Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package wget for openSUSE:Factory checked in 
at 2026-07-10 17:34:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wget (Old)
 and      /work/SRC/openSUSE:Factory/.wget.new.1991 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wget"

Fri Jul 10 17:34:42 2026 rev:75 rq:1364738 version:1.25.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/wget/wget.changes        2025-08-03 
13:36:02.488043916 +0200
+++ /work/SRC/openSUSE:Factory/.wget.new.1991/wget.changes      2026-07-10 
17:35:29.689197795 +0200
@@ -1,0 +2,16 @@
+Thu Jul  9 13:06:45 UTC 2026 - Valentin Lefebvre <[email protected]>
+
+- Fix buffer underflow in clean_metalink_link
+  [bsc#1271033, CVE-2026-58469]
+  * CVE-2026-58469.patch
+- Fix integer overflow in parse_content_range
+  [bsc#1271034, CVE-2026-58470]
+  * CVE-2026-58470.patch
+- Fix buffer size handling in filename conversion
+  [bsc#1271035, CVE-2026-58471]
+  * CVE-2026-58471.patch
+- Fix integer+buffer overflow in html_quote_string
+  [bsc#1271036, CVE-2026-58472]
+  * CVE-2026-58472.patch
+
+-------------------------------------------------------------------

New:
----
  CVE-2026-58469.patch
  CVE-2026-58470.patch
  CVE-2026-58471.patch
  CVE-2026-58472.patch

----------(New B)----------
  New:  [bsc#1271033, CVE-2026-58469]
  * CVE-2026-58469.patch
- Fix integer overflow in parse_content_range
  New:  [bsc#1271034, CVE-2026-58470]
  * CVE-2026-58470.patch
- Fix buffer size handling in filename conversion
  New:  [bsc#1271035, CVE-2026-58471]
  * CVE-2026-58471.patch
- Fix integer+buffer overflow in html_quote_string
  New:  [bsc#1271036, CVE-2026-58472]
  * CVE-2026-58472.patch
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wget.spec ++++++
--- /var/tmp/diff_new_pack.kcBoyb/_old  2026-07-10 17:35:32.141281697 +0200
+++ /var/tmp/diff_new_pack.kcBoyb/_new  2026-07-10 17:35:32.141281697 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package wget
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -36,6 +36,14 @@
 Patch3:         wget-errno-clobber.patch
 Patch4:         remove-env-from-shebang.patch
 Patch5:         wget-do-not-propagate-credentials.patch
+#PATCH-FIX-UPSTREAM commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
+Patch6:         CVE-2026-58469.patch
+#PATCH-FIX-UPSTREAM commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf
+Patch7:         CVE-2026-58470.patch
+#PATCH-FIX-UPSTREAM commit c2640fe5171c59f87c58dc9fcb195b2d18b010ee
+Patch8:         CVE-2026-58471.patch
+#PATCH-FIX-UPSTREAM commit dd692d9cea5335b181d877ae917fe6e75587a812
+Patch9:         CVE-2026-58472.patch
 BuildRequires:  makeinfo
 BuildRequires:  pkgconfig >= 0.9.0
 BuildRequires:  pkgconfig(gpgme) >= 0.4.2

++++++ CVE-2026-58469.patch ++++++
>From 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
Date: Mon, 29 Jun 2026 18:32:02 +0200
Subject: [PATCH] * src/metalink.c (clean_metalink_string): Fix buffer
 underflow

Reported-by: [email protected]

[vlefebvre: patched adapted]
---
 src/metalink.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

Index: wget-1.25.0/src/metalink.c
===================================================================
--- wget-1.25.0.orig/src/metalink.c
+++ wget-1.25.0/src/metalink.c
@@ -46,6 +46,7 @@ as that of the covered work.  */
 #include "c-strcase.h"
 #include <errno.h>
 #include <unistd.h> /* For unlink.  */
+#include <ctype.h>
 #include <metalink/metalink_parser.h>
 #ifdef HAVE_GPGME
 #include <gpgme.h>
@@ -1041,7 +1042,6 @@ void
 clean_metalink_string (char **str)
 {
   int c;
-  size_t len;
   char *new, *beg, *end;
 
   if (!str || !*str)
@@ -1049,7 +1049,7 @@ clean_metalink_string (char **str)
 
   beg = *str;
 
-  while ((c = *beg) && (c == '\n' || c == '\r' || c == '\t' || c == ' '))
+  while (isspace(*beg))
     beg++;
 
   end = beg;
@@ -1062,12 +1062,10 @@ clean_metalink_string (char **str)
   /* If we are at the end of the string, search the first legit
      character going backward.  */
   if (*end == '\0')
-    while ((c = *(end - 1)) && (c == '\n' || c == '\r' || c == '\t' || c == ' 
'))
+    while (end > beg && !isspace(*(end - 1)))
       end--;
 
-  len = end - beg;
-
-  new = xmemdup0 (beg, len);
+  new = xmemdup0 (beg, end - beg);
   xfree (*str);
   *str = new;
 }

++++++ CVE-2026-58470.patch ++++++
>From 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
Date: Mon, 29 Jun 2026 18:57:54 +0200
Subject: [PATCH] * src/http.c (parse_content_range): Fix integer overflow

Reported-by: [email protected]
---
 src/http.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/src/http.c b/src/http.c
index 61d83df1..f447c7f7 100644
--- a/src/http.c
+++ b/src/http.c
@@ -914,6 +914,7 @@ parse_content_range (const char *hdr, wgint *first_byte_ptr,
                      wgint *last_byte_ptr, wgint *entity_length_ptr)
 {
   wgint num;
+  char *end;
 
   /* Ancient versions of Netscape proxy server, presumably predating
      rfc2068, sent out `Content-Range' without the "bytes"
@@ -932,27 +933,39 @@ parse_content_range (const char *hdr, wgint 
*first_byte_ptr,
     }
   if (!c_isdigit (*hdr))
     return false;
-  for (num = 0; c_isdigit (*hdr); hdr++)
-    num = 10 * num + (*hdr - '0');
-  if (*hdr != '-' || !c_isdigit (*(hdr + 1)))
+
+  errno = 0;
+  num = strtol(hdr, &end, 10);
+  if (errno == ERANGE)
+    return false;
+  hdr = end;
+
+  if (*hdr++ != '-' || !c_isdigit (*hdr))
     return false;
   *first_byte_ptr = num;
-  ++hdr;
-  for (num = 0; c_isdigit (*hdr); hdr++)
-    num = 10 * num + (*hdr - '0');
-  if (*hdr != '/')
+
+  errno = 0;
+  num = strtol(hdr, &end, 10);
+  if (errno == ERANGE)
+    return false;
+  hdr = end;
+
+  if (*hdr++ != '/')
     return false;
   *last_byte_ptr = num;
-  if (!(c_isdigit (*(hdr + 1)) || *(hdr + 1) == '*'))
+  if (!(c_isdigit (*hdr) || *hdr == '*'))
     return false;
   if (*last_byte_ptr < *first_byte_ptr)
     return false;
-  ++hdr;
   if (*hdr == '*')
     num = -1;
   else
-    for (num = 0; c_isdigit (*hdr); hdr++)
-      num = 10 * num + (*hdr - '0');
+    {
+      errno = 0;
+      num = strtol(hdr, NULL, 10);
+      if (errno == ERANGE)
+        return false;
+    }
   *entity_length_ptr = num;
   if ((*entity_length_ptr <= *last_byte_ptr) && *entity_length_ptr != -1)
     return false;
-- 
2.54.0


++++++ CVE-2026-58471.patch ++++++
>From c2640fe5171c59f87c58dc9fcb195b2d18b010ee Mon Sep 17 00:00:00 2001
From: Arkadi Vainbrand <[email protected]>
Date: Tue, 13 Jan 2026 12:22:04 +0200
Subject: [PATCH] Fix buffer size handling in filename conversion

* src/url.c (convert_fname): Fix buffer overflow.

Copyright-paperwork-exempt: Yes
Signed-off-by: Arkadi Vainbrand <[email protected]>
---
 src/url.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/url.c b/src/url.c
index 7540e90f..f334456c 100644
--- a/src/url.c
+++ b/src/url.c
@@ -1614,7 +1614,7 @@ convert_fname (char *fname)
   const char *from_encoding = opt.encoding_remote;
   const char *to_encoding = opt.locale;
   iconv_t cd;
-  size_t len, done, inlen, outlen;
+  size_t len, inlen, outlen;
   char *s;
   const char *orig_fname;
 
@@ -1636,7 +1636,6 @@ convert_fname (char *fname)
   inlen = strlen (fname);
   len = outlen = inlen * 2;
   converted_fname = s = xmalloc (outlen + 1);
-  done = 0;
 
   for (;;)
     {
@@ -1644,7 +1643,7 @@ convert_fname (char *fname)
       if (iconv (cd, (ICONV_CONST char **) &fname, &inlen, &s, &outlen) == 0
           && iconv (cd, NULL, NULL, &s, &outlen) == 0)
         {
-          *(converted_fname + len - outlen - done) = '\0';
+          *s = '\0';
           iconv_close (cd);
           DEBUGP (("Converted file name '%s' (%s) -> '%s' (%s)\n",
                    orig_fname, from_encoding, converted_fname, to_encoding));
@@ -1667,10 +1666,17 @@ convert_fname (char *fname)
         }
       else if (errno == E2BIG) /* Output buffer full */
         {
-          done = len;
-          len = outlen = done + inlen * 2;
-          converted_fname = xrealloc (converted_fname, outlen + 1);
-          s = converted_fname + done;
+          size_t used = s - converted_fname;
+          size_t newlen = used + inlen * 2 + 1;
+
+          /* Ensure we actually grow the buffer */
+          if (newlen <= len)
+            newlen = len * 2;
+
+          converted_fname = xrealloc (converted_fname, newlen + 1);
+          len = newlen;
+          s = converted_fname + used;
+          outlen = len - used;
         }
       else /* Weird, we got an unspecified error */
         {
-- 
2.54.0


++++++ CVE-2026-58472.patch ++++++
>From dd692d9cea5335b181d877ae917fe6e75587a812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
Date: Mon, 29 Jun 2026 19:13:15 +0200
Subject: [PATCH] * src/convert.c (html_quote_string): Fix integer+buffer
 overflow

Reported-by: [email protected]
---
 src/convert.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index feb90a35..3baec850 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -36,6 +36,7 @@ as that of the covered work.  */
 #include <unistd.h>
 #include <errno.h>
 #include <assert.h>
+#include <intprops.h>
 #include "convert.h"
 #include "url.h"
 #include "recur.h"
@@ -1178,21 +1179,37 @@ html_quote_string (const char *s)
 {
   const char *b = s;
   char *p, *res;
-  int i;
+  size_t i;
+  int ok;
 
   /* Pass through the string, and count the new size.  */
-  for (i = 0; *s; s++, i++)
+  for (i = 0; *s; s++)
     {
       if (*s == '&')
-        i += 4;                 /* `amp;' */
+        ok = INT_ADD_OK (i, 4, &i);     /* `amp;' */
       else if (*s == '<' || *s == '>')
-        i += 3;                 /* `lt;' and `gt;' */
+        ok = INT_ADD_OK (i, 3, &i);     /* `lt;' and `gt;' */
       else if (*s == '\"')
-        i += 5;                 /* `quot;' */
+        ok = INT_ADD_OK (i, 5, &i);     /* `quot;' */
       else if (*s == ' ')
-        i += 4;                 /* #32; */
+        ok = INT_ADD_OK (i, 4, &i);     /* #32; */
+      else
+        ok = INT_ADD_OK (i, 1, &i);
+
+      if (!ok)
+        {
+          DEBUGP (("Overflow detected in html_quote_string().\n"));
+          abort();
+        }
     }
-  res = xmalloc (i + 1);
+
+  if (!INT_ADD_OK (i, 1, &i))
+    {
+      DEBUGP (("Overflow detected in html_quote_string().\n"));
+      abort();
+    }
+
+  res = xmalloc (i);
   s = b;
   for (p = res; *s; s++)
     {
-- 
2.54.0

Reply via email to