summary refs log tree commit diff
path: root/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch')
-rw-r--r--pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch94
1 files changed, 0 insertions, 94 deletions
diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
deleted file mode 100644
index d11cd670d5e..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with
- ENABLE_FEATURE_WGET_OPENSSL
-
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
-
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
-
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
-
-CVE-2018-1000500
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- networking/wget.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/networking/wget.c b/networking/wget.c
-index f2fc9e215..6a8c08324 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config:	patches, but do want to waste bandwidth expaining how wrong
- //config:	it is, you will be ignored.
- //config:
-+//config:	FEATURE_WGET_OPENSSL does implement TLS verification
-+//config:	using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config:	bool "Try to connect to HTTPS using openssl"
- //config:	default y
-@@ -115,6 +118,9 @@
- //config:	If openssl can't be executed, internal TLS code will be used
- //config:	(if you enabled it); if openssl can be executed but fails later,
- //config:	wget can't detect this, and download will fail.
-+//config:
-+//config:	By default TLS verification is performed, unless
-+//config:	--no-check-certificate option is passed.
- 
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
-@@ -124,8 +130,11 @@
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:       "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage:       "	[-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:       "	[--no-check-certificate]\n"
-+//usage:	)
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage:    "	[--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage:    "	[--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage:    "	[-nv] [-nc] [-nH] [-np]" */
- //usage:       "	[-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage:	)
-@@ -137,7 +146,9 @@
- //usage:       "Retrieve files via HTTP or FTP\n"
- //usage:	IF_FEATURE_WGET_LONG_OPTIONS(
- //usage:     "\n	--spider	Only check URL existence: $? is 0 if exists"
--///////:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	IF_FEATURE_WGET_OPENSSL(
-+//usage:     "\n	--no-check-certificate	Don't validate the server's certificate"
-+//usage:	)
- //usage:	)
- //usage:     "\n	-c		Continue retrieval of aborted transfer"
- //usage:     "\n	-q		Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 	pid = xvfork();
- 	if (pid == 0) {
- 		/* Child */
--		char *argv[8];
-+		char *argv[9];
- 
- 		close(sp[0]);
- 		xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- 			argv[5] = (char*)"-servername";
- 			argv[6] = (char*)servername;
- 		}
-+		if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+			argv[7] = (char*)"-verify_return_error";
-+		}
- 
- 		BB_EXECVP(argv[0], argv);
- 		xmove_fd(3, 2);
--- 
-2.28.0
-