don't support *.lz, I
> > have decided on *.gz.
> >
> > Also please find attached a diff for -stable.
> >
> > Ok? Feedback?
> >
> > Best regards,
> >
> > Rafael Sadowski
> >
> >
> > Index: Makefile
> > ===================================================================
> > RCS file: /cvs/ports/net/wget/Makefile,v
> > retrieving revision 1.72
> > diff -u -p -u -p -r1.72 Makefile
> > --- Makefile 22 Feb 2017 02:49:25 -0000 1.72
> > +++ Makefile 31 Oct 2017 10:54:50 -0000
> > @@ -2,7 +2,7 @@
> >
> > COMMENT = retrieve files from the web via HTTP, HTTPS and FTP
> >
> > -DISTNAME = wget-1.19.1
> > +DISTNAME = wget-1.19.2
> > CATEGORIES = net
> >
> > HOMEPAGE = https://www.gnu.org/software/wget/
> > @@ -17,7 +17,7 @@ LIB_DEPENDS = converters/libunistring \
> > net/libpsl
> >
> > MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
> > -EXTRACT_SUFX = .tar.xz
> > +EXTRACT_SUFX = .tar.gz
>
> .tar.gz is the default, so just remove EXTRACT_SUFX. (We do have support
> for .lz but at least for -stable it's easier for people if they don't
> have to install a weird compression tool :)
>
> > -+++ doc/wget.texi Sat Feb 11 16:46:13 2017
> > -@@ -191,14 +191,14 @@ gauge can be customized to your preferences.
> > - Most of the features are fully configurable, either through command line
> > - options, or via the initialization file @file{.wgetrc} (@pxref{Startup
> > - File}). Wget allows you to define @dfn{global} startup files
> > --(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
> > -+(@file{${SYSCONFDIR}/wgetrc} by default) for site settings. You can also
> > - specify the location of a startup file with the --config option.
> > -
> > -
> > - @ignore
> > - @c man begin FILES
> > - @table @samp
> > --@item /usr/local/etc/wgetrc
> > -+@item ${SYSCONFDIR}/wgetrc
> > - Default location of the @dfn{global} startup file.
> > -
> > - @item .wgetrc
>
> That hunk of the patch needs merging by hand.
>

Thanks for the notes. New diff below, plus I removed gettext as a MODULE.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/wget/Makefile,v
retrieving revision 1.72
diff -u -p -u -p -r1.72 Makefile
--- Makefile 22 Feb 2017 02:49:25 -0000 1.72
+++ Makefile 31 Oct 2017 16:52:31 -0000
@@ -2,7 +2,7 @@

COMMENT = retrieve files from the web via HTTP, HTTPS and FTP

-DISTNAME = wget-1.19.1
+DISTNAME = wget-1.19.2
CATEGORIES = net

HOMEPAGE = https://www.gnu.org/software/wget/
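Review bot: DISTNAME moves to wget-1.19.2 in this hunk, but the message above still describes the update as "the latest stable version 1.19.1"; fix the text so the commit log names the tarball actually being imported. No REVISION bump is needed here, since the version itself changes.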
@@ -10,16 +10,17 @@ HOMEPAGE = https://www.gnu.org/software/
# GPLv3
PERMIT_PACKAGE_CDROM = Yes

-WANTLIB = c crypto idn2 pcre psl ssl unistring z
+WANTLIB += c crypto iconv idn2 intl pcre psl ssl unistring z
+
+BUILD_DEPENDS = devel/gettext-tools
+
LIB_DEPENDS = converters/libunistring \
+ devel/gettext \
devel/libidn2 \
devel/pcre \
net/libpsl

MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
-EXTRACT_SUFX = .tar.xz
-
-MODULES = devel/gettext

# some regression tests require python3
MODULES += lang/python
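Review bot: with `MODULES = devel/gettext` removed, nothing visible above these lines assigns WANTLIB or MODULES, so `WANTLIB +=` and the surviving `MODULES += lang/python` could both be plain `=` assignments; not a bug, but pick one style for the file. The replacement for the module (`LIB_DEPENDS` devel/gettext, `BUILD_DEPENDS = devel/gettext-tools`, iconv and intl added to WANTLIB) is the right shape; once the package builds, run `make port-lib-depends-check` to confirm the WANTLIB list is exact, since the libiconv/libintl links and the tarball switch land in the same diff. Dropping EXTRACT_SUFX picks up the .tar.gz default, which matches the distinfo change.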
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/wget/distinfo,v
retrieving revision 1.19
diff -u -p -u -p -r1.19 distinfo
--- distinfo 22 Feb 2017 02:49:25 -0000 1.19
+++ distinfo 31 Oct 2017 16:52:31 -0000
@@ -1,2 +1,2 @@
-SHA256 (wget-1.19.1.tar.xz) = DJULlnGIEiKk04WwE8lgTpioAl0ZiFKd/KDpNhd0TNI=
-SIZE (wget-1.19.1.tar.xz) = 2111756
+SHA256 (wget-1.19.2.tar.gz) = T0pnO21GbvpQ+/unlr2EpGriTjcPpWLt5bIatTwRqSA=
+SIZE (wget-1.19.2.tar.gz) = 4349267
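Review bot: the checksum, size and suffix change together, so distinfo is consistent with the Makefile now defaulting to .tar.gz, and the size roughly doubling (2111756 to 4349267) is what to expect going from xz to gzip. Before committing, verify the new SHA256 against the detached .sig that GNU publishes beside the tarball (gpg --verify wget-1.19.2.tar.gz.sig wget-1.19.2.tar.gz) rather than trusting the download alone; this line is the only integrity anchor the port carries for the CVE-fixed release.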
Index: patches/patch-doc_wget_texi
===================================================================
RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v
retrieving revision 1.12
diff -u -p -u -p -r1.12 patch-doc_wget_texi
--- patches/patch-doc_wget_texi 22 Feb 2017 02:49:25 -0000 1.12
+++ patches/patch-doc_wget_texi 31 Oct 2017 16:52:31 -0000
@@ -1,15 +1,17 @@
$OpenBSD: patch-doc_wget_texi,v 1.12 2017/02/22 02:49:25 danj Exp $
---- doc/wget.texi.orig Sat Feb 11 05:45:22 2017
-+++ doc/wget.texi Sat Feb 11 16:46:13 2017
-@@ -191,14 +191,14 @@ gauge can be customized to your preferences.
+Index: doc/wget.texi
+--- doc/wget.texi.orig
++++ doc/wget.texi
+@@ -191,7 +191,7 @@ gauge can be customized to your preferences.
Most of the features are fully configurable, either through command line
options, or via the initialization file @file{.wgetrc} (@pxref{Startup
File}). Wget allows you to define @dfn{global} startup files
-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
+(@file{${SYSCONFDIR}/wgetrc} by default) for site settings. You can also
specify the location of a startup file with the --config option.
-
-
+ To disable the reading of config files, use --no-config.
+ If both --config and --no-config are given, --no-config is ignored.
+@@ -200,7 +200,7 @@ If both --config and --no-config are given, --no-confi
@ignore
@c man begin FILES
@table @samp
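Review bot: the regenerated hunk splits the old -191,14 hunk in two because upstream inserted the two --no-config sentences between the wgetrc path and the FILES table; the counts on both new headers (-191,7 +191,7 and -200,7 +200,7) match the context shown, so this is a clean re-merge. The ${SYSCONFDIR} placeholder still depends on a substitution step elsewhere in the port that this diff does not touch, so after `make patch` grep the patched doc/wget.texi for /usr/local/etc/wgetrc to confirm 1.19.2 added no new occurrence that the patch misses.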
@@ -18,7 +20,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.12 201
Default location of the @dfn{global} startup file.

@item .wgetrc
-@@ -3113,9 +3113,8 @@ commands.
+@@ -3143,9 +3143,8 @@ commands.
@cindex location of wgetrc

When initializing, Wget will look for a @dfn{global} startup file,
@@ -30,7 +32,7 @@ $OpenBSD: patch-doc_wget_texi,v 1.12 201

Then it will look for the user's file. If the environmental variable
@code{WGETRC} is set, Wget will try to load that file. Failing that, no
-@@ -3125,7 +3124,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi
+@@ -3155,7 +3154,7 @@ If @code{WGETRC} is not set, Wget will try to load @fi

The fact that user's settings are loaded after the system-wide ones
means that in case of collision user's wgetrc @emph{overrides} the
