Diffstat (limited to 'pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch')
-rw-r--r-- | pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch | 94 |
1 files changed, 0 insertions, 94 deletions
diff --git a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch b/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
deleted file mode 100644
index d11cd670d5e..00000000000
--- a/pkgs/os-specific/linux/busybox/0001-wget-implement-TLS-verification-with-ENABLE_FEATURE_.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 45fa3f18adf57ef9d743038743d9c90573aeeb91 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Tue, 19 May 2020 18:20:39 +0100
-Subject: [PATCH] wget: implement TLS verification with
- ENABLE_FEATURE_WGET_OPENSSL
- 
-When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
-verification by default. And only ignore verification errors, if
---no-check-certificate was passed.
- 
-Also note, that previously OPENSSL implementation did not implement
-TLS verification, nor printed any warning messages that verification
-was not performed.
- 
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
- 
-CVE-2018-1000500
- 
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
----
- networking/wget.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
- 
-diff --git a/networking/wget.c b/networking/wget.c
-index f2fc9e215..6a8c08324 100644
---- a/networking/wget.c
-+++ b/networking/wget.c
-@@ -91,6 +91,9 @@
- //config: patches, but do want to waste bandwidth expaining how wrong
- //config: it is, you will be ignored.
- //config:
-+//config: FEATURE_WGET_OPENSSL does implement TLS verification
-+//config: using the certificates available to OpenSSL.
-+//config:
- //config:config FEATURE_WGET_OPENSSL
- //config: bool "Try to connect to HTTPS using openssl"
- //config: default y
-@@ -115,6 +118,9 @@
- //config: If openssl can't be executed, internal TLS code will be used
- //config: (if you enabled it); if openssl can be executed but fails later,
- //config: wget can't detect this, and download will fail.
-+//config:
-+//config: By default TLS verification is performed, unless
-+//config: --no-check-certificate option is passed.
- 
- //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP))
- 
-@@ -124,8 +130,11 @@
- //usage: IF_FEATURE_WGET_LONG_OPTIONS(
- //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n"
- //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n"
-+//usage: IF_FEATURE_WGET_OPENSSL(
-+//usage: " [--no-check-certificate]\n"
-+//usage: )
- /* Since we ignore these opts, we don't show them in --help */
--/* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */
-+/* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */
- /* //usage: " [-nv] [-nc] [-nH] [-np]" */
- //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..."
- //usage: )
-@@ -137,7 +146,9 @@
- //usage: "Retrieve files via HTTP or FTP\n"
- //usage: IF_FEATURE_WGET_LONG_OPTIONS(
- //usage: "\n --spider Only check URL existence: $? is 0 if exists"
--///////: "\n --no-check-certificate Don't validate the server's certificate"
-+//usage: IF_FEATURE_WGET_OPENSSL(
-+//usage: "\n --no-check-certificate Don't validate the server's certificate"
-+//usage: )
- //usage: )
- //usage: "\n -c Continue retrieval of aborted transfer"
- //usage: "\n -q Quiet"
-@@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- pid = xvfork();
- if (pid == 0) {
- /* Child */
-- char *argv[8];
-+ char *argv[9];
- 
- close(sp[0]);
- xmove_fd(sp[1], 0);
-@@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
- argv[5] = (char*)"-servername";
- argv[6] = (char*)servername;
- }
-+ if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
-+ argv[7] = (char*)"-verify_return_error";
-+ }
- 
- BB_EXECVP(argv[0], argv);
- xmove_fd(3, 2);
--- 
-2.28.0
- |