mirror of
https://github.com/archlinuxarm/PKGBUILDs.git
synced 2024-11-08 22:45:43 +00:00
core/wget to 1.12-7
This commit is contained in:
parent
a7e8209d2b
commit
b482e527d7
2 changed files with 236 additions and 7 deletions
|
@ -1,4 +1,4 @@
|
|||
# $Id: PKGBUILD 110655 2011-02-21 09:03:23Z allan $
|
||||
# $Id: PKGBUILD 122950 2011-05-07 12:59:07Z allan $
|
||||
# Maintainer: Allan McRae <allan@archlinux.org>
|
||||
# Contributor: Judd Vinet <jvinet@zeroflux.org>
|
||||
|
||||
|
@ -8,7 +8,7 @@ plugrel=1
|
|||
|
||||
pkgname=wget
|
||||
pkgver=1.12
|
||||
pkgrel=5
|
||||
pkgrel=7
|
||||
pkgdesc="A network utility to retrieve files from the Web"
|
||||
arch=('i686' 'x86_64')
|
||||
url="http://www.gnu.org/software/wget/wget.html"
|
||||
|
@ -19,15 +19,25 @@ optdepends=('ca-certificates: HTTPS downloads')
|
|||
backup=('etc/wgetrc')
|
||||
install=wget.install
|
||||
source=(ftp://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.gz
|
||||
wget-1.12-CVE-2010-2252.patch)
|
||||
wget-1.12-CVE-2010-2252.patch
|
||||
wget-1.12-subjectAltName.patch)
|
||||
md5sums=('141461b9c04e454dc8933c9d1f2abf83'
|
||||
'2c8bc23eff98fd4efc3f96394fc8e61e')
|
||||
'2c8bc23eff98fd4efc3f96394fc8e61e'
|
||||
'bd589403b7bb4967a6f41b0f43b1c8aa')
|
||||
|
||||
build() {
|
||||
cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
|
||||
|
||||
# Fix arbitrary file overwrite via 3xx redirect (CVE-2010-2252)
|
||||
patch -Np1 -i ../wget-1.12-CVE-2010-2252.patch
|
||||
patch -Np1 -i $srcdir/wget-1.12-CVE-2010-2252.patch
|
||||
|
||||
# https://savannah.gnu.org/bugs/index.php?20421
|
||||
patch -Np0 -i $srcdir/wget-1.12-subjectAltName.patch
|
||||
|
||||
# Note : We do not build with --enable-nls, because there is a bug in wget causing
|
||||
# international domain names to be not properly converted to punycode if
|
||||
# the current locale is a UTF-8 one
|
||||
# See : http://lists.gnu.org/archive/html/bug-wget/2011-02/msg00026.html
|
||||
|
||||
./configure -with-ssl --prefix=/usr --sysconfdir=/etc
|
||||
make
|
||||
|
@ -36,11 +46,14 @@ build() {
|
|||
package() {
|
||||
cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
make DESTDIR="${pkgdir}" install
|
||||
|
||||
|
||||
cat >> "$pkgdir/etc/wgetrc" <<EOF
|
||||
|
||||
# default root certs location
|
||||
ca_certificate=/etc/ssl/certs/ca-certificates.crt
|
||||
EOF
|
||||
|
||||
# remove IRI option from wgetrc as it does not work (see above)
|
||||
sed -i '118,120d' $pkgdir/etc/wgetrc
|
||||
|
||||
}
|
||||
|
|
216
core/wget/wget-1.12-subjectAltName.patch
Normal file
216
core/wget/wget-1.12-subjectAltName.patch
Normal file
|
@ -0,0 +1,216 @@
|
|||
=== modified file 'src/openssl.c'
|
||||
--- src/openssl.c 2009-09-22 16:16:43 +0000
|
||||
+++ src/openssl.c 2009-10-24 23:06:44 +0000
|
||||
@@ -39,7 +39,7 @@
|
||||
#include <string.h>
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
-#include <openssl/x509.h>
|
||||
+#include <openssl/x509v3.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
@@ -486,9 +486,11 @@
|
||||
ssl_check_certificate (int fd, const char *host)
|
||||
{
|
||||
X509 *cert;
|
||||
+ GENERAL_NAMES *subjectAltNames;
|
||||
char common_name[256];
|
||||
long vresult;
|
||||
bool success = true;
|
||||
+ bool alt_name_checked = false;
|
||||
|
||||
/* If the user has specified --no-check-cert, we still want to warn
|
||||
him about problems with the server's certificate. */
|
||||
@@ -536,7 +538,8 @@
|
||||
break;
|
||||
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
||||
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
||||
- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
|
||||
+ logprintf (LOG_NOTQUIET,
|
||||
+ _(" Self-signed certificate encountered.\n"));
|
||||
break;
|
||||
case X509_V_ERR_CERT_NOT_YET_VALID:
|
||||
logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
|
||||
@@ -558,10 +561,6 @@
|
||||
/* Check that HOST matches the common name in the certificate.
|
||||
#### The following remains to be done:
|
||||
|
||||
- - It should use dNSName/ipAddress subjectAltName extensions if
|
||||
- available; according to rfc2818: "If a subjectAltName extension
|
||||
- of type dNSName is present, that MUST be used as the identity."
|
||||
-
|
||||
- When matching against common names, it should loop over all
|
||||
common names and choose the most specific one, i.e. the last
|
||||
one, not the first one, which the current code picks.
|
||||
@@ -569,50 +568,123 @@
|
||||
- Ensure that ASN1 strings from the certificate are encoded as
|
||||
UTF-8 which can be meaningfully compared to HOST. */
|
||||
|
||||
- X509_NAME *xname = X509_get_subject_name(cert);
|
||||
- common_name[0] = '\0';
|
||||
- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
|
||||
- sizeof (common_name));
|
||||
+ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
|
||||
|
||||
- if (!pattern_match (common_name, host))
|
||||
+ if (subjectAltNames)
|
||||
{
|
||||
- logprintf (LOG_NOTQUIET, _("\
|
||||
-%s: certificate common name %s doesn't match requested host name %s.\n"),
|
||||
- severity, quote_n (0, common_name), quote_n (1, host));
|
||||
- success = false;
|
||||
+ /* Test subject alternative names */
|
||||
+
|
||||
+ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?
|
||||
+ * Signal it by host_in_octet_string. */
|
||||
+ ASN1_OCTET_STRING *host_in_octet_string = NULL;
|
||||
+ host_in_octet_string = a2i_IPADDRESS (host);
|
||||
+
|
||||
+ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames);
|
||||
+ int i;
|
||||
+ for (i=0; i < numaltnames; i++)
|
||||
+ {
|
||||
+ const GENERAL_NAME *name =
|
||||
+ sk_GENERAL_NAME_value (subjectAltNames, i);
|
||||
+ if (name)
|
||||
+ {
|
||||
+ if (host_in_octet_string)
|
||||
+ {
|
||||
+ if (name->type == GEN_IPADD)
|
||||
+ {
|
||||
+ /* Check for ipAddress */
|
||||
+ /* TODO: Should we convert between IPv4-mapped IPv6
|
||||
+ * addresses and IPv4 addresses? */
|
||||
+ alt_name_checked = true;
|
||||
+ if (!ASN1_STRING_cmp (host_in_octet_string,
|
||||
+ name->d.iPAddress))
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ else if (name->type == GEN_DNS)
|
||||
+ {
|
||||
+ /* Check for dNSName */
|
||||
+ alt_name_checked = true;
|
||||
+ /* dNSName should be IA5String (i.e. ASCII), however who
|
||||
+ * does trust CA? Convert it into UTF-8 for sure. */
|
||||
+ unsigned char *name_in_utf8 = NULL;
|
||||
+ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName))
|
||||
+ {
|
||||
+ /* Compare and check for NULL attack in ASN1_STRING */
|
||||
+ if (pattern_match ((char *)name_in_utf8, host) &&
|
||||
+ (strlen ((char *)name_in_utf8) ==
|
||||
+ ASN1_STRING_length (name->d.dNSName)))
|
||||
+ {
|
||||
+ OPENSSL_free (name_in_utf8);
|
||||
+ break;
|
||||
+ }
|
||||
+ OPENSSL_free (name_in_utf8);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ sk_GENERAL_NAME_free (subjectAltNames);
|
||||
+ if (host_in_octet_string)
|
||||
+ ASN1_OCTET_STRING_free(host_in_octet_string);
|
||||
+
|
||||
+ if (alt_name_checked == true && i >= numaltnames)
|
||||
+ {
|
||||
+ logprintf (LOG_NOTQUIET,
|
||||
+ _("%s: no certificate subject alternative name matches\n"
|
||||
+ "\trequested host name %s.\n"),
|
||||
+ severity, quote_n (1, host));
|
||||
+ success = false;
|
||||
+ }
|
||||
}
|
||||
- else
|
||||
+
|
||||
+ if (alt_name_checked == false)
|
||||
{
|
||||
- /* We now determine the length of the ASN1 string. If it differs from
|
||||
- * common_name's length, then there is a \0 before the string terminates.
|
||||
- * This can be an instance of a null-prefix attack.
|
||||
- *
|
||||
- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
|
||||
- * */
|
||||
-
|
||||
- int i = -1, j;
|
||||
- X509_NAME_ENTRY *xentry;
|
||||
- ASN1_STRING *sdata;
|
||||
-
|
||||
- if (xname) {
|
||||
- for (;;)
|
||||
- {
|
||||
- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
|
||||
- if (j == -1) break;
|
||||
- i = j;
|
||||
+ /* Test commomName */
|
||||
+ X509_NAME *xname = X509_get_subject_name(cert);
|
||||
+ common_name[0] = '\0';
|
||||
+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
|
||||
+ sizeof (common_name));
|
||||
+
|
||||
+ if (!pattern_match (common_name, host))
|
||||
+ {
|
||||
+ logprintf (LOG_NOTQUIET, _("\
|
||||
+ %s: certificate common name %s doesn't match requested host name %s.\n"),
|
||||
+ severity, quote_n (0, common_name), quote_n (1, host));
|
||||
+ success = false;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /* We now determine the length of the ASN1 string. If it
|
||||
+ * differs from common_name's length, then there is a \0
|
||||
+ * before the string terminates. This can be an instance of a
|
||||
+ * null-prefix attack.
|
||||
+ *
|
||||
+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
|
||||
+ * */
|
||||
+
|
||||
+ int i = -1, j;
|
||||
+ X509_NAME_ENTRY *xentry;
|
||||
+ ASN1_STRING *sdata;
|
||||
+
|
||||
+ if (xname) {
|
||||
+ for (;;)
|
||||
+ {
|
||||
+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
|
||||
+ if (j == -1) break;
|
||||
+ i = j;
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
|
||||
- xentry = X509_NAME_get_entry(xname,i);
|
||||
- sdata = X509_NAME_ENTRY_get_data(xentry);
|
||||
- if (strlen (common_name) != ASN1_STRING_length (sdata))
|
||||
- {
|
||||
- logprintf (LOG_NOTQUIET, _("\
|
||||
-%s: certificate common name is invalid (contains a NUL character).\n\
|
||||
-This may be an indication that the host is not who it claims to be\n\
|
||||
-(that is, it is not the real %s).\n"),
|
||||
- severity, quote (host));
|
||||
- success = false;
|
||||
+ xentry = X509_NAME_get_entry(xname,i);
|
||||
+ sdata = X509_NAME_ENTRY_get_data(xentry);
|
||||
+ if (strlen (common_name) != ASN1_STRING_length (sdata))
|
||||
+ {
|
||||
+ logprintf (LOG_NOTQUIET, _("\
|
||||
+ %s: certificate common name is invalid (contains a NUL character).\n\
|
||||
+ This may be an indication that the host is not who it claims to be\n\
|
||||
+ (that is, it is not the real %s).\n"),
|
||||
+ severity, quote (host));
|
||||
+ success = false;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -631,3 +703,7 @@
|
||||
/* Allow --no-check-cert to disable certificate checking. */
|
||||
return opt.check_cert ? success : true;
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * vim: tabstop=2 shiftwidth=2 softtabstop=2
|
||||
+ */
|
||||
|
Loading…
Reference in a new issue