Re: UPDATE: net/wget-1.9.5

2018-05-07 Thread Stuart Henderson
The file it's in is a new test. Given the security fix I'd go ahead and 
commit but please report it upstream.


--
Sent from a phone, apologies for poor formatting.
On 7 May 2018 04:36:09 Björn Ketelaars wrote:

> On Sun 06/05/2018 23:01, Gleydson Soares wrote:
> > update to wget-1.9.5. This update addresses a vulnerability CVE-2018-0494,
> > along with several bug fixes.
> >
> > builds and runs fine, @amd64
> > OK?
>
> I'm unable to run 'make test', log is enclosed. On 1.9.4 'make test'
> runs fine.






Re: UPDATE: net/wget-1.9.5

2018-05-06 Thread Björn Ketelaars
On Sun 06/05/2018 23:01, Gleydson Soares wrote:
> update to wget-1.9.5. This update addresses a vulnerability CVE-2018-0494, 
> along with
> several bug fixes.
> 
> builds and runs fine, @amd64
> OK?

I'm unable to run 'make test', log is enclosed. On 1.9.4 'make test'
runs fine.

Re: UPDATE net/wget

2018-02-04 Thread Björn Ketelaars
On Wed 31/01/2018 14:52, Björn Ketelaars wrote:
> Diff below brings net/wget to the latest version, which addresses:
> 
>   - A major bug that caused GZip'ed pages to never be decompressed has
> been fixed
>   - Support for Content-Encoding and Transfer-Encoding has been marked
> as experimental and disabled by default
>   - Prevent erroneous decompression of .gz and .tgz files with broken
> server
>   - Added support for HTTP 308 Permanent Redirect response
>   - Fix a segfault in some cases where the Content-Type header is not
> sent
>   - Several minor bug fixes
> 
> Output make test:
> 
> # TOTAL: 93
> # PASS:  84
> # SKIP:  9
> # XFAIL: 0
> # FAIL:  0
> # XPASS: 0
> # ERROR: 0
> ...
> # TOTAL: 44
> # PASS:  44
> # SKIP:  0
> # XFAIL: 0
> # FAIL:  0
> # XPASS: 0
> # ERROR: 0

Ping!



Re: UPDATE: net/wget -current,-stable (CVE-2017-13089, CVE-2017-13090)

2017-11-02 Thread Rafael Sadowski
On Tue Oct 31, 2017 at 01:02:44PM +0100, Rafael Sadowski wrote:
> On Tue Oct 31, 2017 at 12:20:26PM +0100, Rafael Sadowski wrote:
> > Hi All,
> > 
> > Update Wget to the latest stable version 1.19.1. This version includes
> > the following CVE patches:
> > 
> > "Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
> > 
> > "Fix heap overflow in HTTP protocol handling (CVE-2017-13090)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
> > 
> > 1.19.1 provides only .tar.lz and .tar.gz. Since we don't support *.lz, I
> > have decided to use *.gz
> > 
> > Also please find attached a diff for -stable.
> > 
> 
> Forgot the attachment, so here it is inline:
> 

*ping-stable*

> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/wget/Makefile,v
> retrieving revision 1.72
> diff -u -p -u -p -r1.72 Makefile
> --- Makefile  22 Feb 2017 02:49:25 -  1.72
> +++ Makefile  31 Oct 2017 11:09:04 -
> @@ -4,6 +4,7 @@ COMMENT = retrieve files from the web vi
>  
>  DISTNAME =   wget-1.19.1
>  CATEGORIES = net
> +REVISION =   0
>  
>  HOMEPAGE =   https://www.gnu.org/software/wget/
>  
> Index: patches/patch-src_http_c
> ===
> RCS file: patches/patch-src_http_c
> diff -N patches/patch-src_http_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_http_c  31 Oct 2017 11:09:04 -
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +Fix stack overflow in HTTP protocol handling (CVE-2017-13089)
> +Commit from upstream d892291fb8ace4c3b734ea5125770989c215df3f
> +Index: src/http.c
> +--- src/http.c.orig
>  src/http.c
> +@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked)
> +   remaining_chunk_size = strtol (line, , 16);
> +   xfree (line);
> + 
> ++  if (remaining_chunk_size < 0)
> ++  return false;
> ++
> +   if (remaining_chunk_size == 0)
> + {
> +   line = fd_read_line (fd);
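Review bot: The added 'if (remaining_chunk_size < 0) return false;' in skip_short_body covers only the negative case, and it sits after 'xfree (line)', where the parsed text is already gone. strtol also returns LONG_MAX with errno set to ERANGE when the hex string is too long, and nothing in the visible lines looks at errno or at the end pointer. As a backport of upstream commit d892291fb8ace4c3b734ea5125770989c215df3f the port patch should stay identical to upstream, but an errno and end-pointer check placed before the xfree is worth suggesting there.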
> Index: patches/patch-src_retr_c
> ===
> RCS file: patches/patch-src_retr_c
> diff -N patches/patch-src_retr_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_retr_c  31 Oct 2017 11:09:04 -
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
> +Commit from upstream ba6b44f6745b14dce414761a8e4b35d31b176bba
> +Index: src/retr.c
> +--- src/retr.c.orig
>  src/retr.c
> +@@ -320,6 +320,12 @@ fd_read_body (const char *downloaded_filename, int fd,
> +   remaining_chunk_size = strtol (line, , 16);
> +   xfree (line);
> + 
> ++  if (remaining_chunk_size < 0)
> ++  {
> ++  ret = -1;
> ++  break;
> ++  }
> ++
> +   if (remaining_chunk_size == 0)
> + {
> +   ret = 0;
> 
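Review bot: The unchanged 'if (remaining_chunk_size == 0)' branch right below the new check still ends the body with 'ret = 0', and strtol also returns 0 when the chunk-size line contains no hex digits at all. A malformed line is therefore handled like the terminating zero-size chunk instead of taking the new 'ret = -1; break;' path. That is outside the CVE-2017-13090 backport itself, but it deserves a follow-up report upstream.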



Re: UPDATE: net/wget -current,-stable (CVE-2017-13089, CVE-2017-13090)

2017-10-31 Thread Rafael Sadowski
On Tue Oct 31, 2017 at 12:03:22PM +, Stuart Henderson wrote:
> On 2017/10/31 12:20, Rafael Sadowski wrote:
> > Hi All,
> > 
> > Update Wget to the latest stable version 1.19.1. This version includes
> > the following CVE patches:
> > 
> > "Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
> > 
> > "Fix heap overflow in HTTP protocol handling (CVE-2017-13090)"
> > http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
> > 
> > 1.19.1 provides only .tar.lz and .tar.gz. Since we don't support *.lz, I
> > have decided to use *.gz
> > 
> > Also please find attached a diff for -stable.
> > 
> > Ok? Feedback?
> > 
> > Best regards,
> > 
> > Rafael Sadowski
> > 
> > 
> > Index: Makefile
> > ===
> > RCS file: /cvs/ports/net/wget/Makefile,v
> > retrieving revision 1.72
> > diff -u -p -u -p -r1.72 Makefile
> > --- Makefile22 Feb 2017 02:49:25 -  1.72
> > +++ Makefile31 Oct 2017 10:54:50 -
> > @@ -2,7 +2,7 @@
> >  
> >  COMMENT =  retrieve files from the web via HTTP, HTTPS and FTP
> >  
> > -DISTNAME = wget-1.19.1
> > +DISTNAME = wget-1.19.2
> >  CATEGORIES =   net
> >  
> >  HOMEPAGE = https://www.gnu.org/software/wget/
> > @@ -17,7 +17,7 @@ LIB_DEPENDS = converters/libunistring \
> > net/libpsl
> >  
> >  MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
> > -EXTRACT_SUFX = .tar.xz
> > +EXTRACT_SUFX = .tar.gz
> 
> .tar.gz is the default, so just remove EXTRACT_SUFX. (We do have support
> for .lz but at least for -stable it's easier for people if they don't
> have to install a weird compression tool :)
> 
> > -+++ doc/wget.texi  Sat Feb 11 16:46:13 2017
> > -@@ -191,14 +191,14 @@ gauge can be customized to your preferences.
> > - Most of the features are fully configurable, either through command line
> > - options, or via the initialization file @file{.wgetrc} (@pxref{Startup
> > - File}).  Wget allows you to define @dfn{global} startup files
> > --(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
> > -+(@file{${SYSCONFDIR}/wgetrc} by default) for site settings. You can also
> > - specify the location of a startup file with the --config option.
> > -  
> > - 
> > - @ignore
> > - @c man begin FILES
> > - @table @samp
> > --@item /usr/local/etc/wgetrc
> > -+@item ${SYSCONFDIR}/wgetrc
> > - Default location of the @dfn{global} startup file.
> > - 
> > - @item .wgetrc
> 
> That hunk of the patch needs merging by hand.
> 

Thanks for the notes. New diff below, plus I removed gettext as MODULE.


Index: Makefile
===
RCS file: /cvs/ports/net/wget/Makefile,v
retrieving revision 1.72
diff -u -p -u -p -r1.72 Makefile
--- Makefile22 Feb 2017 02:49:25 -  1.72
+++ Makefile31 Oct 2017 16:52:31 -
@@ -2,7 +2,7 @@
 
 COMMENT =  retrieve files from the web via HTTP, HTTPS and FTP
 
-DISTNAME = wget-1.19.1
+DISTNAME = wget-1.19.2
 CATEGORIES =   net
 
 HOMEPAGE = https://www.gnu.org/software/wget/
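Review bot: DISTNAME becomes wget-1.19.2 in this hunk while the mail text announces the update as 1.19.1; the commit message should name 1.19.2. It should also say that the patch-src_http_c and patch-src_retr_c backports belong to the -stable diff only, so they are not added to -current on top of a release the mail describes as already including both CVE fixes.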
@@ -10,16 +10,17 @@ HOMEPAGE =  https://www.gnu.org/software/
 # GPLv3
 PERMIT_PACKAGE_CDROM = Yes
 
-WANTLIB =  c crypto idn2 pcre psl ssl unistring z
+WANTLIB += c crypto iconv idn2 intl pcre psl ssl unistring z
+
+BUILD_DEPENDS =devel/gettext-tools
+
 LIB_DEPENDS =  converters/libunistring \
+   devel/gettext \
devel/libidn2 \
devel/pcre \
net/libpsl
 
 MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
-EXTRACT_SUFX = .tar.xz
-
-MODULES =  devel/gettext
 
 # some regression tests require python3
 MODULES += lang/python
Index: distinfo
===
RCS file: /cvs/ports/net/wget/distinfo,v
retrieving revision 1.19
diff -u -p -u -p -r1.19 distinfo
--- distinfo22 Feb 2017 02:49:25 -  1.19
+++ distinfo31 Oct 2017 16:52:31 -
@@ -1,2 +1,2 @@
-SHA256 (wget-1.19.1.tar.xz) = DJULlnGIEiKk04WwE8lgTpioAl0ZiFKd/KDpNhd0TNI=
-SIZE (wget-1.19.1.tar.xz) = 2111756
+SHA256 (wget-1.19.2.tar.gz) = T0pnO21GbvpQ+/unlr2EpGriTjcPpWLt5bIatTwRqSA=
+SIZE (wget-1.19.2.tar.gz) = 4349267
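Review bot: Please state in the submission how the new tarball was verified. The distfile changes version and compression format (.tar.xz to .tar.gz) at once, so the SHA256 and SIZE lines are entirely new values and distinfo is the only thing the ports framework will check the download against. Checking the tarball against the detached signature GNU publishes alongside the release before generating distinfo would cover that.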
Index: patches/patch-doc_wget_texi
===
RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v
retrieving revision 1.12
diff -u -p -u -p -r1.12 patch-doc_wget_texi
--- patches/patch-doc_wget_texi 22 Feb 2017 02:49:25 -  1.12
+++ patches/patch-doc_wget_texi 31 Oct 2017 16:52:31 -
@@ -1,15 +1,17 @@
 $OpenBSD: patch-doc_wget_texi,v 1.12 2017/02/22 02:49:25 danj Exp $
 doc/wget.texi.orig Sat Feb 11 05:45:22 2017
-+++ doc/wget.texi  Sat Feb 11 16:46:13 

Re: UPDATE: net/wget -current,-stable (CVE-2017-13089, CVE-2017-13090)

2017-10-31 Thread Stuart Henderson
On 2017/10/31 12:20, Rafael Sadowski wrote:
> Hi All,
> 
> Update Wget to the latest stable version 1.19.1. This version includes
> the following CVE patches:
> 
> "Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
> 
> "Fix heap overflow in HTTP protocol handling (CVE-2017-13090)"
> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
> 
> 1.19.1 provides only .tar.lz and .tar.gz. Since we don't support *.lz, I
> have decided to use *.gz
> 
> Also please find attached a diff for -stable.
> 
> Ok? Feedback?
> 
> Best regards,
> 
> Rafael Sadowski
> 
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/wget/Makefile,v
> retrieving revision 1.72
> diff -u -p -u -p -r1.72 Makefile
> --- Makefile  22 Feb 2017 02:49:25 -  1.72
> +++ Makefile  31 Oct 2017 10:54:50 -
> @@ -2,7 +2,7 @@
>  
>  COMMENT =retrieve files from the web via HTTP, HTTPS and FTP
>  
> -DISTNAME =   wget-1.19.1
> +DISTNAME =   wget-1.19.2
>  CATEGORIES = net
>  
>  HOMEPAGE =   https://www.gnu.org/software/wget/
> @@ -17,7 +17,7 @@ LIB_DEPENDS =   converters/libunistring \
>   net/libpsl
>  
>  MASTER_SITES =   ${MASTER_SITE_GNU:=wget/}
> -EXTRACT_SUFX =   .tar.xz
> +EXTRACT_SUFX =   .tar.gz

.tar.gz is the default, so just remove EXTRACT_SUFX. (We do have support
for .lz but at least for -stable it's easier for people if they don't
have to install a weird compression tool :)

> -+++ doc/wget.texiSat Feb 11 16:46:13 2017
> -@@ -191,14 +191,14 @@ gauge can be customized to your preferences.
> - Most of the features are fully configurable, either through command line
> - options, or via the initialization file @file{.wgetrc} (@pxref{Startup
> - File}).  Wget allows you to define @dfn{global} startup files
> --(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also
> -+(@file{${SYSCONFDIR}/wgetrc} by default) for site settings. You can also
> - specify the location of a startup file with the --config option.
> -  
> - 
> - @ignore
> - @c man begin FILES
> - @table @samp
> --@item /usr/local/etc/wgetrc
> -+@item ${SYSCONFDIR}/wgetrc
> - Default location of the @dfn{global} startup file.
> - 
> - @item .wgetrc

That hunk of the patch needs merging by hand.



Re: UPDATE: net/wget -current,-stable (CVE-2017-13089, CVE-2017-13090)

2017-10-31 Thread Rafael Sadowski
On Tue Oct 31, 2017 at 12:20:26PM +0100, Rafael Sadowski wrote:
> Hi All,
> 
> Update Wget to the latest stable version 1.19.1. This version includes
> the following CVE patches:
> 
> "Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"
> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f
> 
> "Fix heap overflow in HTTP protocol handling (CVE-2017-13090)"
> http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba
> 
> 1.19.1 provides only .tar.lz and .tar.gz. Since we don't support *.lz, I
> have decided to use *.gz
> 
> Also please find attached a diff for -stable.
> 

Forgot the attachment, so here it is inline:


Index: Makefile
===
RCS file: /cvs/ports/net/wget/Makefile,v
retrieving revision 1.72
diff -u -p -u -p -r1.72 Makefile
--- Makefile22 Feb 2017 02:49:25 -  1.72
+++ Makefile31 Oct 2017 11:09:04 -
@@ -4,6 +4,7 @@ COMMENT =   retrieve files from the web vi
 
 DISTNAME = wget-1.19.1
 CATEGORIES =   net
+REVISION = 0
 
 HOMEPAGE = https://www.gnu.org/software/wget/
 
Index: patches/patch-src_http_c
===
RCS file: patches/patch-src_http_c
diff -N patches/patch-src_http_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_http_c31 Oct 2017 11:09:04 -
@@ -0,0 +1,16 @@
+$OpenBSD$
+Fix stack overflow in HTTP protocol handling (CVE-2017-13089)
+Commit from upstream d892291fb8ace4c3b734ea5125770989c215df3f
+Index: src/http.c
+--- src/http.c.orig
 src/http.c
+@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked)
+   remaining_chunk_size = strtol (line, , 16);
+   xfree (line);
+ 
++  if (remaining_chunk_size < 0)
++  return false;
++
+   if (remaining_chunk_size == 0)
+ {
+   line = fd_read_line (fd);
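Review bot: The patch file as pasted inline is damaged: the context line reads 'strtol (line, , 16)' with the second argument missing, and the '+++ src/http.c' header has lost its '+++' prefix and shows up as ' src/http.c'. Please make sure the file committed as patches/patch-src_http_c is produced by 'make update-patches' from a tree with the upstream commit applied, not copied out of this mail, or resend the diff as an attachment. The same damage is visible in patches/patch-src_retr_c below.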
Index: patches/patch-src_retr_c
===
RCS file: patches/patch-src_retr_c
diff -N patches/patch-src_retr_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-src_retr_c31 Oct 2017 11:09:04 -
@@ -0,0 +1,19 @@
+$OpenBSD$
+Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
+Commit from upstream ba6b44f6745b14dce414761a8e4b35d31b176bba
+Index: src/retr.c
+--- src/retr.c.orig
 src/retr.c
+@@ -320,6 +320,12 @@ fd_read_body (const char *downloaded_filename, int fd,
+   remaining_chunk_size = strtol (line, , 16);
+   xfree (line);
+ 
++  if (remaining_chunk_size < 0)
++  {
++  ret = -1;
++  break;
++  }
++
+   if (remaining_chunk_size == 0)
+ {
+   ret = 0;
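
Both backported checks guard the value strtol returns for the chunk-size line of a chunked HTTP response. As an added example (not wget's code and not part of the patch), here is a strict chunk-size parser next to a bare strtol call, run over constructed lines; parse_chunk_size, naive_chunk_size and the MAX_CHUNK_SIZE cap are names and a limit assumed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-chunk cap chosen for this example; not a wget constant. */
#define MAX_CHUNK_SIZE (1L << 30)

/* Bare strtol, as in the context line of the hunks: the result is used as-is. */
static long naive_chunk_size(const char *line)
{
    return strtol(line, NULL, 16);
}

/*
 * Strict parser for "chunk-size [;ext] CRLF".
 * Returns 0 and stores the size on success, -1 on a malformed line.
 */
static int parse_chunk_size(const char *line, long *size_out)
{
    const unsigned char *p = (const unsigned char *)line;
    long v = 0;

    /* Must start with a hex digit: rejects "", "-1", " 1a", "+5". */
    if (!isxdigit(*p))
        return -1;

    for (; isxdigit(*p); p++) {
        int d = isdigit(*p) ? *p - '0' : tolower(*p) - 'a' + 10;
        /* Refuse before multiplying, so v never passes the cap or overflows. */
        if (v > (MAX_CHUNK_SIZE - d) / 16)
            return -1;
        v = v * 16 + d;
    }

    /* Only optional blanks, a chunk extension or the line end may follow. */
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0' && *p != '\r' && *p != '\n' && *p != ';')
        return -1;

    *size_out = v;
    return 0;
}

int main(void)
{
    /* Constructed chunk-size lines, not captured traffic. */
    static const char *samples[] = {
        "1a\r\n", "1A;name=value\r\n", "0\r\n", "-1\r\n", "\r\n",
        "0x10\r\n", "1g\r\n", "ffffffffffffffffffffffff\r\n",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long strict = 0;
        int len = (int)strcspn(samples[i], "\r\n");

        printf("%-26.*s naive=%-20ld ", len, samples[i],
               naive_chunk_size(samples[i]));
        if (parse_chunk_size(samples[i], &strict) == 0)
            printf("strict=%ld\n", strict);
        else
            printf("strict=rejected\n");
    }
    return 0;
}
```

The empty line and the over-long hex string are the cases a sign check alone does not separate from valid input: bare strtol yields 0 for the first and LONG_MAX for the second.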



Re: update net/wget

2016-03-26 Thread Stuart Henderson
On 2016/03/25 23:01, Daniel Jakots wrote:
> Hi,
> 
> Here's a patch to update wget to latest release. Changelog is available
> in their repository [0].
> 
> make test on amd64 and i386 is fine. There is no longer any failed test
> as in 1.16.3.
> 
> [0]: http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS

Makes sense I think. Please regenerate patches (make clean; make patch;
make update-patches); if you set PATCH_DEBUG=Yes in mk.conf it's easier to
see when this is needed. Then ok with me.

Please mention in the commit message that FTP no longer automatically
falls back to passive (this was due to whining from Tor people) so
sometimes it may now be necessary to use --no-passive-ftp.



Re: Update: net/wget 1.16

2014-11-05 Thread David Coppa
On Tue, Nov 4, 2014 at 11:58 PM, Christian Weisgerber
na...@mips.inka.de wrote:
 Here's an update of net/wget to 1.16.

 I've added the required dependencies to (successfully) run all the
 regression tests.  wget 1.15 would just skip most tests if the
 dependencies weren't installed, but 1.16 treats them as errors.

 I think the src/Makefile.in patch can go because @LIBINTL@ includes
 libiconv, i.e., @LIBICONV@ @LIBINTL@ will expand to something like
 -liconv -lintl -liconv.  Somebody who cares about vax may want to
 double check.

 Comments, questions, ok?

works for me. Ok dcoppa@

 Index: Makefile
 ===
 RCS file: /cvs/ports/net/wget/Makefile,v
 retrieving revision 1.63
 diff -u -p -r1.63 Makefile
 --- Makefile27 Oct 2014 15:28:39 -  1.63
 +++ Makefile4 Nov 2014 22:39:22 -
 @@ -2,8 +2,7 @@

  COMMENT =  retrieve files from the web via HTTP, HTTPS and FTP

 -DISTNAME = wget-1.15
 -REVISION = 0
 +DISTNAME = wget-1.16
  CATEGORIES =   net

  HOMEPAGE = https://www.gnu.org/software/wget/
 @@ -16,19 +15,28 @@ LIB_DEPENDS =   devel/libidn \
 devel/pcre

  MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
 +EXTRACT_SUFX = .tar.xz

  MODULES =  devel/gettext

 -FAKE_FLAGS =   sysconfdir=${PREFIX}/share/examples/wget
 +TEST_DEPENDS = www/p5-HTTP-Daemon lang/python/3.4
 +# Test-proxied-https-auth.px
 +TEST_DEPENDS +=www/p5-HTTP-Message security/p5-IO-Socket-SSL
 +
 +FAKE_FLAGS =   sysconfdir=${PREFIX}/share/examples/wget

  CONFIGURE_STYLE =  gnu
 -CONFIGURE_ARGS =   --with-ssl=openssl
 +CONFIGURE_ARGS =   --without-libpsl --with-ssl=openssl
  CONFIGURE_ENV +=   CPPFLAGS=-I${LOCALBASE}/include \
 LDFLAGS=-L${LOCALBASE}/lib
  # do not pick up libuuid from sysutils/e2fsprogs
  CONFIGURE_ENV +=   ac_cv_header_uuid_uuid_h=no
 +MODGNU_CONFIG_GUESS_DIRS=${WRKSRC}/build-aux

  pre-build:
 @${SUBST_CMD} ${WRKSRC}/doc/wget.texi ${WRKSRC}/doc/sample.wgetrc
 +
 +pre-test:
 +   @ln -s ${LOCALBASE}/bin/python3.4 ${WRKDIR}/bin/python3

  .include bsd.port.mk
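Review bot: The interpreter version is pinned in two places in this hunk, 'lang/python/3.4' in TEST_DEPENDS and '${LOCALBASE}/bin/python3.4' in the pre-test target, so both have to be found and edited whenever the Python 3 version in ports changes. Pull in the lang/python module with MODPY_VERSION set to the default 3.x version and link '${MODPY_BIN}' instead.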
 Index: distinfo
 ===
 RCS file: /cvs/ports/net/wget/distinfo,v
 retrieving revision 1.13
 diff -u -p -r1.13 distinfo
 --- distinfo29 Jan 2014 06:08:42 -  1.13
 +++ distinfo4 Nov 2014 22:39:22 -
 @@ -1,2 +1,2 @@
 -SHA256 (wget-1.15.tar.gz) = UhJr6M8b3ddTaIbnTAU619DtKqibS2MPdnhbrCFpX80=
 -SIZE (wget-1.15.tar.gz) = 3417936
 +SHA256 (wget-1.16.tar.xz) = kmHdCQoXaHttwGgqJX6QqSbe8VYktlDo95mvV+XIsOc=
 +SIZE (wget-1.16.tar.xz) = 1697308
 Index: patches/patch-doc_wget_texi
 ===
 RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v
 retrieving revision 1.7
 diff -u -p -r1.7 patch-doc_wget_texi
 --- patches/patch-doc_wget_texi 27 Oct 2014 15:28:39 -  1.7
 +++ patches/patch-doc_wget_texi 4 Nov 2014 22:39:22 -
 @@ -1,23 +1,7 @@
  $OpenBSD: patch-doc_wget_texi,v 1.7 2014/10/27 15:28:39 jasper Exp $
 -
 -Security fix for CVE-2014-4877, Arbitrary Symlink Access
 -http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
 -
  doc/wget.texi.orig Sat Jan  4 13:49:47 2014
 -+++ doc/wget.texi  Mon Oct 27 16:19:34 2014
 -@@ -10,6 +10,11 @@
 - @setchapternewpage on
 - @c %**end of header
 -
 -+@dircategory Networking tools
 -+@direntry
 -+* Wget: (wget.info).A utility for network download.
 -+@end direntry
 -+
 - @iftex
 - @c Remove this if you don't use A4 paper.
 - @afourpaper
 -@@ -190,14 +195,14 @@ gauge can be customized to your preferences.
 +--- doc/wget.texi.orig Mon Oct 27 09:18:13 2014
  doc/wget.texi  Tue Nov  4 22:27:21 2014
 +@@ -190,14 +190,14 @@ gauge can be customized to your preferences.
   Most of the features are fully configurable, either through command line
   options, or via the initialization file @file{.wgetrc} (@pxref{Startup
   File}).  Wget allows you to define @dfn{global} startup files
 @@ -34,36 +18,7 @@ http://git.savannah.gnu.org/cgit/wget.gi
   Default location of the @dfn{global} startup file.

   @item .wgetrc
 -@@ -1837,17 +1842,18 @@ Preserve remote file permissions instead of 
 permission
 -
 - @cindex symbolic links, retrieving
 - @item --retr-symlinks
 --Usually, when retrieving @sc{ftp} directories recursively and a symbolic
 --link is encountered, the linked-to file is not downloaded.  Instead, a
 --matching symbolic link is created on the local filesystem.  The
 --pointed-to file will not be downloaded unless this recursive retrieval
 --would have encountered it separately and downloaded it anyway.
 -+By default, when retrieving @sc{ftp} directories recursively and a symbolic 
 link
 -+is encountered, the symbolic link is traversed and the pointed-to files are
 -+retrieved.  

Re: Update: net/wget 1.16

2014-11-05 Thread Christian Weisgerber
On 2014-11-04, Christian Weisgerber na...@mips.inka.de wrote:

 Here's an update of net/wget to 1.16.

 I've added the required dependencies to (successfully) run all the
 regression tests.  wget 1.15 would just skip most tests if the
 dependencies weren't installed, but 1.16 treats them as errors.

 I think the src/Makefile.in patch can go because @LIBINTL@ includes
 libiconv, i.e., @LIBICONV@ @LIBINTL@ will expand to something like
 -liconv -lintl -liconv.  Somebody who cares about vax may want to
 double check.

ajacoutot@ has kindly reminded me that the python module can be
used so we don't have to hardcode the exact python version.
How's this look?

Index: Makefile
===
RCS file: /cvs/ports/net/wget/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile27 Oct 2014 15:28:39 -  1.63
+++ Makefile5 Nov 2014 15:10:54 -
@@ -2,8 +2,7 @@
 
 COMMENT =  retrieve files from the web via HTTP, HTTPS and FTP
 
-DISTNAME = wget-1.15
-REVISION = 0
+DISTNAME = wget-1.16
 CATEGORIES =   net
 
 HOMEPAGE = https://www.gnu.org/software/wget/
@@ -16,19 +15,34 @@ LIB_DEPENDS =   devel/libidn \
devel/pcre
 
 MASTER_SITES = ${MASTER_SITE_GNU:=wget/}
+EXTRACT_SUFX = .tar.xz
 
 MODULES =  devel/gettext
 
-FAKE_FLAGS =   sysconfdir=${PREFIX}/share/examples/wget
+# some regression tests require python3
+MODULES += lang/python
+MODPY_VERSION =${MODPY_DEFAULT_VERSION_3}
+MODPY_BUILDDEP =   No
+MODPY_RUNDEP = No
+
+TEST_DEPENDS = www/p5-HTTP-Daemon ${MODPY_RUN_DEPENDS}
+# Test-proxied-https-auth.px
+TEST_DEPENDS +=www/p5-HTTP-Message security/p5-IO-Socket-SSL
+
+FAKE_FLAGS =   sysconfdir=${PREFIX}/share/examples/wget
 
 CONFIGURE_STYLE =  gnu
-CONFIGURE_ARGS =   --with-ssl=openssl
+CONFIGURE_ARGS =   --without-libpsl --with-ssl=openssl
 CONFIGURE_ENV +=   CPPFLAGS=-I${LOCALBASE}/include \
LDFLAGS=-L${LOCALBASE}/lib
 # do not pick up libuuid from sysutils/e2fsprogs
 CONFIGURE_ENV +=   ac_cv_header_uuid_uuid_h=no
+MODGNU_CONFIG_GUESS_DIRS = ${WRKSRC}/build-aux
 
 pre-build:
@${SUBST_CMD} ${WRKSRC}/doc/wget.texi ${WRKSRC}/doc/sample.wgetrc
+
+pre-test:
+   @ln -s ${MODPY_BIN} ${WRKDIR}/bin/python3
 
 .include bsd.port.mk
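Review bot: '--without-libpsl' is added to CONFIGURE_ARGS with no comment. libpsl is what lets wget check cookie domains against the public suffix list, so building without it is a security-relevant choice; add a one-line comment above CONFIGURE_ARGS giving the reason, so it is revisited later. Separately, '@ln -s ${MODPY_BIN} ${WRKDIR}/bin/python3' in pre-test fails if the link already exists; 'ln -sf' avoids that.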
Index: distinfo
===
RCS file: /cvs/ports/net/wget/distinfo,v
retrieving revision 1.13
diff -u -p -r1.13 distinfo
--- distinfo29 Jan 2014 06:08:42 -  1.13
+++ distinfo5 Nov 2014 15:10:54 -
@@ -1,2 +1,2 @@
-SHA256 (wget-1.15.tar.gz) = UhJr6M8b3ddTaIbnTAU619DtKqibS2MPdnhbrCFpX80=
-SIZE (wget-1.15.tar.gz) = 3417936
+SHA256 (wget-1.16.tar.xz) = kmHdCQoXaHttwGgqJX6QqSbe8VYktlDo95mvV+XIsOc=
+SIZE (wget-1.16.tar.xz) = 1697308
Index: patches/patch-doc_wget_texi
===
RCS file: /cvs/ports/net/wget/patches/patch-doc_wget_texi,v
retrieving revision 1.7
diff -u -p -r1.7 patch-doc_wget_texi
--- patches/patch-doc_wget_texi 27 Oct 2014 15:28:39 -  1.7
+++ patches/patch-doc_wget_texi 5 Nov 2014 15:10:54 -
@@ -1,23 +1,7 @@
 $OpenBSD: patch-doc_wget_texi,v 1.7 2014/10/27 15:28:39 jasper Exp $
-
-Security fix for CVE-2014-4877, Arbitrary Symlink Access
-http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7
-
 doc/wget.texi.orig Sat Jan  4 13:49:47 2014
-+++ doc/wget.texi  Mon Oct 27 16:19:34 2014
-@@ -10,6 +10,11 @@
- @setchapternewpage on
- @c %**end of header
- 
-+@dircategory Networking tools
-+@direntry
-+* Wget: (wget.info).A utility for network download.
-+@end direntry
-+
- @iftex
- @c Remove this if you don't use A4 paper.
- @afourpaper
-@@ -190,14 +195,14 @@ gauge can be customized to your preferences.
+--- doc/wget.texi.orig Mon Oct 27 09:18:13 2014
 doc/wget.texi  Tue Nov  4 22:27:21 2014
+@@ -190,14 +190,14 @@ gauge can be customized to your preferences.
  Most of the features are fully configurable, either through command line
  options, or via the initialization file @file{.wgetrc} (@pxref{Startup
  File}).  Wget allows you to define @dfn{global} startup files
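Review bot: Removing the 'Security fix for CVE-2014-4877, Arbitrary Symlink Access' header and its documentation lines from patch-doc_wget_texi is only correct if wget 1.16 already contains upstream commit 18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7. Say so explicitly in the commit message, and check that no other file under patches/ still carries part of that fix and would now fail to apply or apply twice.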
@@ -34,36 +18,7 @@ http://git.savannah.gnu.org/cgit/wget.gi
  Default location of the @dfn{global} startup file.
  
  @item .wgetrc
-@@ -1837,17 +1842,18 @@ Preserve remote file permissions instead of permission
- 
- @cindex symbolic links, retrieving
- @item --retr-symlinks
--Usually, when retrieving @sc{ftp} directories recursively and a symbolic
--link is encountered, the linked-to file is not downloaded.  Instead, a
--matching symbolic link is created on the local filesystem.  The
--pointed-to file will not be downloaded unless this recursive retrieval
--would have encountered it separately and downloaded it anyway.
-+By