From 6b88912eb6c414467234678c347990181dbf848b Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 26 Oct 2017 23:23:44 +0200
Subject: gnu: wget: Update to 1.19.2 [fixes CVE-2017-13089 and
 CVE-2017-13090].

* gnu/packages/wget.scm (wget): Update to 1.19.2.
[source](uri): Change to '.lz' tarball.
[source](patches): Remove.
[native-inputs]: Add LZIP.
* gnu/packages/patches/wget-CVE-2017-6508.patch,
gnu/packages/patches/wget-fix-504-test-timeout.patch,
gnu/packages/patches/wget-perl-5.26.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/packages/patches/wget-CVE-2017-6508.patch      |  45 ------
 .../patches/wget-fix-504-test-timeout.patch        | 160 ---------------------
 gnu/packages/patches/wget-perl-5.26.patch          |  96 -------------
 gnu/packages/wget.scm                              |  13 +-
 4 files changed, 6 insertions(+), 308 deletions(-)
 delete mode 100644 gnu/packages/patches/wget-CVE-2017-6508.patch
 delete mode 100644 gnu/packages/patches/wget-fix-504-test-timeout.patch
 delete mode 100644 gnu/packages/patches/wget-perl-5.26.patch

(limited to 'gnu/packages')

diff --git a/gnu/packages/patches/wget-CVE-2017-6508.patch b/gnu/packages/patches/wget-CVE-2017-6508.patch
deleted file mode 100644
index 0218fceaad..0000000000
--- a/gnu/packages/patches/wget-CVE-2017-6508.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-6508:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
-
-From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Mon, 6 Mar 2017 10:04:22 +0100
-Subject: [PATCH] Fix CRLF injection in Wget host part
-
-* src/url.c (url_parse): Reject control characters in host part of URL
-
-Reported-by: Orange Tsai
----
- src/url.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/url.c b/src/url.c
-index 8f8ff0b8..7d36b27d 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
-       url_unescape (u->host);
-       host_modified = true;
- 
-+      /* check for invalid control characters in host name */
-+      for (p = u->host; *p; p++)
-+        {
-+          if (c_iscntrl(*p))
-+            {
-+              url_free(u);
-+              error_code = PE_INVALID_HOST_NAME;
-+              goto error;
-+            }
-+        }
-+
-       /* Apply IDNA regardless of iri->utf8_encode status */
-       if (opt.enable_iri && iri)
-         {
--- 
-2.12.0
-
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch b/gnu/packages/patches/wget-fix-504-test-timeout.patch
deleted file mode 100644
index d9bf154103..0000000000
--- a/gnu/packages/patches/wget-fix-504-test-timeout.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-This patch is from upstream. If a machine is too slow it can cause
-test-504.py to fail.
-http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
-
-From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Tue, 14 Feb 2017 16:20:26 +0100
-Subject: Fix 504 status handling
-
-* src/http.c (gethttp): Move 504 handling to correct place.
-  (http_loop): Fix memeory leak.
-* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
-  status codes with a body
-
-Reported-by: Adam Sampson
----
- src/http.c                         | 30 +++++++++++-------------------
- testenv/server/http/http_server.py |  9 +++++----
- 2 files changed, 16 insertions(+), 23 deletions(-)
-
-diff --git a/src/http.c b/src/http.c
-index 898e184..d2c5c77 100644
---- a/src/http.c
-+++ b/src/http.c
-@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- 
- #ifdef HAVE_METALINK
-   /* We need to check for the Metalink data in the very first response
--     we get from the server (before redirectionrs, authorization, etc.).  */
-+     we get from the server (before redirections, authorization, etc.).  */
-   if (metalink)
-     {
-       hs->metalink = metalink_from_http (resp, hs, u);
-@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-       uerr_t auth_err = RETROK;
-       bool retry;
-       /* Normally we are not interested in the response body.
--         But if we are writing a WARC file we are: we like to keep everyting.  */
-+         But if we are writing a WARC file we are: we like to keep everything.  */
-       if (warc_enabled)
-         {
-           int _err;
-@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-         pconn.authorized = true;
-     }
- 
--  if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
--    {
--      hs->len = 0;
--      hs->res = 0;
--      hs->restval = 0;
--
--      CLOSE_FINISH (sock);
--      xfree (hs->message);
--
--      retval = GATEWAYTIMEOUT;
--      goto cleanup;
--    }
--
--
-   {
-     uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
-     if (ret != RETROK)
-@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-               retval = _err;
-               goto cleanup;
-             }
--          else
--            CLOSE_FINISH (sock);
-+
-+          CLOSE_FINISH (sock);
-         }
-       else
-         {
-@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-             CLOSE_INVALIDATE (sock);
-         }
- 
--      retval = RETRFINISHED;
-+      if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-+        retval = GATEWAYTIMEOUT;
-+      else
-+        retval = RETRFINISHED;
-+
-       goto cleanup;
-     }
- 
-@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
-              bring them to "while" statement at the end, to judge
-              whether the number of tries was exceeded.  */
-           printwhat (count, opt.ntry);
-+          xfree (hstat.message);
-+          xfree (hstat.error);
-           continue;
-         case FWRITEERR: case FOPENERR:
-           /* Another fatal error.  */
-diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
-index e96f6e8..b222df0 100644
---- a/testenv/server/http/http_server.py
-+++ b/testenv/server/http/http_server.py
-@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
- 
-     def Response(self, resp_obj):
-         self.send_response(resp_obj.response_code)
--        self.finish_headers()
-         if resp_obj.response_code == 304:
-             raise NoBodyServerError("Conditional get falling to head")
-         raise ServerError("Custom Response code sent.")
-@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
-         except AuthError as se:
-             self.send_response(401, "Authorization Required")
-             self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
--            self.finish_headers()
-             raise se
- 
-     def handle_auth(self, auth_rule):
-@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd is None or header_recd != exp_headers[header_line]:
-                 self.send_error(400, "Expected Header %s not found" %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + " not found")
- 
-     def RejectHeader(self, header_obj):
-@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd and header_recd == rej_headers[header_line]:
-                 self.send_error(400, 'Blacklisted Header %s received' %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + ' received')
- 
-     def __log_request(self, method):
-@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
- 
-             content = self.server.fileSys.get(path)
-             content_length = len(content)
-+
-             for rule_name in self.rules:
-                 try:
-                     assert hasattr(self, rule_name)
-@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
-                     return(None, None)
-                 except AuthError as ae:
-                     print(ae.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except NoBodyServerError as nbse:
-                     print(nbse.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except ServerError as se:
-                     print(se.__str__())
-+                    self.add_header("Content-Length", content_length)
-+                    self.finish_headers()
-                     return(content, None)
- 
-             try:
--- 
-cgit v1.0-41-gc330
-
diff --git a/gnu/packages/patches/wget-perl-5.26.patch b/gnu/packages/patches/wget-perl-5.26.patch
deleted file mode 100644
index ee3a984daa..0000000000
--- a/gnu/packages/patches/wget-perl-5.26.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-This upstream commit adjusts tests for Perl 5.26.
-
-commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
-Author: Anton Yuzhaninov <citrin+github@citrin.ru>
-Date:   Wed Apr 5 19:06:42 2017 +0300
-
-    Fix perl warnings in tests
-    
-    * tests/FTPServer.pm: Escape '{' in RE to fix warnings
-    * tests/FTPTest.pm: Likewise
-    * tests/HTTPServer.pm: Likewise
-    * tests/HTTPTest.pm: Likewise
-    * tests/Test-proxied-https-auth-keepalive.px: Likewise
-    * tests/Test-proxied-https-auth.px: Likewise
-    Escape '{' in RE to fix warnings:
-    Unescaped left brace in regex is deprecated, passed through in regex;
-    marked by <-- HERE in m/{{ <-- HERE port}}/
-
-diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
-index a5185d66..cac80942 100644
---- a/tests/FTPServer.pm
-+++ b/tests/FTPServer.pm
-@@ -589,7 +589,7 @@ sub new
-     foreach my $file (keys %{$self->{_input}})
-     {
-         my $ref = \$self->{_input}{$file}{content};
--        $$ref =~ s/{{port}}/$self->sockport/eg;
-+        $$ref =~ s/\Q{{port}}/$self->sockport/eg;
-     }
- 
-     return $self;
-diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
-index 50385ad0..0a1c768c 100644
---- a/tests/FTPTest.pm
-+++ b/tests/FTPTest.pm
-@@ -53,7 +53,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
-index dd8ec043..78609f65 100644
---- a/tests/HTTPServer.pm
-+++ b/tests/HTTPServer.pm
-@@ -310,7 +310,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
-index 00f079f8..6225c7f1 100644
---- a/tests/HTTPTest.pm
-+++ b/tests/HTTPTest.pm
-@@ -47,7 +47,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
-index 049bebec..2a18ccfd 100755
---- a/tests/Test-proxied-https-auth-keepalive.px
-+++ b/tests/Test-proxied-https-auth-keepalive.px
-@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
-diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
-index ce4e736c..878114e7 100755
---- a/tests/Test-proxied-https-auth.px
-+++ b/tests/Test-proxied-https-auth.px
-@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
diff --git a/gnu/packages/wget.scm b/gnu/packages/wget.scm
index 3673ad5cc4..bfcfcad230 100644
--- a/gnu/packages/wget.scm
+++ b/gnu/packages/wget.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages wget)
   #:use-module (guix licenses)
   #:use-module (gnu packages)
+  #:use-module (gnu packages compression)
   #:use-module (gnu packages libidn)
   #:use-module (gnu packages python)
   #:use-module (gnu packages perl)
@@ -34,18 +35,15 @@
 (define-public wget
   (package
     (name "wget")
-    (version "1.19.1")
+    (version "1.19.2")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/wget/wget-"
-                          version ".tar.xz"))
-      (patches (search-patches "wget-CVE-2017-6508.patch"
-                               "wget-fix-504-test-timeout.patch"
-                               "wget-perl-5.26.patch"))
+                          version ".tar.lz"))
       (sha256
        (base32
-        "1ljcfhbkdsd0zjfm520rbl1ai62fc34i7c45sfj244l8f6b0p58c"))))
+        "01yzal7xm85543x02bij3capnigr063d6c5vc039f8n5s9d796nm"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (modify-phases %standard-phases
@@ -65,7 +63,8 @@
     (inputs
      `(("gnutls" ,gnutls)
        ("libidn2" ,libidn2)
-       ("libpsl" ,libpsl)))
+       ("libpsl" ,libpsl)
+       ("lzip" ,lzip)))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("perl" ,perl)
-- 
cgit v1.2.3