Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package wget for openSUSE:Factory checked in at 2026-07-10 17:34:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wget (Old) and /work/SRC/openSUSE:Factory/.wget.new.1991 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wget" Fri Jul 10 17:34:42 2026 rev:75 rq:1364738 version:1.25.0 Changes: -------- --- /work/SRC/openSUSE:Factory/wget/wget.changes 2025-08-03 13:36:02.488043916 +0200 +++ /work/SRC/openSUSE:Factory/.wget.new.1991/wget.changes 2026-07-10 17:35:29.689197795 +0200 @@ -1,0 +2,16 @@ +Thu Jul 9 13:06:45 UTC 2026 - Valentin Lefebvre <[email protected]> + +- Fix buffer underflow in clean_metalink_link + [bsc#1271033, CVE-2026-58469] + * CVE-2026-58469.patch +- Fix integer overflow in parse_content_range + [bsc#1271034, CVE-2026-58470] + * CVE-2026-58470.patch +- Fix buffer size handling in filename conversion + [bsc#1271035, CVE-2026-58471] + * CVE-2026-58471.patch +- Fix integer+buffer overflow in html_quote_string + [bsc#1271036, CVE-2026-58472] + * CVE-2026-58472.patch + +------------------------------------------------------------------- New: ---- CVE-2026-58469.patch CVE-2026-58470.patch CVE-2026-58471.patch CVE-2026-58472.patch ----------(New B)---------- New: [bsc#1271033, CVE-2026-58469] * CVE-2026-58469.patch - Fix integer overflow in parse_content_range New: [bsc#1271034, CVE-2026-58470] * CVE-2026-58470.patch - Fix buffer size handling in filename conversion New: [bsc#1271035, CVE-2026-58471] * CVE-2026-58471.patch - Fix integer+buffer overflow in html_quote_string New: [bsc#1271036, CVE-2026-58472] * CVE-2026-58472.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wget.spec ++++++ --- /var/tmp/diff_new_pack.kcBoyb/_old 2026-07-10 17:35:32.141281697 +0200 +++ /var/tmp/diff_new_pack.kcBoyb/_new 2026-07-10 17:35:32.141281697 +0200 @@ -1,7 +1,7 @@ # # spec file for package wget # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2025 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -36,6 +36,14 @@ Patch3: wget-errno-clobber.patch Patch4: remove-env-from-shebang.patch Patch5: wget-do-not-propagate-credentials.patch +#PATCH-FIX-UPSTREAM commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826 +Patch6: CVE-2026-58469.patch +#PATCH-FIX-UPSTREAM commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf +Patch7: CVE-2026-58470.patch +#PATCH-FIX-UPSTREAM commit c2640fe5171c59f87c58dc9fcb195b2d18b010ee +Patch8: CVE-2026-58471.patch +#PATCH-FIX-UPSTREAM commit dd692d9cea5335b181d877ae917fe6e75587a812 +Patch9: CVE-2026-58472.patch BuildRequires: makeinfo BuildRequires: pkgconfig >= 0.9.0 BuildRequires: pkgconfig(gpgme) >= 0.4.2 ++++++ CVE-2026-58469.patch ++++++ >From 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]> Date: Mon, 29 Jun 2026 18:32:02 +0200 Subject: [PATCH] * src/metalink.c (clean_metalink_string): Fix buffer underflow Reported-by: [email protected] [vlefebvre: patched adapted] --- src/metalink.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) Index: wget-1.25.0/src/metalink.c =================================================================== --- wget-1.25.0.orig/src/metalink.c +++ wget-1.25.0/src/metalink.c @@ -46,6 +46,7 @@ as that of the covered work. */ #include "c-strcase.h" #include <errno.h> #include <unistd.h> /* For unlink. */ +#include <ctype.h> #include <metalink/metalink_parser.h> #ifdef HAVE_GPGME #include <gpgme.h> @@ -1041,7 +1042,6 @@ void clean_metalink_string (char **str) { int c; - size_t len; char *new, *beg, *end; if (!str || !*str) @@ -1049,7 +1049,7 @@ clean_metalink_string (char **str) beg = *str; - while ((c = *beg) && (c == '\n' || c == '\r' || c == '\t' || c == ' ')) + while (isspace(*beg)) beg++; end = beg; @@ -1062,12 +1062,10 @@ clean_metalink_string (char **str) /* If we are at the end of the string, search the first legit character going backward. */ if (*end == '\0') - while ((c = *(end - 1)) && (c == '\n' || c == '\r' || c == '\t' || c == ' ')) + while (end > beg && !isspace(*(end - 1))) end--; - len = end - beg; - - new = xmemdup0 (beg, len); + new = xmemdup0 (beg, end - beg); xfree (*str); *str = new; } ++++++ CVE-2026-58470.patch ++++++ >From 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]> Date: Mon, 29 Jun 2026 18:57:54 +0200 Subject: [PATCH] * src/http.c (parse_content_range): Fix integer overflow Reported-by: [email protected] --- src/http.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/src/http.c b/src/http.c index 61d83df1..f447c7f7 100644 --- a/src/http.c +++ b/src/http.c @@ -914,6 +914,7 @@ parse_content_range (const char *hdr, wgint *first_byte_ptr, wgint *last_byte_ptr, wgint *entity_length_ptr) { wgint num; + char *end; /* Ancient versions of Netscape proxy server, presumably predating rfc2068, sent out `Content-Range' without the "bytes" @@ -932,27 +933,39 @@ parse_content_range (const char *hdr, wgint *first_byte_ptr, } if (!c_isdigit (*hdr)) return false; - for (num = 0; c_isdigit (*hdr); hdr++) - num = 10 * num + (*hdr - '0'); - if (*hdr != '-' || !c_isdigit (*(hdr + 1))) + + errno = 0; + num = strtol(hdr, &end, 10); + if (errno == ERANGE) + return false; + hdr = end; + + if (*hdr++ != '-' || !c_isdigit (*hdr)) return false; *first_byte_ptr = num; - ++hdr; - for (num = 0; c_isdigit (*hdr); hdr++) - num = 10 * num + (*hdr - '0'); - if (*hdr != '/') + + errno = 0; + num = strtol(hdr, &end, 10); + if (errno == ERANGE) + return false; + hdr = end; + + if (*hdr++ != '/') return false; *last_byte_ptr = num; - if (!(c_isdigit (*(hdr + 1)) || *(hdr + 1) == '*')) + if (!(c_isdigit (*hdr) || *hdr == '*')) return false; if (*last_byte_ptr < *first_byte_ptr) return false; - ++hdr; if (*hdr == '*') num = -1; else - for (num = 0; c_isdigit (*hdr); hdr++) - num = 10 * num + (*hdr - '0'); + { + errno = 0; + num = strtol(hdr, NULL, 10); + if (errno == ERANGE) + return false; + } *entity_length_ptr = num; if ((*entity_length_ptr <= *last_byte_ptr) && *entity_length_ptr != -1) return false; -- 2.54.0 ++++++ CVE-2026-58471.patch ++++++ >From c2640fe5171c59f87c58dc9fcb195b2d18b010ee Mon Sep 17 00:00:00 2001 From: Arkadi Vainbrand <[email protected]> Date: Tue, 13 Jan 2026 12:22:04 +0200 Subject: [PATCH] Fix buffer size handling in filename conversion * src/url.c (convert_fname): Fix buffer overflow. Copyright-paperwork-exempt: Yes Signed-off-by: Arkadi Vainbrand <[email protected]> --- src/url.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/url.c b/src/url.c index 7540e90f..f334456c 100644 --- a/src/url.c +++ b/src/url.c @@ -1614,7 +1614,7 @@ convert_fname (char *fname) const char *from_encoding = opt.encoding_remote; const char *to_encoding = opt.locale; iconv_t cd; - size_t len, done, inlen, outlen; + size_t len, inlen, outlen; char *s; const char *orig_fname; @@ -1636,7 +1636,6 @@ convert_fname (char *fname) inlen = strlen (fname); len = outlen = inlen * 2; converted_fname = s = xmalloc (outlen + 1); - done = 0; for (;;) { @@ -1644,7 +1643,7 @@ convert_fname (char *fname) if (iconv (cd, (ICONV_CONST char **) &fname, &inlen, &s, &outlen) == 0 && iconv (cd, NULL, NULL, &s, &outlen) == 0) { - *(converted_fname + len - outlen - done) = '\0'; + *s = '\0'; iconv_close (cd); DEBUGP (("Converted file name '%s' (%s) -> '%s' (%s)\n", orig_fname, from_encoding, converted_fname, to_encoding)); @@ -1667,10 +1666,17 @@ convert_fname (char *fname) } else if (errno == E2BIG) /* Output buffer full */ { - done = len; - len = outlen = done + inlen * 2; - converted_fname = xrealloc (converted_fname, outlen + 1); - s = converted_fname + done; + size_t used = s - converted_fname; + size_t newlen = used + inlen * 2 + 1; + + /* Ensure we actually grow the buffer */ + if (newlen <= len) + newlen = len * 2; + + converted_fname = xrealloc (converted_fname, newlen + 1); + len = newlen; + s = converted_fname + used; + outlen = len - used; } else /* Weird, we got an unspecified error */ { -- 2.54.0 ++++++ CVE-2026-58472.patch ++++++ >From dd692d9cea5335b181d877ae917fe6e75587a812 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]> Date: Mon, 29 Jun 2026 19:13:15 +0200 Subject: [PATCH] * src/convert.c (html_quote_string): Fix integer+buffer overflow Reported-by: [email protected] --- src/convert.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/src/convert.c b/src/convert.c index feb90a35..3baec850 100644 --- a/src/convert.c +++ b/src/convert.c @@ -36,6 +36,7 @@ as that of the covered work. */ #include <unistd.h> #include <errno.h> #include <assert.h> +#include <intprops.h> #include "convert.h" #include "url.h" #include "recur.h" @@ -1178,21 +1179,37 @@ html_quote_string (const char *s) { const char *b = s; char *p, *res; - int i; + size_t i; + int ok; /* Pass through the string, and count the new size. */ - for (i = 0; *s; s++, i++) + for (i = 0; *s; s++) { if (*s == '&') - i += 4; /* `amp;' */ + ok = INT_ADD_OK (i, 4, &i); /* `amp;' */ else if (*s == '<' || *s == '>') - i += 3; /* `lt;' and `gt;' */ + ok = INT_ADD_OK (i, 3, &i); /* `lt;' and `gt;' */ else if (*s == '\"') - i += 5; /* `quot;' */ + ok = INT_ADD_OK (i, 5, &i); /* `quot;' */ else if (*s == ' ') - i += 4; /* #32; */ + ok = INT_ADD_OK (i, 4, &i); /* #32; */ + else + ok = INT_ADD_OK (i, 1, &i); + + if (!ok) + { + DEBUGP (("Overflow detected in html_quote_string().\n")); + abort(); + } } - res = xmalloc (i + 1); + + if (!INT_ADD_OK (i, 1, &i)) + { + DEBUGP (("Overflow detected in html_quote_string().\n")); + abort(); + } + + res = xmalloc (i); s = b; for (p = res; *s; s++) { -- 2.54.0
