Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2024-10524 for wget :2.0 #11173

Merged
merged 3 commits into from
Nov 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
182 changes: 182 additions & 0 deletions SPECS/wget/CVE-2024-10524.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
From 4cfddf2cd1aac9b0e36cd08df36f077ee68bd87b Mon Sep 17 00:00:00 2001
From: kavyasree <kkaitepalli@microsoft.com>
Date: Thu, 21 Nov 2024 12:17:03 +0530
Subject: [PATCH] Fix CVE-2024-10524

---
doc/wget.texi | 12 ++++-------
src/html-url.c | 2 +-
src/main.c | 2 +-
src/retr.c | 2 +-
src/url.c | 57 ++++++++++++++++----------------------------------
src/url.h | 2 +-
6 files changed, 26 insertions(+), 51 deletions(-)

diff --git a/doc/wget.texi b/doc/wget.texi
index 0c282b3..d59994a 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -314,8 +314,8 @@ for text files. Here is an example:
ftp://host/directory/file;type=a
@end example

-Two alternative variants of @sc{url} specification are also supported,
-because of historical (hysterical?) reasons and their widespreaded use.
+The two alternative variants of @sc{url} specifications are no longer
+supported because of security considerations:

@sc{ftp}-only syntax (supported by @code{NcFTP}):
@example
@@ -327,12 +327,8 @@ host:/dir/file
host[:port]/dir/file
@end example

-These two alternative forms are deprecated, and may cease being
-supported in the future.
-
-If you do not understand the difference between these notations, or do
-not know which one to use, just use the plain ordinary format you use
-with your favorite browser, like @code{Lynx} or @code{Netscape}.
+These two alternative forms have been deprecated long time ago,
+and support is removed with version 1.22.0.

@c man begin OPTIONS

diff --git a/src/html-url.c b/src/html-url.c
index eaddc17..ab3ada6 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -931,7 +931,7 @@ get_urls_file (const char *file)
url_text = merged;
}

- new_url = rewrite_shorthand_url (url_text);
+ new_url = maybe_prepend_scheme (url_text);
if (new_url)
{
xfree (url_text);
diff --git a/src/main.c b/src/main.c
index 7c27b0c..6e00ca7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2120,7 +2120,7 @@ only if outputting to a regular file.\n"));
struct iri *iri = iri_new ();
struct url *url_parsed;

- t = rewrite_shorthand_url (argv[optind]);
+ t = maybe_prepend_scheme (argv[optind]);
if (!t)
t = argv[optind];

diff --git a/src/retr.c b/src/retr.c
index 2e18eae..7a34dd5 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -1502,7 +1502,7 @@ getproxy (struct url *u)

/* Handle shorthands. `rewritten_storage' is a kludge to allow
getproxy() to return static storage. */
- rewritten_url = rewrite_shorthand_url (proxy);
+ rewritten_url = maybe_prepend_scheme (proxy);
if (rewritten_url)
return rewritten_url;

diff --git a/src/url.c b/src/url.c
index 65dd27d..01a4391 100644
--- a/src/url.c
+++ b/src/url.c
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
return true;
}

-/* Used by main.c: detect URLs written using the "shorthand" URL forms
- originally popularized by Netscape and NcFTP. HTTP shorthands look
- like this:
-
- www.foo.com[:port]/dir/file -> http://www.foo.com[:port]/dir/file
- www.foo.com[:port] -> http://www.foo.com[:port]
-
- FTP shorthands look like this:
-
- foo.bar.com:dir/file -> ftp://foo.bar.com/dir/file
- foo.bar.com:/absdir/file -> ftp://foo.bar.com//absdir/file
+static bool is_valid_port(const char *p)
+{
+ unsigned port = (unsigned) atoi (p);
+ if (port == 0 || port > 65535)
+ return false;

- If the URL needs not or cannot be rewritten, return NULL. */
+ int digits = strspn (p, "0123456789");
+ return digits && (p[digits] == '/' || p[digits] == '\0');
+}

+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
char *
-rewrite_shorthand_url (const char *url)
+maybe_prepend_scheme (const char *url)
{
- const char *p;
- char *ret;
-
if (url_scheme (url) != SCHEME_INVALID)
return NULL;

- /* Look for a ':' or '/'. The former signifies NcFTP syntax, the
- latter Netscape. */
- p = strpbrk (url, ":/");
+ const char *p = strchr (url, ':');
if (p == url)
return NULL;

/* If we're looking at "://", it means the URL uses a scheme we
don't support, which may include "https" when compiled without
- SSL support. Don't bogusly rewrite such URLs. */
+ SSL support. Don't bogusly prepend "http://" to such URLs. */
if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
return NULL;

- if (p && *p == ':')
- {
- /* Colon indicates ftp, as in foo.bar.com:path. Check for
- special case of http port number ("localhost:10000"). */
- int digits = strspn (p + 1, "0123456789");
- if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
- goto http;
-
- /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
- if ((ret = aprintf ("ftp://%s", url)) != NULL)
- ret[6 + (p - url)] = '/';
- }
- else
- {
- http:
- /* Just prepend "http://" to URL. */
- ret = aprintf ("http://%s", url);
- }
- return ret;
+ if (p && p[0] == ':' && !is_valid_port (p + 1))
+ return NULL;
+
+
+ fprintf(stderr, "Prepended http:// to '%s'\n", url);
+ return aprintf ("http://%s", url);
}

static void split_path (const char *, char **, char **);
diff --git a/src/url.h b/src/url.h
index 29c591d..804c0a7 100644
--- a/src/url.h
+++ b/src/url.h
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);

int mkalldirs (const char *);

-char *rewrite_shorthand_url (const char *);
+char *maybe_prepend_scheme (const char *);
bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);

bool are_urls_equal (const char *u1, const char *u2);
--
2.34.1

6 changes: 5 additions & 1 deletion SPECS/wget/wget.spec
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
Summary: A network utility to retrieve files from the Web
Name: wget
Version: 1.21.2
Release: 3%{?dist}
Release: 4%{?dist}
License: GPL-3.0-or-later AND LGPL-3.0-or-later
URL: https://www.gnu.org/software/wget/wget.html
Group: System Environment/NetworkingPrograms
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz
Patch0: CVE-2024-38428.patch
Patch1: CVE-2024-10524.patch
BuildRequires: openssl-devel
%if %{with_check}
BuildRequires: perl
Expand Down Expand Up @@ -55,6 +56,9 @@ rm -rf %{buildroot}/%{_infodir}
%{_datadir}/locale/*/LC_MESSAGES/*.mo

%changelog
* Thu Nov 21 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 1.21.2-4
- Patch for CVE-2024-10524

* Wed Jun 19 2024 Saul Paredes <saulparedes@microsoft.com> - 1.21.2-3
- Patch for CVE-2024-38428

Expand Down
Loading