[pkgsrc/trunk]: pkgsrc/net/wget wget: update to 1.19.2.

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/b8032632850a
branches:  trunk
changeset: 371845:b8032632850a
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Thu Nov 23 16:03:29 2017 +0000

description:
wget: update to 1.19.2.

* Changes in Wget 1.19.2

* Fix CVE-2017-13089 (Stack overflow in HTTP protocol handling)

* Fix CVE-2017-13090 (Heap overflow in HTTP protocol handling)

* New option --compression for gzip Content-Encoding

* New option --[no]-netrc to control .netrc parsing

* Added GNU extensions to .netrc parsing

* Improved IDNA 2003 compatibility

* Fix VPATH issues

* Improved and extended the test suite

* Support Wayback Machine's X-Archive-Orig-last-modified

* Several bug fixes

diffstat:

 net/wget/Makefile                     |  12 ++--------
 net/wget/distinfo                     |  16 ++++---------
 net/wget/patches/patch-CVE-2017-13089 |  36 --------------------------------
 net/wget/patches/patch-CVE-2017-13090 |  39 -----------------------------------
 4 files changed, 8 insertions(+), 95 deletions(-)

diffs (127 lines):

diff -r 6e44c5b71f90 -r b8032632850a net/wget/Makefile
--- a/net/wget/Makefile Thu Nov 23 15:59:59 2017 +0000
+++ b/net/wget/Makefile Thu Nov 23 16:03:29 2017 +0000
@@ -1,15 +1,9 @@
-# $NetBSD: Makefile,v 1.137 2017/11/14 09:51:13 leot Exp $
+# $NetBSD: Makefile,v 1.138 2017/11/23 16:03:29 wiz Exp $
 
-DISTNAME=      wget-1.19.1
-PKGREVISION=   3
+DISTNAME=      wget-1.19.2
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GNU:=wget/}
-EXTRACT_SUFX=  .tar.xz
-
-PATCH_SITES=           http://git.savannah.gnu.org/cgit/wget.git/patch/?id=
-PATCH_DIST_STRIP=      -p1
-# For CVE-2017-6508
-PATCHFILES=            4d729e322fae359a1aefaafec1144764a54e8ad4
+EXTRACT_SUFX=  .tar.lz
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.gnu.org/software/wget/wget.html
diff -r 6e44c5b71f90 -r b8032632850a net/wget/distinfo
--- a/net/wget/distinfo Thu Nov 23 15:59:59 2017 +0000
+++ b/net/wget/distinfo Thu Nov 23 16:03:29 2017 +0000
@@ -1,13 +1,7 @@
-$NetBSD: distinfo,v 1.55 2017/10/26 15:01:38 tez Exp $
+$NetBSD: distinfo,v 1.56 2017/11/23 16:03:29 wiz Exp $
 
-SHA1 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 95acf2c162f0e413c40c5881940daafff2cca9bb
-RMD160 (4d729e322fae359a1aefaafec1144764a54e8ad4) = 41f0ac16a00f0837045120d1b65fd0e86c5c8618
-SHA512 (4d729e322fae359a1aefaafec1144764a54e8ad4) = fd36c9225c567e9958f030449f40cb747c0a23b7023fd4eee4e982c867d96be1562377a2d9b80150d9dc714bdbdc2bd509a8a244c4969c731002bdf6434d9cf8
-Size (4d729e322fae359a1aefaafec1144764a54e8ad4) = 1051 bytes
-SHA1 (wget-1.19.1.tar.xz) = cde25e99c144191644406793cbd1c69c102c6970
-RMD160 (wget-1.19.1.tar.xz) = 158d759b81c0893cc9c83e4beabb104f4987f6dd
-SHA512 (wget-1.19.1.tar.xz) = 00864d225439bcb7c5af01d7ef19efa615427812d3320ab3f4c8f62c38191e837b1392397843f935d7dc5860a4d0ce89ee31f2730c4a729402f1f2bf3e5f64e5
-Size (wget-1.19.1.tar.xz) = 2111756 bytes
-SHA1 (patch-CVE-2017-13089) = 4dc004441198b6ae1cb2fb07eb6db3d55a007d1a
-SHA1 (patch-CVE-2017-13090) = ad77c0406bb0e08979067649f93f5fa07328a1ea
+SHA1 (wget-1.19.2.tar.lz) = 262ddadec85b7836e2f724a4f3e47797a063f772
+RMD160 (wget-1.19.2.tar.lz) = a304bb50b388eaeeb23f4222d38fb45acc75bd5a
+SHA512 (wget-1.19.2.tar.lz) = ed99ca6cc58a6a9001326d1081c4110ff9732a11b0b2c129ef4e9719aab029087276bfce9fb38c0d56c19054f5417b37d712098b2ec9e814e68a68f9a5b48cec
+Size (wget-1.19.2.tar.lz) = 2152055 bytes
 SHA1 (patch-doc_wget.texi) = 6db25b3500ff4617b5ade34d9013b1f9876104f8
diff -r 6e44c5b71f90 -r b8032632850a net/wget/patches/patch-CVE-2017-13089
--- a/net/wget/patches/patch-CVE-2017-13089     Thu Nov 23 15:59:59 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,36 +0,0 @@
-$NetBSD: patch-CVE-2017-13089,v 1.1 2017/10/26 15:01:38 tez Exp $
-
-From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen%gmx.de@localhost>
-Date: Fri, 20 Oct 2017 10:59:38 +0200
-Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling
- (CVE-2017-13089)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-* src/http.c (skip_short_body): Return error on negative chunk size
-
-Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
-Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
----
- src/http.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/http.c b/src/http.c
-index 55367688..dc318231 100644
---- src/http.c
-+++ src/http.c
-@@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked)
-               remaining_chunk_size = strtol (line, &endl, 16);
-               xfree (line);
- 
-+              if (remaining_chunk_size < 0)
-+                return false;
-+
-               if (remaining_chunk_size == 0)
-                 {
-                   line = fd_read_line (fd);
--- 
-2.15.0.rc1
-
diff -r 6e44c5b71f90 -r b8032632850a net/wget/patches/patch-CVE-2017-13090
--- a/net/wget/patches/patch-CVE-2017-13090     Thu Nov 23 15:59:59 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,39 +0,0 @@
-$NetBSD: patch-CVE-2017-13090,v 1.1 2017/10/26 15:01:38 tez Exp $
-
-From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen%gmx.de@localhost>
-Date: Fri, 20 Oct 2017 15:15:47 +0200
-Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling
- (CVE-2017-13090)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-* src/retr.c (fd_read_body): Stop processing on negative chunk size
-
-Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
-Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
----
- src/retr.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/retr.c b/src/retr.c
-index a27d58af..723ac725 100644
---- src/retr.c
-+++ src/retr.c
-@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
-               remaining_chunk_size = strtol (line, &endl, 16);
-               xfree (line);
- 
-+              if (remaining_chunk_size < 0)
-+                {
-+                  ret = -1;
-+                  break;
-+                }
-+
-               if (remaining_chunk_size == 0)
-                 {
-                   ret = 0;
--- 
-2.15.0.rc1
-